CtrlVOnline

Encrypted pastebin for peace of mind

Paste text, get a link with the key in the URL fragment. The server never sees the content or the key. Open the link and it decrypts in your browser.

Your text

Encrypted in your browser. The server never sees the content or the key.

0 / 1800

Link expiration

After expiration the link can no longer be decrypted. Check happens in the browser.

Protect with passwordThe key is never stored in the URL — it's derived from the password via PBKDF2. Anyone with the link will also need the password.

Burn after readingOn first open the content is shown and the URL is removed from history. Without a backend it's an "honor system" — a technical user can preserve the data.

How it works

AES-GCM 256-bit encryption in the browser
Without password: random key in URL fragment (#)
With password: key derived via PBKDF2 (200k iterations)
The server gets nothing past the fragment

MVP limits

Maximum ~1800 characters (URL hash limit)
Expiration and burn-after-read are client-side
Server-enforced version planned with Vercel KV backend
No sign-up, no storage