A Fully End-to-End Encrypted Paste Service
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Mateusz Brawański 8f57c9639f
Update packages
2 years ago
.vscode Begin reworking the API for pure flask. 3 years ago
api Updated server-side language listing. Fixed expiration times not applying. 2 years ago
art Add initial stuff for the web app. 4 years ago
hljs-datagen Updated server-side language listing. Fixed expiration times not applying. 2 years ago
web-app Update packages 2 years ago
.gitignore Updated server-side language listing. Fixed expiration times not applying. 2 years ago
LICENSE.TXT Initial commit 4 years ago
NOTICE.TXT We 2020 now bois. 3 years ago
README.MD Added OpenGraph. 3 years ago


E2EE-Paste: A Fully End-to-End Encrypted Paste Service

This is the full source for the service powering my paste service as paste.emzi0767.com.

It's designed to only ever hold encrypted blobs, without corresponding encryption keys, thus enabling users to store text data in a safe manner. This is in stark contrast to most alternative services, which hold the data in plain text form, or using encryption the service provider can reverse (usually because they hold the keys).

All the actual work, i.e. the encryption and decryption, happens on the client side, and the encryption keys never hit the server. This means that the only people who can read your pastes are people you share the full paste link with.


The application consists of 2 components: REST API, and web application.

Web Application

The Web portion of E2EE-Paste is an Angular 7 Single-Page application. It requires a modern browser to run. As a general rule of thumb, latest version of Firefox, Chrome/Chromium, Edge (EdgeHTML-based), or any of its derivatives should do just fine. Here's the full list of features required:

  • TODO: feature list with links to caniuse.com


The REST API is a Python 3.7 application, with PostgreSQL used as backing storage. The complete list of requirements is as follows:

  • Python 3.7
    • TODO: pip packages
  • PostgreSQL server, version 9.6 or better (10 or better recommended)

Technical details

The application uses 256-bit AES-GCM to encrypt your text data, and sends the encrypted contents as a binary blob to the server for storage. The generated share links look like this: https://paste.emzi0767.com/asdf#fdsafdsa, where asdf is the ID of the paste, and fdsafdsa is a long base64 string, containing the data required to decrypt the paste. As the fragment is never sent to the server, the server never receives the key required to decrypt your data.

Data is stored as binary blobs in a PostgreSQL database.


See setup instructions for the API and the web app.


You need to set your nginx up such that it passes all /api requests to the API, and all other 404s to /index.html. An example snippet for such configuration:

    # Handle all other requests as usual
    location / {
        try_files $uri $uri/ /index.html;

    # Reverse proxy
    # Proxy all other requests to another server
    location /api {
        proxy_pass          https://e2ee-paste:5000;
        proxy_set_header    X-Real-IP    $remote_addr;
        proxy_set_header    Host         $host;

Support me

Lots of effort went into making this, and sometimes even related software.

If you feel like I'm doing a good job, or just want to throw money at me, you can do so through any of the following:

Other questions

If you have other questions or would like to talk in general, feel free to visit my Discord server.

Emzi's Central Dispatch