I Built a Pastebin Where Even I Can't Read Your Data

I got tired of seeing API keys shared in plain text on Slack and Pastebin. So I built a zero-knowledge alternative.

Ishan January 10, 2026

Last week, a coworker Slacked me an AWS key. In plain text. In a channel with 50 people.

“Can you delete that?” I asked.

“Already did.”

Cool. Except Slack stores message history. That key is sitting on Slack’s servers forever. One breach, one rogue employee, one subpoena—and it’s exposed.

This happens constantly. Developers share secrets via Slack, Discord, Pastebin. All plain text. All stored on servers we don’t control.

So I built something different.

The Problem

Every time you share a password or API key, you’re trusting:

The platform’s servers
The platform’s employees
The platform’s security
Every future breach that hasn’t happened yet

That’s a lot of trust for “just a quick paste.”

Regular pastebins store your data in plain text. When (not if) they get breached, everything’s exposed.

The Solution: Zero-Knowledge Architecture

CloakBin encrypts everything in your browser before it ever touches our servers. We literally cannot read your pastes—even if we wanted to.

Here’s how it works:

1. Client-Side Encryption

When you create a paste, JavaScript encrypts your content using AES-256 (same encryption banks use) right in your browser.

Live Encryption Demo

What you type:

What the server sees:

Nothing yet...

2. The Key Never Leaves Your Browser

The encryption key lives in the URL fragment—the part after the #:

cloakbin.com/abc123#your-secret-key

Here’s the trick: browsers never send URL fragments to servers. It’s not a feature I built—it’s how HTTP works. The # and everything after it stays client-side.

This is a fundamental web security feature. Check your browser's network tab—you'll never see the fragment in any request.

3. What Our Server Actually Stores

Encrypted blob: U2FsdGVkX1+8K3...
Key: ¯_(ツ)_/¯

We store encrypted noise. Without the key (which we never receive), it’s unreadable.

“But what if you change the code?”

Fair concern. Here’s why that doesn’t help us:

It’s open source - Check the encryption yourself
Encryption runs client-side - Before any network request
Browser DevTools don’t lie - Verify nothing leaves your machine unencrypted

The Two-Factor Sharing Problem

“Cool, but if I share the URL on Discord, the key’s right there in the message.”

You’re right. That’s why we added password protection.

With a password enabled:

The encryption key is derived from your password (using PBKDF2)
No key in the URL—just a clean link like cloakbin.com/abc123
Only someone who knows the password can decrypt

Secure sharing workflow:
1. Create paste with password protection
2. Share the link on Discord/Slack/email
3. Send password via different channel (text, call)

Two channels = much harder to intercept both.

What You Get

Feature	Free	Premium
Unlimited pastes	✓	✓
Client-side encryption	✓	✓
Password protection	✓	✓
Syntax highlighting (40+ languages)	✓	✓
Expiration options	✓	✓
Custom URLs	—	✓
Extended expiration	—	✓
Paste history	—	✓

Premium: $4.99/mo or $20/year (save 67%)

Try It

No signup required. Just paste, encrypt, share.

Try CloakBin

Links:

Questions? Roast my architecture? Found a security flaw? Drop a comment—I read everything.