Nobody Can Read Your Pastes. Not Even Us.
How zero-knowledge encryption works, and why it matters that we literally cannot access your data.
When we say we can’t read your pastes, we’re not making a policy promise. We’re describing a technical reality.
Let me explain how.
The problem with “trust us”
Most services that handle your data make a simple promise: “We won’t look at it.”
That’s nice. But it means:
- They could look if they wanted to
- A hacker who breaches them could access everything
- A government subpoena could force them to hand it over
- A rogue employee could peek at your data
“Trust us” is a policy. Policies can change. Employees can be bribed. Servers can be hacked.
How zero-knowledge actually works
Here’s what happens when you create a paste on CloakBin:
1. Encryption happens in your browser
Before anything leaves your device, JavaScript encrypts your content using AES-256—the same encryption banks and governments use.
2. The key never touches our servers
This is the critical part. The encryption key is generated in your browser and stays there.
When you get your link, it looks like this:
cloakbin.com/abc123#your-secret-keyEverything after the # (the “fragment”) is your encryption key. Here’s the magic: browsers don’t send URL fragments to servers. It’s a fundamental rule of how the web works.
3. What we actually store
When you save a paste, our server receives:
- Encrypted gibberish
- Some metadata (expiration time, etc.)
- That’s it
We literally cannot decrypt your content because we never have the key. Not through clever engineering. Not through a court order. Not through a security breach.
“But what if you secretly change the code?”
Fair question. Here’s why that doesn’t work:
The code is open source. Anyone can inspect exactly what runs in your browser. Security researchers do this regularly.
The encryption happens client-side. Even if we wanted to capture your data, the architecture makes it technically difficult. The key generation and encryption run in your browser before any network request.
Browser security helps. Modern browsers sandbox JavaScript. The key stays in memory only during your session and never persists anywhere we could access.
Why this matters for you
For personal privacy
Your passwords, personal notes, and sensitive messages stay yours. Even if you don’t trust us (you shouldn’t trust anyone blindly), the math protects you.
For business security
Sharing API keys with contractors? Sending credentials to team members? Zero-knowledge means even our employees can’t leak your data—because they can’t access it.
For legal protection
In some jurisdictions, companies can be compelled to hand over user data. We can comply with such requests—but all we have is encrypted noise. We can’t decrypt what we don’t have keys for.
The tradeoffs
Zero-knowledge isn’t free. Here’s what you give up:
No password recovery. If you lose the link, it’s gone. We can’t help.
No server-side search. We can’t search through encrypted blobs. You need to keep track of your links.
No sharing analytics. We can’t tell you who viewed your paste because we can’t read the content to add tracking.
For most sensitive data, these tradeoffs are worth it. The alternative—trusting a third party with your secrets—carries far bigger risks.
Try it yourself
Don’t take our word for it. Create a paste and:
- Check your browser’s network tab—no key in the request
- Look at the URL—key is only in the fragment
- Inspect our source code—it’s all on GitHub
The bottom line
“Trust us” isn’t good enough for sensitive data. Zero-knowledge encryption means you don’t have to trust us—the math handles security, not promises.
Your secrets stay yours. Not because we’re nice, but because we architected it to be technically impossible for us to access them.
That’s how security should work.