Configs · Apr 24, 2026 · 3 min read

PrivateBin — Zero-Knowledge Encrypted Pastebin

PrivateBin is a minimalist self-hosted pastebin where the server has zero knowledge of pasted data. All content is encrypted and decrypted in the browser using 256-bit AES, so the server never sees plaintext.

Introduction

PrivateBin is a fork of ZeroBin that provides a secure, self-hosted pastebin service. The key principle is zero knowledge: all encryption and decryption happens client-side in the browser. The server stores only encrypted blobs and never has access to the plaintext content or the decryption key, which is part of the URL fragment and never sent to the server.

What PrivateBin Does

  • Encrypts all paste content in the browser using 256-bit AES before sending to the server
  • Stores only encrypted data on the server, ensuring zero knowledge of content
  • Supports paste expiration with options like burn-after-reading, 5 minutes, 1 hour, 1 day, and more
  • Allows optional password protection for an additional layer of security
  • Provides discussion threads on pastes with the same end-to-end encryption

Architecture Overview

PrivateBin is a PHP application with a JavaScript frontend that performs all cryptographic operations. When a user creates a paste, the JS client generates a random secret, derives an AES-256-GCM key from it (mixing in the optional password via PBKDF2), encrypts the content with the Web Crypto API, and uploads only the ciphertext plus the metadata the server needs to enforce policy (expiry, burn-after-reading flag, IV and salt). The secret is placed in the URL fragment (after the #), which browsers never transmit to the server. The guarantee therefore rests on the browser running unmodified client code: whoever can alter the served JavaScript can read every paste, which is why TLS and script integrity matter as much as the cipher. The PHP backend stores the encrypted blobs in a configurable backend: filesystem, MySQL, PostgreSQL, SQLite, S3, or Google Cloud Storage.

Self-Hosting & Configuration

  • Deploy via Docker using the official image or drop the PHP files into any web server with PHP 7.4+
  • Copy cfg/conf.sample.php to cfg/conf.php and edit it to set the storage backend, paste size limit, and expiration defaults
  • Choose from filesystem, MySQL, PostgreSQL, SQLite, S3, or Google Cloud Storage for data persistence
  • Throttle paste creation in the [traffic] section: limit sets the minimum number of seconds between pastes from the same IP, and exempted lists addresses that bypass it
  • Serve it over TLS, typically behind a reverse proxy: the zero-knowledge property holds only if the JavaScript that does the encryption reaches the browser unmodified, and TLS is what stops a network attacker from swapping it

Key Features

  • True zero-knowledge architecture where the server never sees plaintext or decryption keys
  • Burn-after-reading mode that deletes pastes after the first view
  • Syntax highlighting for code snippets and Markdown rendering for formatted text
  • Discussion threads on pastes with the same end-to-end encryption applied to comments
  • QR code generation for easy sharing of paste URLs on mobile devices

Comparison with Similar Tools

  • Pastebin.com — Popular public service but not self-hosted and no end-to-end encryption
  • Hastebin — Self-hosted pastebin without encryption, plaintext stored on server
  • CryptPad — Collaborative encrypted suite with a notes feature, but much heavier to self-host
  • Stikked — Self-hosted pastebin with syntax highlighting but no client-side encryption

FAQ

Q: How is the encryption key shared? A: The key is part of the URL fragment (after #). Browsers never send the fragment to the server, so the key stays between sender and recipient.

Q: Can the server admin read pastes? A: Not from the stored data. The server holds only AES-256-GCM encrypted blobs, and without the secret in the URL fragment they cannot be decrypted. The caveat is that the admin also serves the client code: an operator who modifies the JavaScript can capture keys in the browser. PrivateBin's templates pin its scripts with subresource integrity hashes, which protects against altered files but not against an operator who edits the templates themselves, so a hostile operator still has to be ruled out by other means.

Q: What happens when a paste expires? A: Expired pastes are purged from storage. Burn-after-reading pastes are deleted by the server the first time the encrypted blob is retrieved; the server cannot tell whether decryption succeeded, which is why the client asks for confirmation before fetching such a paste.

Q: Does it support file attachments? A: Yes. File attachments are encrypted client-side with the same key and stored alongside the paste data.
