FIND-20260323-018

adhoc MEDIUM 2026-03-23 — Submitted by James via Slack #Innovation

SharePwd — Zero-Knowledge Secret Sharing (Burn After Reading)

SharePwd is an open-source, self-hostable burn-after-reading secret sharing platform created by Antonin HILY (Jizo AI, France). It uses client-side AES-256-GCM encryption via the Web Crypto API: the decryption key lives in the URL fragment and is never transmitted to the server (zero-knowledge by design). Secrets self-destruct after viewing. Go backend, Next.js frontend, Docker Compose self-hosting, EU data residency (OVHCloud). Shared by Laurent Minne on LinkedIn with traction in the French tech community.

The tool addresses a real workflow gap: securely handing off credentials, API keys, and tokens between operators without relying on Slack or email. However, the project is very new (created 2026-02-23, 8 stars) and carries an AGPL-3.0 license, which requires legal review before code integration. Self-hosting the tool as a standalone service is permitted under AGPL-3.0 without license obligations.

security secret-sharing zero-knowledge aes-256-gcm burn-after-reading self-hosted go nextjs credentials devops eu-data-residency
License Alert: AGPL-3.0 — Self-hosting as a standalone tool is fine. Any code integration, modification, or derivative work distributed over a network requires open-sourcing under AGPL-3.0. Recommended alternative with ODS-compatible license: Yopass (Apache-2.0, ~4500 stars).

Security Review

AGPL-3.0 (FLAG)
2026-03-10
< 30 days (2026-02-23)
8 / 0
0
ACTIVE
MEDIUM
USE_WITH_CAUTION

Supply chain note: Single maintainer, minimal community vetting (8 stars, 0 forks). Client-side AES-256-GCM with key-in-fragment is a proven pattern shared by Yopass, OTS, and others. Go backend has low dependency surface. No security policy found. Very new project — insufficient track record for production adoption.

ODS Impact

ODS operators regularly need to transmit credentials and API keys during service provisioning, tenant onboarding, and support workflows. Current practice (Slack messages, email) is not zero-knowledge and leaves secrets in chat history. SharePwd — or a more mature equivalent — would improve this operational security posture.

Relevant ODS contexts: SecureMail service (secure message delivery), Notification Hub (SMTP/API key setup), OID provisioning (client secret delivery to tenants), and general DevOps credential handoff. Self-hosting via Docker Compose fits the ODS Coolify/Docker infra model.

Recommended action: Evaluate Yopass (Apache-2.0) as the ODS-safe alternative. If SharePwd is preferred for EU residency reasons, legal must confirm AGPL-3.0 self-hosting terms before deployment.

Alternatives

| Tool | License | Stars | Notes |
| --- | --- | --- | --- |
| Yopass | Apache-2.0 | ~4,500 | Recommended. Same zero-knowledge pattern. ODS-safe license. Go + Redis backend. |
| Bitwarden Send | AGPL-3.0 / SaaS | N/A | Integrated with Bitwarden password manager. More complete solution if ODS adopts Bitwarden. |
| OTS | MIT | ~500 | Simple PHP. MIT license. Less actively maintained. |