Ad-Hoc | HIGH | 2026-03-23 — submitted by James via #Innovation
Summary
Yopass is a mature (2014), battle-tested open-source platform for one-time encrypted secret delivery. Client-side OpenPGP encryption: the decryption key is embedded in the URL fragment and never reaches the server — the server stores only the encrypted blob. Secrets auto-expire (1h/1d/1w) and are deleted after first read.
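The delivery model described above, as an added Go example that is not Yopass code: AES-GCM stands in for OpenPGP, and `Share`, `Fetch`, `Open`, the in-memory `store` and the host `secrets.example` are hypothetical names. It shows that the request target the server receives excludes the fragment key, and that a blob is served exactly once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
)

// store is a constructed in-memory stand-in for the server: ciphertext only.
var store = map[string][]byte{}

// Share is the sender's client: encrypt locally, upload, key goes in the fragment.
func Share(id, secret string) *url.URL {
	buf := make([]byte, 44) // 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no entropy: refuse to produce a weak key
	}
	b, _ := aes.NewCipher(buf[:32]) // cannot fail: key length is fixed at 32
	a, _ := cipher.NewGCM(b)        // AES-GCM stands in for OpenPGP (assumption)
	store["/s/"+id] = a.Seal(buf[32:], buf[32:], []byte(secret), nil)
	return &url.URL{Scheme: "https", Host: "secrets.example", Path: "/s/" + id,
		Fragment: base64.RawURLEncoding.EncodeToString(buf[:32])}
}

// Fetch is the server: it sees only the request target and serves a blob once.
func Fetch(target string) []byte {
	blob := store[target]
	delete(store, target)
	return blob
}

// Open is the recipient's client: request by path, decrypt with the fragment key.
func Open(u *url.URL) (string, bool) {
	blob := Fetch(u.RequestURI()) // RequestURI omits the fragment
	key, _ := base64.RawURLEncoding.DecodeString(u.Fragment)
	b, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 {
		return "", false
	}
	a, _ := cipher.NewGCM(b)
	pt, err := a.Open(nil, blob[:12], blob[12:], nil)
	return string(pt), err == nil
}

func main() {
	fmt.Println(Share("demo", "constructed-db-password")) // one-time link
}
```

Because the server cannot tell a valid key from a missing one, a request made with a truncated link still consumes the blob, so the intended recipient then finds the secret gone.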
Latest release 13.1.0 (2026-03-17) adds read-only instance mode, health check endpoints for container orchestration, and configurable default expiration. Active Dependabot maintenance confirmed (commit today, 2026-03-23).
Go backend with minimal dependency surface. React frontend with active Dependabot updates. 12 years of community vetting, active contributor base. Client-side OpenPGP encryption pattern is audited and proven across multiple comparable tools. No single-maintainer risk.
ODS Impact
Direct fit for three ODS workflows:
DevOps credential sharing — operators handing off API keys, DB passwords, and tokens during service provisioning (Coolify, Redpanda, PostgreSQL) without leaving secrets in Slack or email. Deployable as a standalone Coolify service in minutes.
OID tenant onboarding — sharing initial client_secret or admin credentials to new tenant administrators without exposure in transit. Fits the zero-trust model: the secret never exists in clear text on the server.
SecureMail integration — Yopass can complement SecureMail as a lower-friction option for one-time credential delivery within tenant onboarding flows. Could be called via its CLI from Notification Hub workflows.
Apache-2.0 license means it can be forked, embedded, or called from ODS services without legal friction. Prometheus metrics endpoint fits ODS observability stack. Redis backend aligns with existing ODS infra. Kubernetes manifests available for direct Coolify/GKE deployment.
Recommended over SharePwd for any ODS integration: more mature, better license, health checks included.