Skip to content
Klutch.sh Docs

Deploying Hemmelig

Introduction

Hemmelig (Norwegian for “secret”) is a self-hosted application for sharing sensitive information through encrypted, self-destructing messages. When you need to share passwords, API keys, or other secrets securely, Hemmelig creates encrypted links that automatically expire and can only be viewed once.

Built with Node.js and React, Hemmelig provides a clean, modern interface for creating and sharing secrets. The application supports password protection, custom expiration times, and file attachments. All data is encrypted client-side before transmission, ensuring that even the server cannot read your secrets.

Key highlights of Hemmelig:

  • End-to-End Encryption: Secrets are encrypted before leaving your browser
  • Self-Destructing: Links expire after viewing or after a set time
  • Password Protection: Add an extra layer of security with passwords
  • File Attachments: Share files along with text secrets
  • Custom Expiration: Set expiration from minutes to days
  • View Limits: Configure how many times a secret can be viewed
  • IP Restrictions: Limit access to specific IP addresses
  • No Database Required: Option to run without a database

This guide walks through deploying Hemmelig on Klutch.sh using Docker, configuring security settings, and sharing secrets securely.

Prerequisites

Before deploying Hemmelig on Klutch.sh, ensure you have:

  • A Klutch.sh account
  • A GitHub account with a repository for your Hemmelig configuration
  • Basic familiarity with Docker and containerization concepts
  • (Optional) A custom domain for your secrets sharing service

Preparing Your Repository

Create a GitHub repository with the following structure:

hemmelig-deploy/
├── Dockerfile
├── .dockerignore
└── README.md

Creating the Dockerfile

Create a Dockerfile using the official Hemmelig image:

FROM hemmeligapp/hemmelig:latest


# Environment variables for configuration
ENV SECRET_LOCAL_HOSTNAME=0.0.0.0
ENV SECRET_PORT=3000
ENV SECRET_MASTER_KEY=${SECRET_MASTER_KEY}


# Database configuration (SQLite by default)
ENV SECRET_DATABASE_HOST=${SECRET_DATABASE_HOST:-}


# Base URL for generated links
ENV SECRET_APP_URL=${SECRET_APP_URL}


# Expose the application port
EXPOSE 3000


# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

Advanced Dockerfile with Redis

For production with Redis caching:

FROM hemmeligapp/hemmelig:latest


ENV SECRET_LOCAL_HOSTNAME=0.0.0.0
ENV SECRET_PORT=3000
ENV SECRET_MASTER_KEY=${SECRET_MASTER_KEY}
ENV SECRET_APP_URL=${SECRET_APP_URL}


# Redis configuration
ENV SECRET_REDIS_HOST=${SECRET_REDIS_HOST}
ENV SECRET_REDIS_PORT=${SECRET_REDIS_PORT:-6379}


# Rate limiting
ENV SECRET_MAX_TEXT_SIZE=${SECRET_MAX_TEXT_SIZE:-256}
ENV SECRET_MAX_FILE_SIZE=${SECRET_MAX_FILE_SIZE:-4}


# Expiration settings
ENV SECRET_DEFAULT_TTL=${SECRET_DEFAULT_TTL:-3600}


EXPOSE 3000


HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

Environment Variables Reference

VariableRequiredDefaultDescription
SECRET_MASTER_KEYYes-Master encryption key (32+ characters)
SECRET_APP_URLYes-Public URL of your Hemmelig instance
SECRET_PORTNo3000Application port
SECRET_LOCAL_HOSTNAMENo0.0.0.0Bind address
SECRET_REDIS_HOSTNo-Redis server hostname
SECRET_REDIS_PORTNo6379Redis server port
SECRET_MAX_TEXT_SIZENo256Maximum text size in KB
SECRET_MAX_FILE_SIZENo4Maximum file size in MB
SECRET_DEFAULT_TTLNo3600Default expiration in seconds

Deploying Hemmelig on Klutch.sh

    Generate Master Key

    Generate a secure master key for encryption:

    Terminal window
    openssl rand -hex 32

    Save this key securely - you will need it for configuration.

    Push Your Repository to GitHub

    Terminal window
    git init
    git add Dockerfile .dockerignore README.md
    git commit -m "Initial Hemmelig deployment configuration"
    git remote add origin https://github.com/yourusername/hemmelig-deploy.git
    git push -u origin main

    Create a New Project on Klutch.sh

    Navigate to the Klutch.sh dashboard and create a new project named “hemmelig” or “secrets”.

    Create a New App

    Within your project, create a new app. Connect your GitHub account and select your Hemmelig repository.

    Configure HTTP Traffic

    • Select HTTP as the traffic type
    • Set the internal port to 3000

    Set Environment Variables

    Configure the following environment variables:

    VariableValue
    SECRET_MASTER_KEYYour generated 64-character hex key
    SECRET_APP_URLhttps://your-app-name.klutch.sh
    SECRET_PORT3000

    Attach Persistent Volumes

    Mount PathRecommended SizePurpose
    /home/node/hemmelig/data5 GBDatabase and uploaded files
    /home/node/hemmelig/uploads10 GBFile attachments storage

    Deploy Your Application

    Click Deploy to start the build process. Klutch.sh will build the container, attach volumes, and start Hemmelig with HTTPS enabled.

    Access Hemmelig

    Once deployment completes, access your Hemmelig instance at https://your-app-name.klutch.sh.

Using Hemmelig

Creating a Secret

  1. Navigate to your Hemmelig instance
  2. Enter your secret text in the input field
  3. Configure options:
    • Password: Add optional password protection
    • Expiration: Set time until expiration
    • Max Views: Limit number of views
  4. Click Create Secret
  5. Copy the generated link

Sharing Files

  1. Click the attachment icon
  2. Select files to upload
  3. Files are encrypted and attached to your secret
  4. Share the generated link

Viewing a Secret

  1. Open the shared link
  2. Enter password if required
  3. View the secret content
  4. The secret is automatically deleted after viewing (if configured)

Advanced Options

IP Restrictions:

  • Limit access to specific IP addresses or ranges
  • Useful for internal team sharing

Custom Expiration:

  • Set expiration from 5 minutes to 7 days
  • Secrets are automatically deleted after expiration

Burn After Reading:

  • Secret is immediately deleted after first view
  • Perfect for one-time sharing

Security Best Practices

Encryption

  • All secrets are encrypted client-side using AES-256
  • The encryption key is part of the URL fragment (never sent to server)
  • Server only stores encrypted data

Master Key Security

  • Store your SECRET_MASTER_KEY securely
  • Never commit it to version control
  • Rotate periodically for enhanced security

Network Security

  • Always use HTTPS (provided by Klutch.sh)
  • Consider IP restrictions for sensitive deployments
  • Enable password protection for important secrets

Troubleshooting

Secrets Not Decrypting

  • Ensure the complete URL including fragment is shared
  • Check that the master key hasn’t changed
  • Verify the secret hasn’t expired

File Upload Fails

  • Check file size limits
  • Verify upload directory permissions
  • Ensure sufficient storage space

Connection Errors

  • Verify application is running
  • Check environment variables
  • Review application logs

Additional Resources

Conclusion

Deploying Hemmelig on Klutch.sh provides a secure, self-hosted solution for sharing sensitive information. With end-to-end encryption, self-destructing messages, and flexible expiration options, Hemmelig ensures your secrets remain confidential. The combination of Klutch.sh’s HTTPS and Hemmelig’s encryption creates a robust security layer for sharing passwords, API keys, and other sensitive data.