Deploying One Time Secret

Introduction

One Time Secret is a self-hosted secret sharing service that enables secure transmission of sensitive information like passwords, API keys, and private messages. When you share a secret, the recipient receives a unique link that can only be viewed once before it is permanently destroyed, ensuring that sensitive data does not persist in email inboxes or chat logs.

Created by Delano, One Time Secret is built with Ruby and uses Redis for ephemeral storage. The application encrypts all secrets at rest and supports optional passphrase protection for an additional layer of security.

Key features of One Time Secret include:

  • Self-Destructing Links: Secrets are automatically deleted after being viewed once
  • Expiration Times: Set custom expiration periods from minutes to days
  • Passphrase Protection: Add an optional passphrase for additional security
  • Burn Before Reading: Option to destroy a secret before it is read
  • API Access: RESTful API for integration with other applications
  • No Registration Required: Anonymous secret sharing without accounts
  • Metadata Control: Sender can verify if a secret has been viewed
  • Custom Branding: Customize the interface for your organization
  • Open Source: Full transparency with auditable source code

This guide walks through deploying One Time Secret on Klutch.sh using Docker with Redis for storage.

Why Deploy One Time Secret on Klutch.sh

Deploying One Time Secret on Klutch.sh provides a secure, private alternative to third-party secret sharing services:

Data Sovereignty: Host sensitive data on infrastructure you control rather than trusting third-party services with your passwords and secrets.

HTTPS by Default: Automatic SSL certificates ensure all secrets are transmitted securely over encrypted connections.

Persistent Redis Storage: Attach volumes to ensure your Redis data persists across container restarts while maintaining the ephemeral nature of secrets.

Custom Domains: Use your organization’s domain for a professional appearance and to build trust with recipients.

Environment Variable Security: Store encryption keys and configuration securely without exposing them in your repository.

Prerequisites

Before deploying One Time Secret on Klutch.sh, ensure you have:

Deploying One Time Secret on Klutch.sh

    Create Your Dockerfile

    Create a Dockerfile in your repository:

    FROM ruby:3.1-slim
    # Install dependencies
    RUN apt-get update && apt-get install -y \
    build-essential \
    redis-server \
    git \
    && rm -rf /var/lib/apt/lists/*
    # Clone One Time Secret
    WORKDIR /app
    RUN git clone https://github.com/onetimesecret/onetimesecret.git .
    # Install Ruby dependencies
    RUN bundle install --without development test
    # Create configuration
    COPY config/config.yaml /app/etc/config.yaml
    # Start script
    COPY start.sh /start.sh
    RUN chmod +x /start.sh
    EXPOSE 7143
    CMD ["/start.sh"]

    Create Configuration File

    Create config/config.yaml:

    :site:
      :host: localhost:7143
      :domain: your-domain.klutch.sh
      :ssl: true
    :redis:
      :uri: redis://127.0.0.1:6379/0
    :colonels:
      - admin@example.com
    :emailer:
      :mode: :smtp
      :from: noreply@your-domain.com
    :secrets:
      :key: YOUR_SECRET_KEY_HERE

    Create Startup Script

    Create start.sh:

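    #!/bin/bash
    set -e
    # Start Redis in the background, writing its data to the mounted volume
    redis-server --daemonize yes --dir /var/lib/redis
    # Run the web app in the foreground as the container's main process
    exec bundle exec thin -R config.ru -p 7143 start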

    Push to GitHub

    Commit and push your files to your GitHub repository.

    Create a New Project on Klutch.sh

    Navigate to the Klutch.sh dashboard and create a new project.

    Create and Configure the App

    Create a new app and connect it to your GitHub repository.

    Configure HTTP Traffic

    Set the traffic type to HTTP with an internal port of 7143.

    Set Environment Variables

    Configure the following environment variables:

    Variable          Description
    OTS_SECRET_KEY    Encryption key for secrets
    OTS_DOMAIN        Your deployment domain

    Attach Persistent Volumes

    Add persistent storage:

    Mount Path        Recommended Size    Purpose
    /var/lib/redis    5 GB                Redis data storage
    /app/etc          100 MB              Configuration files

    Deploy Your Application

    Click Deploy to build and launch your One Time Secret instance.

    Access Your Instance

    Once deployed, access your One Time Secret instance at your app URL and start sharing secrets securely.
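
A pre-start check for the secret key from the configuration and environment variable steps above, as an added example that is not part of the original guide or the One Time Secret project: it generates a random key and rejects a missing, placeholder, or short value before the server starts. The function names and the 32-character minimum are assumptions of this example.

```shell
# Added example: pre-start checks for the secret key used in this guide.
# Function names and the 32-character minimum are assumptions of this example.

PLACEHOLDER="YOUR_SECRET_KEY_HERE"  # placeholder shown in config/config.yaml
MIN_KEY_LEN=32                      # assumed minimum, not a One Time Secret rule

# Print a 64-hex-character key built from 32 bytes of kernel randomness.
generate_secret_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -dc '0-9a-f'
  echo
}

# Return 0 only if the key is set, is not the placeholder, and is long enough.
check_secret_key() {
  if [ -z "$1" ]; then
    echo "OTS_SECRET_KEY is not set" >&2; return 1
  fi
  if [ "$1" = "$PLACEHOLDER" ]; then
    echo "OTS_SECRET_KEY is still the placeholder value" >&2; return 1
  fi
  if [ "${#1}" -lt "$MIN_KEY_LEN" ]; then
    echo "OTS_SECRET_KEY is shorter than $MIN_KEY_LEN characters" >&2; return 1
  fi
  return 0
}

# Return 0 if the given config file still carries the placeholder key.
config_has_placeholder() {
  grep -qF -- "$PLACEHOLDER" "$1"
}

# Run every check against the environment and the deployed config file.
preflight() {
  check_secret_key "${OTS_SECRET_KEY:-}" || return 1
  if [ ! -r "$1" ]; then
    echo "cannot read config file $1" >&2; return 1
  fi
  if config_has_placeholder "$1"; then
    echo "$1 still contains $PLACEHOLDER" >&2; return 1
  fi
  return 0
}

# Typical call from start.sh before the server starts:
#   preflight /app/etc/config.yaml || exit 1
```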

Additional Resources