Deploying OTS

Introduction

OTS (One-Time Secret) is a secure secret sharing service that allows you to share passwords, credentials, and other sensitive information through self-destructing links. Once a secret is viewed, it’s automatically deleted, ensuring that sensitive data doesn’t linger in inboxes or chat logs.

The service is ideal for securely sharing initial passwords, API keys, or any confidential information that should only be accessed once. Built with security as the primary focus, OTS encrypts secrets and provides options for expiration times and passphrase protection.

Key highlights of OTS:

Self-Destructing Secrets: Links expire after a single view
Encryption: Secrets are encrypted at rest
Passphrase Protection: Optional additional passphrase security
Expiration Times: Configurable secret lifetimes
No Registration Required: Share secrets without creating accounts
API Access: Programmatic secret creation and retrieval
Clean Interface: Simple, user-friendly design
Audit Logging: Track secret creation and access
Private Deployment: Full control over your data
Open Source: MIT license with transparent code

This guide walks through deploying OTS on Klutch.sh using Docker.

Why Deploy OTS on Klutch.sh

Deploying OTS on Klutch.sh provides several advantages:

Simplified Deployment: Klutch.sh handles the deployment automatically.

Persistent Storage: Attach persistent volumes for secret storage.

HTTPS by Default: Automatic SSL certificates ensure encrypted transmission.

GitHub Integration: Version-controlled deployments through your repository.

Scalable Resources: Allocate CPU and memory as needed.

Environment Variable Management: Securely store configuration.

Custom Domains: Use your own domain for a branded experience.

Always-On Availability: Your secret sharing service remains accessible 24/7.

Prerequisites

Before deploying OTS on Klutch.sh, ensure you have:

A Klutch.sh account
A GitHub account with a repository for your configuration
Redis for secret storage (recommended for production)
(Optional) A custom domain for your OTS instance

Understanding OTS Architecture

OTS has a straightforward architecture:

Ruby Application: The core application built with Ruby/Sinatra.

Redis Backend: Stores encrypted secrets with automatic expiration.

Web Interface: Clean, minimal interface for creating and viewing secrets.

API Layer: REST API for programmatic access.

Deploying OTS on Klutch.sh

Create Your GitHub Repository

Create a new GitHub repository for your OTS deployment configuration.

Create the Dockerfile

Create a Dockerfile in your repository root:

FROM ruby:3.1-slim

# Install dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    redis-tools \
    git \
    && rm -rf /var/lib/apt/lists/*

# Clone OTS
WORKDIR /app
RUN git clone https://github.com/onetimesecret/onetimesecret.git .

# Install dependencies
RUN bundle install --deployment

# Set environment
ENV RACK_ENV=production
ENV OTS_HOST=${OTS_HOST}
ENV REDIS_URL=${REDIS_URL}

EXPOSE 3000

CMD ["bundle", "exec", "thin", "start", "-p", "3000"]

Create a New Project on Klutch.sh

Navigate to the Klutch.sh dashboard and create a new project.

Create a New App

Within your project, create a new app and connect your GitHub repository.

Configure HTTP Traffic

In the deployment settings:

Select HTTP as the traffic type
Set the internal port to 3000

Set Environment Variables

Configure the following environment variables:

Variable	Value
`OTS_HOST`	Your app domain
`REDIS_URL`	Redis connection URL
`OTS_SECRET`	Generate a secure random string
`COLONEL`	Admin email address

Attach Persistent Volumes

Add persistent storage (if not using external Redis):

Mount Path	Recommended Size	Purpose
`/app/data`	5 GB	Application data
`/app/log`	2 GB	Log files

Deploy Your Application

Click Deploy to start the build process.

Access OTS

Once deployed, access your OTS instance at https://your-app.klutch.sh and start sharing secrets securely.

Using OTS

Creating a Secret

Share sensitive information:

Navigate to your OTS instance
Enter your secret in the text area
Optionally set a passphrase
Choose expiration time
Click Generate
Copy and share the unique link

Viewing a Secret

Recipients access secrets:

Open the shared link
Enter passphrase if required
View the secret (once)
Secret is automatically deleted

Expiration Options

Configure secret lifetimes:

5 minutes
1 hour
1 day
7 days
Custom durations

API Usage

Create secrets programmatically:

curl -X POST https://your-ots.klutch.sh/api/v1/share \
  -d "secret=my-secret-password" \
  -d "ttl=3600"

Retrieve secrets:

curl https://your-ots.klutch.sh/api/v1/secret/SECRET_KEY

Configuration

Customizing Appearance

Modify the OTS interface:

Edit view templates
Update CSS styles
Add your branding
Customize messaging

Security Settings

Configure security options:

Set maximum secret size
Configure rate limiting
Enable/disable features
Set default expiration

Email Notifications

Enable email features:

Configure SMTP settings
Enable email delivery
Customize email templates

Production Best Practices

Security Recommendations

Use HTTPS exclusively (automatic on Klutch.sh)
Configure strong OTS_SECRET
Enable rate limiting
Monitor for abuse
Regular security updates

Redis Configuration

For production reliability:

Use managed Redis service
Configure persistence
Set appropriate memory limits
Enable authentication

Backup Considerations

Note about backups:

Secrets are designed to be ephemeral
Database backups may contain encrypted secrets
Consider security implications of backups
Focus on configuration backups

Troubleshooting Common Issues

Secrets Not Expiring

Verify Redis connection
Check TTL configuration
Review Redis memory settings
Monitor Redis expiration

Cannot Create Secrets

Check Redis connectivity
Verify disk space
Review application logs
Check rate limits

API Issues

Verify API endpoints
Check authentication if enabled
Review request format
Check response codes

Alternative Implementations

Other OTS options:

PrivateBin: Encrypted pastebin with self-destruction
Yopass: Secure password sharing
Sniptt: Modern secret sharing

Additional Resources

Conclusion

Deploying OTS on Klutch.sh provides a secure, self-hosted solution for sharing sensitive information. With self-destructing links and encryption, OTS ensures that passwords and secrets don’t persist in email threads or chat logs, significantly reducing the risk of credential exposure.