A secure, end-to-end encrypted paste sharing platform with zero-knowledge architecture. Share code, text, and markdown securely with automatic expiry and burn-after-read options.
# Run directly without installation
npx pastevault up
# Install globally for repeated use
npm install -g pastevault
pastevault up
# Clone and run locally
git clone https://github.com/arc53/pastevault.git
cd pastevault
npm install
npx pastevault up
┌─────────────────────────────────────────────────────────────┐
│ Frontend │
│ Next.js 14 + TypeScript + shadcn/ui + Tailwind │
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Client-Side Encryption │ │
│ │ • XChaCha20-Poly1305 encryption │ │
│ │ • PBKDF2 key derivation │ │
│ │ • Monaco editor with Markdown │ │
│ │ • Shiki syntax highlighting │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────┬───────────────────────────────────┘
│ HTTPS + Encrypted Payloads
│
┌─────────────────────────▼───────────────────────────────────┐
│ Backend │
│ Fastify + TypeScript + Prisma │
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ RESTful API │ │
│ │ • Paste storage (ciphertext only) │ │
│ │ • Metadata management │ │
│ │ • Rate limiting & validation │ │
│ │ • Automatic expiry cleanup │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────┬───────────────────────────────────┘
│
┌─────────────────────────▼───────────────────────────────────┐
│ Database │
│ PostgreSQL (default) or SQLite │
│ │
│ • Encrypted paste content (ciphertext) │
│ • Metadata (expiry, burn status, view counts) │
│ • Salt & KDF parameters (password mode) │
│ • No plaintext content ever stored │
└─────────────────────────────────────────────────────────────┘
Random Key Mode (Zero-Knowledge):
1. Generate random 32-byte key client-side
2. Encrypt content: XChaCha20-Poly1305(content, key, nonce, aad)
3. Send only ciphertext to server
4. Embed key in URL fragment: #k=base64url(key)
5. Fragment never sent to server logs
Password Mode:
1. Derive key: PBKDF2(password, salt, 600k iterations)
2. Store salt on server, key stays client-side
3. Same encryption, password-based decryption
AAD = "pastevault:" + paste_id + ":v1"
Prevents:
- Ciphertext substitution attacks
- Cross-paste replay attacks
- Version confusion attacks
No need to clone the repository! Just run:
npx pastevault up
That's it! This will:
- Download and install PasteVault automatically
- Install all dependencies
- Set up SQLite database (no external dependencies)
- Build and serve the frontend
- Start the backend API
- Run everything on http://localhost:3000
Note: The first run will take a bit longer as it downloads dependencies and builds the frontend. Subsequent runs will be much faster.
The CLI supports several options to customize your setup:
# Custom ports
npx pastevault up --port 8080 # Backend port
npx pastevault up --frontend-port 3002 # Frontend port
# Disable features
npx pastevault up --no-frontend # Backend only
npx pastevault up --no-open # Don't auto-open browser
# Example with all options
npx pastevault up --port 8080 --frontend-port 3002 --no-open
Want to contribute or modify PasteVault? Clone the repository for development:
git clone https://github.com/arc53/pastevault.git
cd pastevault
docker compose up -d
# Install dependencies
npm install
# Setup database
npm run db:push
# Start backend
npm run dev
Backend runs on http://localhost:3001
cd frontend
# Install dependencies
npm install
# Start frontend
npm run dev
Frontend runs on http://localhost:3000
http://localhost:3000)pastevault/
├── README.md # This file
├── docker-compose.yml # PostgreSQL setup
├── package.json # Backend dependencies
├── prisma/
│ └── schema.prisma # Database schema
├── src/ # Backend source
│ ├── index.ts # Fastify server
│ ├── routes/ # API endpoints
│ ├── lib/ # Utilities & config
│ └── types/ # TypeScript definitions
└── frontend/ # Next.js frontend
├── package.json
├── src/
│ ├── app/ # Next.js 14 App Router
│ ├── components/ # React components
│ ├── lib/ # Crypto & utilities
│ ├── hooks/ # React hooks
│ └── types/ # TypeScript definitions
└── ...
# PostgreSQL (default)
DATABASE_URL="postgresql://pastevault:pastevault_dev_password@localhost:5432/pastevault"
DATABASE_PROVIDER="postgresql"
# SQLite (uncomment to use SQLite instead)
# DATABASE_URL="file:./pastevault.db"
# DATABASE_PROVIDER="sqlite"
PORT=3001
NODE_ENV=development
CORS_ORIGIN=http://localhost:3000
RATE_LIMIT_MAX=10
RATE_LIMIT_WINDOW_MS=60000
MAX_PASTE_SIZE_BYTES=1048576
CLEANUP_INTERVAL_MINUTES=60
NEXT_PUBLIC_API_URL=http://localhost:3001/api
npm run build
npm start
cd frontend
npm run build
npm start
npm run db:migrate
$ claude mcp add pastevault \
-- python -m otcore.mcp_server <graph>