

Yopass lets you share secrets, passwords, and files securely with end-to-end encryption. Secrets are encrypted in the browser using OpenPGP before being sent to the server — the decryption key never leaves your machine. Each secret gets a one-time URL that expires automatically.
No accounts, no tracking, no plaintext storage. Stop sharing secrets in Slack, email, and ticket systems.
Try the demo | It's recommended to self-host Yopass for sensitive use.
See the docs for detailed guides on configuration, theming, OIDC authentication, audit logging, and more.
The quickest way to get Yopass running with TLS and automatic certificate renewal via Let's Encrypt.
Edit deploy/with-nginx-proxy-and-letsencrypt/docker-compose.yml and replace the placeholder values for VIRTUAL_HOST, LETSENCRYPT_HOST, and LETSENCRYPT_EMAIL, then start the stack:
docker-compose up -d
Yopass will be available at the domain you configured.
Already have a reverse proxy handling TLS? Use the simpler setup:
cd deploy/docker-compose/insecure
docker-compose up -d
Then point your reverse proxy to 127.0.0.1:80.
With TLS encryption:
docker run --name memcached_yopass -d memcached
docker run -p 443:1337 -v /local/certs/:/certs \
--link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211 --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt
Yopass will be available on port 443 on all host interfaces. To restrict to localhost, use -p 127.0.0.1:443:1337.
Without TLS (requires a reverse proxy for transport encryption):
docker run --name memcached_yopass -d memcached
docker run -p 127.0.0.1:80:1337 --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211
Then point your TLS-terminating reverse proxy to 127.0.0.1:80.
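The `-p` bindings above decide whether the plaintext listener is reachable from other hosts. The following check is an added example, not part of the Yopass project: it reads mappings in the format printed by `docker port <container>` and flags any that are not bound to loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how a container port is published on the host.
# Input lines use the `docker port <container>` format, e.g.
#   1337/tcp -> 127.0.0.1:80

# classify_binding HOST_ADDR: prints "loopback" or "exposed".
classify_binding() {
    case "$1" in
        127.*:*|'[::1]':*) echo loopback ;;
        *) echo exposed ;;   # 0.0.0.0, [::], :::, or a specific NIC address
    esac
}

# audit_port_bindings CONTAINER_PORT: reads mappings on stdin, prints one
# verdict per mapping of that port, returns 1 if any mapping is exposed.
audit_port_bindings() {
    want="$1"
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        cport=${line%% -> *}      # e.g. "1337/tcp"
        haddr=${line##* -> }      # e.g. "127.0.0.1:80"
        [ "${cport%%/*}" = "$want" ] || continue
        verdict=$(classify_binding "$haddr")
        echo "$verdict $haddr"
        [ "$verdict" = loopback ] || rc=1
    done
    return $rc
}

# Constructed sample: the non-TLS container published without the
# 127.0.0.1 prefix, so plaintext HTTP is reachable on every interface.
audit_port_bindings 1337 <<'EOF' || echo "FAIL: port 1337 is published beyond loopback"
1337/tcp -> 0.0.0.0:80
1337/tcp -> [::]:80
EOF

# Constructed sample: the binding recommended above for the non-TLS setup.
audit_port_bindings 1337 <<'EOF' && echo "OK: port 1337 is loopback-only"
1337/tcp -> 127.0.0.1:80
EOF
```

Against a live container, pipe the real output in: `docker port <container> | audit_port_bindings 1337`.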
kubectl apply -f deploy/yopass-k8.yaml
kubectl port-forward service/yopass 1337:1337
This is a minimal setup to get started. Configure TLS before using in production.
Yopass uses Memcached (default) or Redis as its storage backend. All flags can also be set via environment variable (uppercase, dashes → underscores).
# Memcached (default)
yopass-server --memcached localhost:11211
# Redis
yopass-server --database redis --redis redis://localhost:6379/0
For the full flag reference see yopass.se/docs/server-options. Topic-specific guides:
| Guide | Description |
|---|---|
| TLS / HTTPS | Built-in TLS, Nginx, Caddy, Traefik, Let's Encrypt |
| File Storage | Disk and S3/MinIO backends, size limits |
| Read-Only Mode | Split-instance deployments |
| OpenID Connect | OIDC authentication (license required) |
| Theming & Branding | Custom themes, logo, app name (license required) |
| Metrics | Prometheus, alerting rules, Grafana |
| Audit Logging | NDJSON compliance logging (license required) |
| Read Receipts | Know when a secret was opened (license required) |
| Webhooks | Signed lifecycle event notifications (license required) |
Yopass supports multiple languages via react-i18next. See the current translations. Contributions for new languages are welcome — see this example PR.
Yopass was first released in 2014 and has been maintained with the help of many contributors. It is used by organizations including Spotify, Doddle, and Gumtree Australia.
If you use Yopass and want to support the project, you can give thanks via email, consider donating, or give consent to list your company here.