DropLock: Client-Side Secret Sharing That Never Touches the Server

May 30, 2026 security cryptography web-development privacy end-to-end-encryption secret-sharing javascript

Let's be honest: sharing secrets online is a pain. Email? Out of the question. Slack? Logged forever. Traditional secret sharing services often route your data through their servers, trusting that they'll handle it responsibly and delete it promptly.

DropLock takes a different approach—and it's worth understanding why that matters.

The Core Idea

DropLock lets you create a "lock box" link and hand it to whoever needs to send you a secret. They open it in their browser, type the secret in, and it is encrypted locally with your public key before anything leaves their machine. The encrypted payload lives in the URL fragment (the part after the #, which browsers never include in the HTTP request), so the server genuinely cannot read your secret.

This is end-to-end encryption done right, at the application layer, without needing any plugins or installed software.

How the Cryptography Actually Works

Here's where it gets interesting for the technically curious:

  1. When you create a lock box, your browser generates a public/private key pair
  2. The public key is embedded in your lock box URL
  3. The private key stays in your browser as a non-extractable Web Crypto key: JavaScript can use it, but it cannot export the key material. That protects against the key itself being exfiltrated; it does not stop a compromised page from using the key to decrypt whatever arrives while it is running
  4. When someone sends you a secret, their browser generates a one-time key pair, combines its private half with your public key to obtain a shared secret, and derives an AES-GCM key from that secret with HKDF-SHA-256
  5. The secret is encrypted locally. The URL fragment carries the ciphertext together with the one-time public key and nonce your browser needs to derive the same key; the plaintext never appears anywhere

The clever part: since each browser profile gets its own key pair, someone opening your lock box on a different browser literally cannot decrypt the message. The secret is bound to a specific browser profile. The flip side is that the private key exists only in that profile's site storage: clear it, or lose the device, and anything still encrypted to that lock box is unreadable for good.

The Tradeoff You Need to Know About

Here's where DropLock is refreshingly honest: it cannot verify that the lock box URL a sender received is really yours. The sender has nothing to check the public key against, because the key is the URL.

If someone can intercept and replace the lock box link before it reaches the sender (a man-in-the-middle on whatever channel you shared it over), they can substitute a URL carrying their own public key. The sender encrypts the secret for the attacker's key instead of yours, and nothing on the sender's side looks any different.

DropLock's recommendation: confirm the lock box URL over a second, independent channel before sending, or share it only over a channel you already trust (a face-to-face conversation, a messaging app whose keys you have verified).

This isn't a flaw in the cryptography. It is the key-distribution problem every public-key system has, stated plainly, where many similar tools say nothing at all.

When DropLock Makes Sense

DropLock isn't a replacement for proper secret management tools like password managers or enterprise secret vaults. But it shines in specific scenarios:

  • Quick one-off sharing where setting up a full vault entry feels excessive
  • Sharing credentials with non-technical users who wouldn't navigate a password manager
  • Situations where no audit trail is required and corporate tools aren't available
  • Temporary access sharing without creating persistent credentials

The Bottom Line

DropLock is a minimal, thoughtfully designed tool that demonstrates how much security is possible with pure browser-side cryptography. It's not a replacement for audited enterprise solutions, and the developers explicitly note it hasn't undergone professional security review.

But for quick, ephemeral secret sharing where you control the delivery channel? It's a neat trick to have in your back pocket.

The source code is available on GitHub, so security-minded readers can verify the implementation or even run their own instance.

What do you think—would you use a client-side secret sharing tool for quick handoffs? Let us know in the comments.

