Why Client-Side Encryption Matters for Secret Sharing

When you share a password or API key through most secret-sharing tools, your plaintext data hits their server before it gets encrypted. That means the service can read your secrets — and so can anyone who compromises their infrastructure.

The server-side encryption problem

Traditional secret-sharing tools follow this flow:

  1. You type your secret into a form
  2. Your browser sends the plaintext to the server
  3. The server encrypts it and stores the ciphertext
  4. A link is generated for the recipient

The issue is step 2. TLS protects your secret from eavesdroppers on the network, but the TLS connection terminates at the server, which receives the plaintext. The service has access to your data, even if only briefly.

This means:

  • A compromised server exposes every secret in transit
  • Employees of the service could theoretically access your data
  • Law enforcement or legal requests could compel the service to hand over secrets
  • Server logs might inadvertently capture plaintext data

How client-side encryption fixes this

Vaulted takes a different approach. Encryption happens entirely in your browser:

  1. You type your secret into a form
  2. Your browser generates an AES-256-GCM key and encrypts the secret locally
  3. Only the encrypted ciphertext is sent to the server
  4. The encryption key is placed in the URL fragment (#), which browsers never send to servers

The server only ever sees encrypted data. It cannot decrypt your secret because it never has the key.

Why the URL fragment matters

The URL fragment — everything after the # symbol — has a special property: browsers do not include it in HTTP requests. When someone opens your Vaulted link, the fragment stays in their browser. The server receives a request for the secret ID but never sees the decryption key.

This is not a custom protocol or a workaround. It is how browsers have always worked, defined in RFC 3986.

What this means in practice

With client-side encryption, even if Vaulted's servers were completely compromised, an attacker would get only encrypted blobs — useless without the keys that only exist in the shared links.

No trust required. The cryptography speaks for itself.


Ready to share a secret securely? Try Vaulted — it's free.