<div align="center"> <img src="banner.png" alt="hemmelig" /> </div> <h1 align="center">Encrypted secret sharing for everyone!</h1> <div align="center"> This application is designed for sharing encrypted information across organizations or among private individuals. Hemmelig places a high priority on safeguarding your privacy and will make every effort to maintain it. We trust you will find value in using our product. </div>


Hemmelig is available at https://hemmelig.app


How it works

You open https://hemmelig.app, write your sensitive information, set an expiry time and an optional password, and click create a secret link. You share the secret link. The receiver opens the link, enters the optional password, and retrieves the sensitive information.

When a secret link is created, it gets its own unique decryption key, which is not saved to the database and is only part of the URL. This is how the encryption works: encrypt(DATA, YOUR_UNIQUE_ENCRYPTION_KEY). The encryption of text and files is done in the client, so the server receives only the encrypted information and nothing in clear text.


Docker image

Hemmelig strongly advises you to use the tagged docker images, as the main branch will have breaking changes now and then. For Hemmelig versions supporting Redis, use <= v4.4.0.

Supported docker platforms: amd/64, arm/64.


If you have compliance requirements and have to self-host, https://hemmelig.app is available as a docker image. The following is the bare minimum to run the docker image.

mkdir -p data/hemmelig database
chown 1000:1000 data/hemmelig database

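# First -v: the file uploads; second -v: the sqlite database.
# vX.Y.Z is a placeholder tag: replace it with a tagged release.
docker run -p 3000:3000 -d --name=hemmelig \
   -v ./data/hemmelig/:/var/tmp/hemmelig/upload/files \
   -v ./database/:/home/node/hemmelig/database/ \
   hemmelig/hemmelig:vX.Y.Z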

Alternatively you can use docker-compose:

# fetch docker-compose.yml
wget https://raw.githubusercontent.com/HemmeligOrg/Hemmelig.app/main/docker-compose.yml

# create volumes directories
mkdir -p data/hemmelig database

# set permissions (Node user has UID 1000 within the container)
chown 1000:1000 data/hemmelig database

# start hemmelig 
docker-compose up -d

# stop containers
docker-compose down

Have a look at the Dockerfile for a full example of how to run this application.


Hemmelig can be used as a CLI to create secrets on the fly!

# Pipe data to hemmelig
cat mysecretfile | npx hemmelig

# For the documentation
npx hemmelig --help

Environment variables

| ENV vars | Description | Default |
| --- | --- | --- |
| SECRET_LOCAL_HOSTNAME | The local hostname for the fastify instance | 0.0.0.0 |
| SECRET_PORT | The port number for the fastify instance | 3000 |
| SECRET_HOST | Used, for example, to set CORS/cookies to your domain name | "" |
| SECRET_MAX_TEXT_SIZE | The max text size for the secret, set in kB (e.g. 256 for 256 kB) | 256 |
| SECRET_JWT_SECRET | Override this for the secret used to sign the JWT tokens for log in | good_luck_have_fun |
| SECRET_ROOT_USER | Override this for the root account username | groot |
| SECRET_ROOT_PASSWORD | This is the root password, override it with your own password | iamgroot |
| SECRET_ROOT_EMAIL | This is the root email, override it with your own email | groot@hemmelig.app |
| SECRET_FILE_SIZE | Set the total allowed upload file size in MB | 4 |
| SECRET_FORCED_LANGUAGE | Set the default language for the application | en |
| SECRET_UPLOAD_RESTRICTION | Restrict uploads to signed-in users | "true" |
| SECRET_RATE_LIMIT_MAX | The maximum allowed requests in each time frame | 1000 |
| SECRET_RATE_LIMIT_TIME_WINDOW | The time window, in seconds, for the requests before being rate limited | 60 |
| SECRET_DO_SPACES_ENDPOINT | The Digital Ocean Spaces/AWS S3 endpoint | "" |
| SECRET_DO_SPACES_KEY | The Digital Ocean Spaces/AWS S3 key | "" |
| SECRET_DO_SPACES_SECRET | The Digital Ocean Spaces/AWS S3 secret | "" |
| SECRET_DO_SPACES_BUCKET | The Digital Ocean Spaces/AWS S3 bucket name | "" |
| SECRET_DO_SPACES_FOLDER | The Digital Ocean Spaces/AWS S3 folder for the uploaded files | "" |
| SECRET_AWS_S3_REGION | The AWS S3 region | "" |
| SECRET_AWS_S3_KEY | The AWS S3 key | "" |
| SECRET_AWS_S3_SECRET | The AWS S3 secret | "" |
| SECRET_AWS_S3_BUCKET | The AWS S3 bucket name | "" |
| SECRET_AWS_S3_FOLDER | The AWS S3 folder for the uploaded files | "" |
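
The defaults for SECRET_JWT_SECRET, SECRET_ROOT_USER and SECRET_ROOT_PASSWORD are published in the list above, so a self-hosted instance should never start with them. The following pre-flight check is an added example, not part of Hemmelig: the function names, the env file layout, the 32-character minimum and the hemmelig-admin user name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not project code): pre-flight check for a Hemmelig env file.

# env_value KEY FILE -> last KEY=value in FILE, surrounding double quotes stripped.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_hemmelig_env FILE -> one finding per line; returns 1 if there are any.
check_hemmelig_env() {
    file=$1 rc=0
    # KEY=default pairs copied from the environment variable list above.
    for pair in SECRET_JWT_SECRET=good_luck_have_fun \
                SECRET_ROOT_USER=groot \
                SECRET_ROOT_PASSWORD=iamgroot; do
        key=${pair%%=*} default=${pair#*=}
        value=$(env_value "$key" "$file")
        if [ -z "$value" ]; then
            echo "$key: not set, the documented default applies"; rc=1
        elif [ "$value" = "$default" ]; then
            echo "$key: still the documented default"; rc=1
        fi
    done
    # Assumption of this example: a JWT signing secret needs >= 32 characters.
    jwt=$(env_value SECRET_JWT_SECRET "$file")
    if [ -n "$jwt" ] && [ "${#jwt}" -lt 32 ]; then
        echo "SECRET_JWT_SECRET: shorter than 32 characters"; rc=1
    fi
    return "$rc"
}

# write_hemmelig_env FILE -> random overrides; hemmelig-admin is a placeholder name.
write_hemmelig_env() (
    umask 077   # the file holds credentials: owner-readable only
    {
        echo "SECRET_JWT_SECRET=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')"
        echo "SECRET_ROOT_USER=hemmelig-admin"
        echo "SECRET_ROOT_PASSWORD=$(od -An -N24 -tx1 /dev/urandom | tr -d ' \n')"
    } > "$1"
)

# Demo on a constructed env file that still carries two documented defaults.
demo=$(mktemp)
printf 'SECRET_JWT_SECRET=good_luck_have_fun\nSECRET_ROOT_PASSWORD=iamgroot\n' > "$demo"
check_hemmelig_env "$demo" || echo "refusing to start with the settings above"
write_hemmelig_env "$demo" && check_hemmelig_env "$demo" && echo "generated file passes"
rm -f "$demo"
```

A file that passes the check can be handed to the container with docker run --env-file.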

Supported languages

Have a look at the public/locales/ folder.

Run locally

npm install

# Start the frontend/backend
npm run dev


Hemmelig has changed from using Redis as a backend to sqlite. Here we are using Prisma, and the sqlite file is available here: /database/hemmelig.db. Have a look at the docker-compose file for how to handle the database.

Admin, roles and settings

Admins have access to adjust certain settings in Hemmelig. If you go to the account -> instance settings, you can see all the settings.

We also have different roles.

The difference here is that if you, for example, set Hemmelig to be in read only mode, only admin and creator are allowed to create secrets, while non-signed-in users and users with the role user can only view them.

Admins are also allowed to create new users in the settings. This is great if you want to limit who your users are with the disable user account creation setting.

My lovely contributors

Feel free to contribute to this repository. Have a look at CONTRIBUTION.md for the guidelines.

Common errors

If this error occurs on the first run of your hemmelig instance, it means there are some issues with the ownership of the files/directory for the database.

Datasource "db": SQLite database "hemmelig.db" at "file:../database/hemmelig.db"

Error: Migration engine error:
SQLite database error
unable to open database file: ../database/hemmelig.db

If you have any issues with uploading files for your instance, you will need the following as well:

Here is an example of how you would solve that:

# owner:group uses a colon; the dot separator is deprecated
sudo chown -R username:group /home/username/data/
sudo chown -R username:group /home/username/database/