Frequently Asked Questions

EnigmaBin stands out by offering true end-to-end encryption with flexible security options:

• Your content is encrypted in your browser before being sent to our servers
• Choose between fast classical encryption or enhanced quantum-resistant protection
• We never have access to your unencrypted data
• No account required, just paste and share
• Optional burn-after-reading feature
• Automatic paste expiration
• Secure deletion URLs for manual removal

When you create a paste, you'll receive two types of URLs:

• Decryption URL: Contains the decryption key in the URL fragment (after the #). This key never reaches our servers and is required to view the content.
• Deletion URL: Contains a secure burn token that allows you to permanently delete the paste from our servers. Keep this URL private.

• Maximum paste size: 2MB
• Quantum-resistant mode generates URLs up to ~4.5k characters (classical mode URLs are much shorter)
• Burn-after-reading is enforced client-side and should not be relied upon for critical security

For general inquiries and security concerns, you can reach us at contact@enigmabin.com

For bug reports, feature requests, and code-related discussions, please use our GitHub Issues page.

EnigmaBin offers two encryption modes:

• Classical Mode (Default): Uses X25519 for key exchange and ChaCha20-Poly1305 for symmetric encryption. Generates shorter URLs and is suitable for most use cases.
• Quantum-Resistant Mode: Adds ML-KEM-1024 encryption on top of the classical layer. This provides protection against future quantum computers but results in longer URLs (~4.5k characters).

All encryption operations happen in your browser - we only store the already-encrypted data.

We maintain a strict minimal data collection policy:

• We only store the encrypted content and its expiration time
• No IP addresses or user metadata is collected
• No cookies are used except for essential site functionality
• Basic anonymous analytics through Vercel Analytics
• All pastes are automatically deleted after their expiration period

We believe in complete transparency and verifiable security:

• Our entire codebase is open source and available on GitHub
• All encryption happens client-side using well-vetted libraries
• You can inspect the code and verify the security measures yourself
• Self-hosting is supported - check out the SvelteKit adapters for deployment options

Burn-after-reading automatically deletes a paste after its first view:

• Once viewed, the paste is immediately and permanently deleted
• The same URL cannot be used to view the content again
• Ideal for sharing sensitive information that should only be viewed once

Important security note:

• This feature is enforced client-side and shouldn't be relied upon for critical security
• The recipient should save any needed information before closing the page
• For sensitive content, combine with shorter expiration times

The choice depends on your security needs:

• Classical Mode (Default):
  • Perfect for most everyday use
  • Shorter, more manageable URLs
  • Strong security against current threats
• Quantum-Resistant Mode:
  • Protection against future quantum computers
  • Longer URLs (~4.5k characters)
  • Best for highly sensitive or long-term data

Yes! When you create a paste, you'll receive two URLs:

• A decryption URL to view and share the content
• A deletion URL that allows you to permanently remove the paste

Additional security measures include:

• All pastes automatically expire based on your chosen duration
• Without the decryption key (contained in the URL), the data remains unreadable
• For sensitive content, consider using the burn-after-reading feature

Due to our zero-knowledge architecture, we cannot help recover lost URLs:

• Lost Content URL: Since the decryption key is only stored in the URL fragment and never reaches our servers, we cannot decrypt or recover your content. This is a fundamental security feature of our end-to-end encryption.
• Lost Deletion URL: For security reasons, we cannot verify paste ownership without the deletion URL. This prevents unauthorized deletion attempts and ensures only those with the correct deletion URL can remove content.

Important to understand:

• If you lose the content URL, we cannot help you decrypt or recover your content - it's permanently inaccessible. This isn't a limitation, but a core security feature that ensures only those with the decryption key can access the data.
• If you lose the deletion URL, we cannot verify your ownership or help delete the paste. This strict policy prevents unauthorized deletion attempts and maintains the security of our zero-knowledge system.

What you can do:

• Lost deletion URL but want to make content inaccessible? Simply delete or don't share the decryption URL. Without the decryption key, the data remains permanently encrypted and unreadable, even if it's still stored on our servers.
• Lost content URL? If you need the content, you'll need to create a new paste. There is no way to recover or bypass the encryption - this is an intentional security feature.
• Prevention tips:
  • Save both URLs securely if you'll need them later
  • Set appropriate expiration times as a fallback
  • For sensitive content, use shorter expiration times or burn-after-reading
  • Consider storing URLs in a password manager

Remember: All pastes will automatically expire after their set duration, providing a natural cleanup mechanism regardless of URL availability.