Skip to content
P.

Lock It Up

Publish a page only the people with the password can read. The secret is encrypted in your browser before it ever leaves your machine — pastehtml.dev stores nothing but scrambled bytes.

End-to-end AES-256-GCM Web Crypto API Zero dependencies

Every paste on pastehtml.dev is served from its own isolated origin — a real https://<token>.pastehtml.dev/ page where your scripts actually run. That one fact is all we need to build a vault: ship a page that carries an encrypted blob plus a tiny unlock screen, and let the reader's own browser do the decryption once they type the password.

The big idea

The plaintext and the password never touch the server. You encrypt locally, publish only the ciphertext, and share the link plus the password through a separate channel. Lose the link and the password and there is genuinely nothing to recover — which is exactly the point.

How it works

The whole scheme rides on the browser's built-in Web Crypto API — no libraries, no CDN:

  1. Your password is stretched into a 256-bit key with PBKDF2 (SHA-256, 250,000 iterations) over a random salt. Stretching makes brute-forcing a weak password slow.
  2. Your content is encrypted with AES-256-GCM using a fresh random IV. GCM is authenticated, so a wrong password (or any tampering) fails loudly instead of silently returning garbage.
  3. The salt, IV, and ciphertext are base64-encoded and baked into a self-contained HTML file alongside a comic-styled unlock screen.
  4. You publish that file. The reader opens it, types the password, and the page decrypts the blob and renders your real content in a sandboxed frame — all client-side.

Below is a working forge that does steps 1–3 for you, right here on this page (it uses your browser's crypto, nothing is uploaded). Paste your secret, pick a password, and download a ready-to-publish locked page.

The Locker Forge

⚠ Read me before you trust it

This is real cryptography, but its strength is entirely your password. A short or guessable password can be cracked offline by anyone who has the link, because they hold the ciphertext. Use a long, random passphrase for anything that matters. This protects against casual snooping and shoulder-surfing search engines — it is not a replacement for a secrets manager.

Publish it

However you built the file, publishing is the same two-button affair:

Option A — Drag & drop

Open pastehtml.dev and drop the .html file onto the zone. You get back a private https://<token>.pastehtml.dev/ link instantly. Share that link one place, the password another.

Option B — The API (great for agents & scripts)

Pipe the file straight up with curl:

curl -F "[email protected]" https://pastehtml.dev/api/pastes

You get 201 with the live_url to share and a one-time update_token — save the token if you ever want to re-encrypt and PATCH the same link in place. Full contract at pastehtml.dev/llms.txt.

What's inside the locked page

No magic — just the mirror image of the forge. The published file embeds your blob in a <script type="application/json"> tag and runs this on unlock. Here is the exact template the forge ships (read it, audit it, tweak it):

Loading template…

When the password is right, the decrypted bytes are dropped into a sandboxed <iframe> via srcdoc, so even full HTML documents render correctly while staying isolated. When it is wrong, AES-GCM's authentication tag rejects it and the unlock screen shakes — no plaintext leaks either way.

Stay secret out there.

A pastehtml.dev field guide. Built with the Web Crypto API and zero dependencies.

pastehtml.dev — share HTML in seconds. Free · Anonymous · Instant.