dropKeys is a high-performance, secure web application designed for sharing environment variables, API keys, and sensitive documents with ease. Built with a "security-first" mindset, it combines ephemeral storage with robust encryption to ensure your secrets never stay around longer than they need to.
- End-to-End Encryption: Every secret is encrypted using AES-256 with a unique, randomly generated key before storage.
- Self-Destructing Secrets: Set expiration based on the number of reads or a specific time-to-live (TTL).
- Direct & Recipient Sharing: Share via a secure composite link or restrict access to specific Google-authenticated users.
- Activity Dashboard: Monitor your sent and received secrets. A blue "new" indicator lets you know when a document hasn't been unsealed yet.
- Premium Aesthetics: A sleek, dark-mode interface with snappy transitions and real-time loading feedback.
- Python 3.12+
- A PostgreSQL database (e.g., Neon.tech)
- An Upstash Redis instance
- Google Cloud Console credentials (for OAuth)
Clone the repository and install the dependencies:
git clone https://github.com/felixLandlord/dropKeys.git
cd dropKeys
# Using uv (recommended)
uv sync
# Or using pip
pip install -r requirements.txtCreate a .env file in the root directory and populate it with your credentials:
GOOGLE_CLIENT_ID="your_google_client_id"
GOOGLE_CLIENT_SECRET="your_google_client_secret"
GOOGLE_REDIRECT_URI="http://localhost:3000"
DATABASE_URL="postgresql://user:pass@host/db"
UPSTASH_REDIS_REST_URL="https://your-redis-url.upstash.io"
UPSTASH_REDIS_REST_TOKEN="your_redis_token"Initialize the database tables:
uv run python -c "from dropKeys.database import Base, engine; Base.metadata.create_all(bind=engine)"Start the Reflex development server:
uv run reflex runThe app will be available at http://localhost:3000.
Enter your secret content, set the project name, and define the expiration rules. You can also add specific recipient emails to restrict access.
Once shared, you'll receive a unique "Composite Key" URL. This key contains the document ID and the decryption key itself—the server never stores the decryption key, meaning only those with the link can ever see the content.
When a recipient opens a link or clicks "Unseal" in their activity feed, they are prompted to unseal the document.
The app then fetches the encrypted payload from Redis, decrypts it locally in the session, and displays the plaintext content.
The dashboard provides a central hub to see everything you've shared or received. New documents are clearly marked with a blue indicator.
- Transport: All communication is secured via HTTPS/WSS.
- Encryption: Uses
pycryptodomefor AES-256-GCM encryption. - Storage Isolation: Metadata (names, dates, recipients) is stored in Postgres, while the encrypted blobs are stored in Upstash Redis with a hardware-enforced TTL.
- Zero-Knowledge Keys: The encryption keys are included in the URL fragments (hashes) and are never logged or stored in the database.
Built using Reflex
Inspired by the original envshare by chronark.





