Create zero-knowledge encrypted messages that self-destruct after a single view. No accounts, no logs, no way to recover. The ultimate in ephemeral communication.
Type or paste any sensitive content -- passwords, API keys, private notes, or confidential instructions.
AES-256-GCM encryption happens entirely client-side. The server never sees your plaintext data.
Send the generated URL to your recipient. The decryption key is embedded in the URL fragment (#), never sent to the server.
The moment the recipient opens the link, the ciphertext is permanently deleted from the database. No second chances.
Your message is encrypted before it leaves your browser. The server receives and stores only indecipherable ciphertext -- it has no ability to read your content.
When the recipient opens the link, the ciphertext is permanently deleted from the database. It is not merely marked as read or soft-deleted -- the record is removed entirely.
The decryption key lives exclusively in the URL fragment (the part after #). Browsers never send URL fragments to web servers -- this is enforced by the HTTP specification itself.
Send login credentials, database passwords, or SSH keys to a colleague without leaving them sitting in a Slack channel or email thread forever.
Share 2FA backup codes, recovery phrases, or temporary access tokens. The self-destruct ensures they cannot be retrieved by a third party after the intended recipient reads them.
Deliver deployment procedures, server configurations, or private operational details that should not persist beyond their immediate use.
Transmit sensitive information with the assurance that no server-side copy remains after the recipient views it. Zero-knowledge encryption means even CloakBin cannot read the content.
| CloakBin Burn | Signal Disappearing | One Time Secret | |
|---|---|---|---|
| Encryption type | Zero-knowledge (client-side AES-256) | End-to-end (Signal Protocol) | Server-side encryption |
| Self-destruct method | Deleted from DB on first view | Timer-based auto-delete | Deleted after first view |
| Requires account | No | Yes (phone number) | Optional |
| Open source | Yes | Yes | Yes |
| Custom expiry | Yes (time + burn) | Timer only | Limited |
No. Once a burn-after-reading paste is viewed, the ciphertext is permanently deleted from the database. There are no backups, no audit logs, and no recovery mechanism. This is by design.
No. The link works exactly once. After the first view, any subsequent visit to the same URL will show a "paste not found" message. The data no longer exists on the server.
Burn-after-reading protects data at rest (on the server) and in transit (via encryption). It cannot prevent a recipient from taking a screenshot or copying the decrypted text. No digital tool can prevent that.
Zero-knowledge encryption. One-time viewing. No accounts required.
Create Burn-After-Reading Paste