Transfer AES, RSA, or GPG encryption keys securely with zero-knowledge architecture.
An encryption key is the secret material that makes a cipher reversible. AES-256 symmetric keys (32 raw bytes, usually written as a 64-character hex string) use one value to encrypt and decrypt; if it leaks, every archive, backup, or LUKS volume sealed under it becomes plaintext. With GPG/PGP and RSA keypairs the math splits into a public half (safe to publish on a keyserver) and a private half that signs and decrypts — and confusing the two is the most common dev mistake we see.
The everyday channels for moving these keys are uniformly hostile. A `gpg --export-secret-keys` blob pasted into a Jira ticket sits in Atlassian's audit trail forever. A `.pem` file emailed as an attachment lands on Gmail's backup tape and on every IMAP-syncing device the recipient owns. Even a 'private' Confluence page exposes the material to space-admin role inheritance and search-index leakage.
PasteOnce is the right surface for moments when a raw key has to move — bootstrapping an HSM operator, rebuilding an offline GPG smartcard, escrow recovery after a departure, handing a backup-decryption key to incident response. Pair it with local format conversion, passphrase-protected exports, and rotation immediately after import.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
Use `gpg --export-secret-keys --armor KEYID` and confirm the protection passphrase has at least 80 bits of entropy. The s2k-count and s2k-cipher-algo settings in `~/.gnupg/gpg.conf` control the KDF strength applied to the exported block.
PEM-to-DER conversions run with `openssl rsa -in key.pem -outform der -out key.der`. PKCS#1 to PKCS#8 uses `openssl pkcs8 -topk8 -in key.pem -out key.pk8`. Never paste a private key into a browser-based converter, however convenient.
Public files end in `.pub`, `.crt`, or carry the `-----BEGIN PUBLIC KEY-----` armor; private blocks open with `BEGIN PRIVATE KEY`, `BEGIN ENCRYPTED PRIVATE KEY`, or `BEGIN PGP PRIVATE KEY BLOCK`. Read the first line of any export before sending.
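One way to automate the first-line check described above, as an added example that is not PasteOnce's own code. The function name `classify_key_export` and its labels are assumptions, and it goes beyond the headers listed here to cover legacy PEM (`BEGIN RSA PRIVATE KEY`), OpenSSH, and certificate headers:

```sh
#!/bin/sh
# Added example: label a key export by its first armor line before sending.
# Labels: private | private-encrypted | public | unknown

classify_key_export() (
    # Runs in a subshell so its variables stay local. Reads the export on stdin.
    cr=$(printf '\r')
    first="" second=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                       # tolerate CRLF exports
        case $line in
            *[![:space:]]*) ;;                   # has content, keep going
            *) continue ;;                       # skip blank lines
        esac
        if [ -z "$first" ]; then
            first=$line
        else
            second=$line
            break
        fi
    done

    case $first in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo private-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM announces passphrase protection on the next line.
            case $second in
                "Proc-Type: 4,ENCRYPTED") echo private-encrypted ;;
                *) echo private ;;
            esac ;;
        "-----BEGIN "*"PRIVATE KEY"*"-----")
            # PKCS#8, PGP and OpenSSH blocks. "private" here does not mean
            # unprotected: PGP and OpenSSH keep any passphrase protection
            # inside the encoded body, so the header alone cannot show it.
            echo private ;;
        "-----BEGIN "*"PUBLIC KEY"*"-----"|"-----BEGIN CERTIFICATE-----")
            echo public ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*)
            echo public ;;                       # OpenSSH one-line public key
        *)
            echo unknown ;;
    esac
)

# Constructed sample: header line only, no real key material.
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' | classify_key_export
# prints: private
```

Call it as `classify_key_export < export.asc` (a hypothetical file name) and stop if the label is not the one you expected to be sending.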
If you shared an AES data-encryption key, re-wrap the underlying ciphertext under a fresh DEK as soon as the recipient finishes. AWS KMS, GCP KMS, and HashiCorp Vault Transit all expose one-call rewrap APIs.
An engineer's YubiKey is destroyed in a luggage incident. The backup secret-key block lives on a USB drive at the office; a colleague exports it, PasteOnces the armored block, and the engineer imports it with `gpg --import` on an air-gapped VM.
Release engineering needs the symmetric key that decrypts a wrapped signing certificate in CI. Security generates a fresh value with `openssl rand -hex 32`, sends it on a one-hour TTL, RE imports it into Vault Transit, and the wrapping rotates same-day.
A former engineer encrypted a critical archive with their personal GPG key before leaving. The escrow officer retrieves the recovery key from the safe, PasteOnces it to the on-call who must decrypt the file today, and logs the access in the escrow ledger.
You are upgrading hardware and want the same long-term PGP identity. Export with `gpg --export-secret-keys --armor`, paste through PasteOnce between two browser sessions you control, import with `gpg --import`, and shred the old `~/.gnupg` directory.
`gpg --export` writes only the public certificate — safe to publish on `keys.openpgp.org`. `gpg --export-secret-keys` writes the private signing and decryption material; treat that output the way you would treat a root password.
Signal and WhatsApp both encrypt in transit, but history sits in cloud backups (iCloud for Signal opt-in, Google Drive for WhatsApp by default) which fall outside the app's encryption. PasteOnce avoids that residue: the ciphertext is destroyed by `GETDEL` on first read.
Run `openssl rsa -in key.pem -outform der -out key.der` for an RSA PKCS#1 key, or `openssl pkcs8 -topk8 -inform pem -in key.pem -outform der -out key.der -nocrypt` for PKCS#8. Both run locally.
Pasting a passphrase-protected key is safer than pasting an unprotected one, but the passphrase is the only thing standing between an interceptor and your key. Use real entropy (a long Diceware string, not a memorable phrase) and treat any leaked encrypted block as a brute-force timer.