Transfer cryptocurrency wallet keys, SSL certificates, or any private keys with encryption.
A private key in the wallet, TLS, or code-signing sense is bearer authority over money, identity, or distribution. A 12- or 24-word BIP-39 seed reconstructs every Bitcoin and Ethereum account under BIP-32/BIP-44; whoever types those words into Sparrow or MetaMask owns the coins, no chargeback. A leaked TLS server key paired with your Let's Encrypt certificate lets an on-path attacker impersonate your domain until OCSP propagates. A leaked Authenticode or `DeveloperIDApplication` key lets attackers ship malware that customer machines trust.
Default channels punish you in unusual ways. Photos of a Ledger or Trezor recovery card uploaded to iCloud run through OCR and become indexed text. A `.p12` PFX bundle in Slack sits in the workspace export forever. A seed dictated over Zoom is captured by Otter.ai into a transcript. Apple Notes syncs through CloudKit unless explicitly locked.
PasteOnce fits narrow handoffs that genuinely need a key in transit: provisioning a hardware wallet from a custodian's offline keygen, restoring a TLS key onto an edge node before ACME is wired, or escrowing a signing key into HashiCorp Vault's Transit Engine. Pair with hardware-backed storage (Ledger, Trezor, YubiHSM 2, AWS CloudHSM) and rotate on import.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
For high-value wallets, run Ian Coleman's BIP-39 tool on an offline laptop, or use a Coldcard Mk4 or SeedSigner. The 24-word phrase ideally never touches a connected machine; when transit is unavoidable, send via PasteOnce.
Re-encrypt with `openssl pkcs8 -topk8 -v2 aes-256-cbc -in server.key -out server.enc.key` before pasting. The passphrase travels on a different channel — voice call, signed Signal — so leaking either half alone is non-fatal.
Move signing material into AWS CloudHSM, YubiHSM 2, Azure Key Vault Premium (FIPS 140-2 Level 3), or HashiCorp Vault Transit. The key never leaves the boundary; engineers submit artifacts to a sign endpoint and receive the signature with audit logs.
Trezor's SLIP-0039 and `ssss-split` divide a seed into N shares with a K threshold. Distribute shares geographically; no single courier holds enough to reconstruct. PasteOnce one share at a time over distinct channels rather than the full seed.
Your hardware wallet bricks mid-firmware-update; the recovery card sits in a deposit box across the country. A family member reads the words into PasteOnce on an offline-then-bridged laptop, you import into a Nano S Plus, then sweep to a freshly generated seed.
An ops engineer provisions a HAProxy box before ACME is configured. The wildcard private key has to land once. PasteOnce delivers the AES-wrapped `.key` from a jump host; the engineer imports into `/etc/ssl/private` and rotates at the next renewal.
A Mac packaging firm needs your Developer ID Installer key for a quarterly notarized build. You export with `security export -k login.keychain -t identities -f pkcs12 -P passphrase`, share the `.p12` via PasteOnce and the passphrase by phone, then revoke in App Store Connect after the build ships.
Effectively never: a seed phrase should not be typed into a hot (online) website. PasteOnce is a narrow exception because encryption happens in your browser and the ciphertext self-destructs on first read. Prefer hardware-wallet recovery flows that keep the words on the device, and sweep funds to a fresh seed within the hour.
Auditors accept a documented, time-bounded handoff with rotation evidence. Encrypt the `.key` with AES-256 before paste, log it in change management, and rotate the certificate after import. Long-term, move to ACME automation (cert-manager, Caddy) so keys never leave the issuing host.
This page covers keypairs that authenticate a person, server, or wallet to the outside world: BIP-39 seeds, X.509 server keys, Authenticode and Apple Developer ID. Use share-encryption-key for symmetric AES and GPG/PGP, and share-ssh-key for OpenSSH login.
Yes, for high-value wallets, split the seed rather than storing it whole. Use a proper Shamir scheme (SLIP-0039 or `ssss-split` 3-of-5) rather than naive halving: splitting words 1-12 from 13-24 still leaks meaningful entropy if one half is intercepted, whereas any share set below the Shamir threshold reveals nothing. Assemble shares inside an offline wallet.
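Both the K-of-N share distribution above and the warning against naive halving rest on Shamir secret sharing. The following is a minimal Python implementation added here as an illustration; it is not PasteOnce's code, nor SLIP-0039 or `ssss-split`, which add checksums, word encoding and GF(256) arithmetic. It assumes a large prime field and a constructed 32-byte value in place of real seed entropy, and shows that two of five shares at threshold three recover nothing useful.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1, large enough to hold the 256-bit
# entropy behind a 24-word BIP-39 phrase as a single field element.
P = (1 << 521) - 1

def _eval_poly(coeffs, x):
    """Horner evaluation mod P; coefficients are in ascending degree order."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y) so that any k of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or s >= P:
        raise ValueError("need 1 <= k <= n and a secret that fits in the field")
    # Degree k-1 polynomial with the secret as constant term; the remaining
    # coefficients are uniformly random, so any k-1 shares reveal nothing.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares) -> int:
    """Lagrange-interpolate f(0): the secret with >= k distinct shares, a random field element otherwise."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s

def demo() -> bool:
    # Constructed 32-byte stand-in for seed entropy (not a real wallet secret).
    entropy = bytes(range(32))
    expected = int.from_bytes(entropy, "big")
    shares = split_secret(entropy, 3, 5)  # 3-of-5, as recommended above
    any_three = recover_secret([shares[0], shares[2], shares[4]]) == expected
    # Two shares are below the threshold and yield an unrelated random value.
    below = recover_secret(shares[:2]) != expected
    return any_three and below
```

Each share is an (index, value) pair; in practice the index travels with the value so the recipient can reassemble shares received over different channels in any order.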