Announcing OOShare: Secure Secret & Image Sharing with Zero-Knowledge Encryption

By Diogo Hudson Dias

Every team has the same dirty secret: passwords, API keys, credentials, and sensitive screenshots get shared over Slack DMs, email, and text messages every single day. These messages sit in chat logs forever, backed up to corporate archives, indexed by search, synced across devices — a goldmine for anyone who gains access.

We built OOShare (Only Once Share) to fix this. Today we are launching it as a free, open-source tool at ooshare.io.

The Problem We Kept Running Into

At DHD Tech, we work with clients across multiple organizations. That means a constant stream of credentials flowing between teams: database passwords, SSH keys, API tokens, cloud console access, third-party service credentials. The handoff points are where security breaks down.

Here is what we saw happening — and what is probably happening at your company right now:

  • Slack messages with passwords — searchable forever by anyone in the workspace, persisted in backups, visible to admins, synced to every connected device
  • Emails with credentials — forwarded, archived, synced to phones, and backed up in ways nobody tracks
  • Shared documents with API keys — Google Docs and Notion pages that outlive the project they were created for
  • Screenshots of console passwords and ID documents — sitting in camera rolls, synced to iCloud, backed up to Google Photos, accessible from any linked device

The root problem is persistence. These channels are designed to store everything permanently. That is great for conversations — it is terrible for secrets. And images are even worse: unlike a password you can rotate, a leaked passport scan, medical record, or signed contract cannot be un-leaked.

What OOShare Does

OOShare lets you create encrypted, self-destructing links for sensitive information — both text and images in the same link. The workflow is simple:

  1. Type or paste your secret — text up to 50,000 characters
  2. Attach an image (optional) — JPEG, PNG, GIF, or WebP up to 10 MB
  3. Set an expiration — choose from 1, 4, 12, 24, 48, or 72 hours
  4. Get a one-time link — share it over any channel you like
  5. Recipient opens it once — text and image are displayed, then the link self-destructs permanently

If the link expires before being opened, the encrypted data is deleted automatically. If someone tries the link a second time, they see "Secret Not Available." There is no archive, no search index, no backup. The secret existed for exactly one viewing.

Why Encrypted Image Sharing Matters

Most secret-sharing tools only handle text. But some of the most sensitive information people need to share comes as images:

  • Identity documents — passports, driver's licenses, and national IDs contain your full name, date of birth, photo, and document numbers. HR teams request these during onboarding. Real estate agents need them for lease agreements. Once leaked, you cannot change your passport number.
  • Medical records and imaging — healthcare providers share diagnostic images between specialists. These are protected by regulations like HIPAA and GDPR, yet they still get emailed as attachments.
  • Legal documents — signed contracts, settlement agreements, and court filings. Lawyers regularly share these with clients and opposing counsel via email.
  • Financial records — bank statements, tax documents, and payment confirmations containing account numbers and personal data.
  • Screenshots of admin consoles — configuration screenshots, error logs with sensitive data, and access credentials captured from dashboards.

Unlike passwords, compromised images cannot be easily rotated or changed. A leaked passport scan is permanently compromised. OOShare is the first free, open-source tool that encrypts images with the same zero-knowledge architecture used for text — the server never sees the original image.

How the Encryption Works

The most important design decision in OOShare is client-side, zero-knowledge encryption. Here is exactly what happens when you create a secret:

  1. Your browser generates a random encryption key using the Web Crypto API
  2. Both your text and image are encrypted locally with AES-256-GCM — the same standard used by governments and financial institutions worldwide
  3. Each secret gets its own unique key derived using HKDF-SHA-256 (HMAC-based Key Derivation Function), with the secret ID as context — so compromising one secret reveals nothing about any other
  4. The secret ID is bound as Additional Authenticated Data (AAD) during encryption, cryptographically tying each encrypted payload to its specific secret. Any tampering attempt causes decryption to fail
  5. Only the encrypted ciphertext is sent to the server and stored temporarily in Redis
  6. The decryption key is placed in the URL fragment (the part after the #). Per RFC 3986, browser URL fragments are never sent to servers in HTTP requests — the key never leaves the sender's and recipient's browsers

When the recipient opens the link, the server performs an atomic GETDEL operation in Redis — it retrieves the encrypted data and deletes it in a single operation, making it impossible to read twice. The browser then uses the key from the URL fragment to decrypt everything locally.

This means even if someone compromises the OOShare server, they get a pile of encrypted blobs with no keys to decrypt them. The keys only ever exist in the browser of the sender and the recipient. We cannot read your secrets. Nobody can.
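The scheme described in the steps above, as an added example that is not taken from the OOShare code base: it derives the per-secret key with HKDF-SHA-256, binds the secret ID as AAD, and shows that a wrong ID or a flipped ciphertext bit is rejected. The empty HKDF salt, 12-byte IV, hex-encoded fragment, the `share.example` URL layout and all function names are assumptions made for the sketch.

```javascript
// Added sketch, not OOShare's source. Web Crypto in browsers; fallback for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Per-secret AES-256-GCM key: HKDF-SHA-256 over the random link key, with the
// secret ID as context (info). The empty salt is an assumption of this sketch.
async function deriveKey(linkKey, secretId) {
  const ikm = await wc.subtle.importKey("raw", linkKey, "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(0), info: enc.encode(secretId) },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function seal(plaintext, secretId) {
  const linkKey = wc.getRandomValues(new Uint8Array(32)); // stays in the URL fragment
  const iv = wc.getRandomValues(new Uint8Array(12));      // fresh nonce per encryption
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(secretId) }, // secret ID as AAD
    await deriveKey(linkKey, secretId), enc.encode(plaintext));
  return { linkKey, stored: { iv, ciphertext: new Uint8Array(ct) } }; // server sees only `stored`
}

async function unseal(stored, linkKey, secretId) {
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: stored.iv, additionalData: enc.encode(secretId) },
    await deriveKey(linkKey, secretId), stored.ciphertext);
  return new TextDecoder().decode(pt);
}

// Runs the round trip plus the two failure cases and the fragment check.
async function demo() {
  const id = "constructed-id-1"; // constructed sample values throughout
  const { linkKey, stored } = await seal("db password: example-only", id);
  const verdict = (p) => p.then(() => "decrypted", () => "rejected");
  const flipped = { iv: stored.iv, ciphertext: stored.ciphertext.slice() };
  flipped.ciphertext[0] ^= 1; // single-bit tamper of the stored blob
  const hex = Array.from(linkKey, (b) => b.toString(16).padStart(2, "0")).join("");
  const url = new URL(`https://share.example/s/${id}#${hex}`);
  return {
    roundTrip: await unseal(stored, linkKey, id),
    wrongId: await verdict(unseal(stored, linkKey, "constructed-id-2")),
    tampered: await verdict(unseal(flipped, linkKey, id)),
    requestTarget: url.pathname + url.search, // what an HTTP request carries
    fragmentHexChars: url.hash.length - 1,    // key material, kept client-side
  };
}
```

When auditing a deployment, the same two negative cases (mismatched secret ID, modified ciphertext) are the ones to confirm fail closed in the real client.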

Why Open Source Matters for Security Tools

Security tools that ask you to trust them without showing their work have a fundamental credibility problem. We made OOShare open source under the MIT license (github.com/dhdtech/oos) because trust should be verifiable:

  • Audit the cryptography — verify that AES-256-GCM, HKDF-SHA-256, and the zero-knowledge architecture are implemented correctly
  • Self-host on your infrastructure — deploy OOShare with Docker on your own servers. The stack is React + Flask + Redis, fully containerized. Keep everything inside your network for data residency and compliance requirements
  • Fork and customize — adapt it to your organization's specific policies, expiration rules, or branding
  • Contribute — report bugs, suggest features, improve translations, or submit code. The community makes it stronger

Closed-source secret sharing tools ask you to trust their marketing. Open-source tools ask you to trust the math — and let you check it.

How OOShare Compares

There are other secret sharing tools available. Here is where OOShare is different:

  • vs. OneTimeSecret: OneTimeSecret encrypts server-side — your plaintext travels across the network and the server handles it before encryption. OOShare encrypts in your browser before anything is transmitted. OOShare also supports encrypted image sharing (OneTimeSecret does not), uses HKDF key derivation with AAD binding for cryptographic isolation, and is fully open source with Docker self-hosting
  • vs. Privnote: Similar server-side encryption concerns. No image support. Closed source — you cannot verify what happens to your data
  • vs. Password managers with sharing: Tools like 1Password and LastPass require both parties to have accounts on the same platform and often require paid plans for sharing features. OOShare requires nothing — no account, no subscription, just a link
  • vs. Encrypted messaging apps: Signal and WhatsApp are excellent for conversations, but messages persist on both devices indefinitely. They are designed for ongoing communication, not one-time credential handoffs. OOShare guarantees the secret exists for exactly one viewing

Built for Everyone

OOShare is completely free with no premium tier, no usage limits, and no account required. We built it because we needed it ourselves, and we believe every team deserves access to proper security tooling without a procurement process.

The tool is available in six languages — English, Chinese, Spanish, Hindi, Arabic, and Portuguese — with automatic detection from your browser settings. Whether you are a developer sharing API keys, an HR team onboarding new employees across countries, or an individual sending personal documents to a lawyer, OOShare works for you.

Key specifications:

  • Encryption: AES-256-GCM with HKDF-SHA-256 key derivation (browser-side)
  • Text: Up to 50,000 characters per secret
  • Images: JPEG, PNG, GIF, WebP up to 10 MB — encrypted with the same zero-knowledge architecture
  • Expiration: 1h, 4h, 12h, 24h, 48h, or 72h
  • Languages: English, Chinese, Spanish, Hindi, Arabic, Portuguese
  • Self-hosting: Docker Compose deployment with React + Flask + Redis
  • License: MIT — use it, fork it, deploy it however you want

Try OOShare Now

Head to ooshare.io and create your first encrypted link. No signup, no setup — paste your text, attach an image if needed, choose an expiration, and share the link.

Want to self-host or contribute? Check out the GitHub repository. Want to understand the security architecture in depth? Visit the security page.

Stop sending passwords and sensitive screenshots over Slack. Your future self — and your security team — will thank you.
