Frequently Asked Questions

Everything you need to know about SafeMonk's secure secret sharing. Can't find what you're looking for? Contact us!

1. Security & Privacy

Can SafeMonk see my secrets?

No, absolutely not. Your secrets are encrypted in your browser using AES-GCM encryption before being sent to our servers. We only store encrypted data that looks like random gibberish. The encryption keys never leave your browser, so even we cannot decrypt your secrets.

What happens if SafeMonk gets hacked?

Even if our entire database were stolen, attackers would only get encrypted data that's useless without the encryption keys. Since keys are never stored on our servers and only exist in your browser, the stolen data would be worthless. This is the power of zero-knowledge architecture.

How secure is the encryption?

We use AES-GCM with 256-bit keys - the same encryption standard used by governments and banks worldwide. For passphrase mode, we use PBKDF2 with 210,000 iterations to derive keys from passphrases, making brute-force attacks computationally infeasible.

How can I verify SafeMonk's security?

All encryption operations happen in your browser using the Web Crypto API. You can open your browser's developer tools and inspect the Network tab to see that only encrypted data is sent to our servers. The encryption keys never leave your browser.

Do you log or track anything?

We use privacy-focused Plausible Analytics to understand basic usage patterns (like page views) without collecting personal data or using cookies. We also log basic operational data (like when secrets are created or accessed) for system maintenance. We never log the content of secrets, encryption keys, or any personally identifiable information. Our zero-knowledge architecture makes this impossible anyway.

2. How It Works

What's the difference between link-with-key and passphrase mode?

Link-with-key mode embeds the encryption key in the URL fragment (after #), making it convenient but requiring secure link sharing. Passphrase mode derives the key from a passphrase using PBKDF2, offering maximum security since no key appears in the URL. Use passphrase mode for highly sensitive data.
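The two modes above, together with the AES-GCM and PBKDF2 parameters from "How secure is the encryption?", sketched with the Web Crypto API. This is an added example, not SafeMonk's code: the function names, SHA-256 as the PBKDF2 hash, the salt handling, the 96-bit IV layout and the base64url fragment encoding are assumptions, while the 256-bit AES-GCM key and the 210,000 iterations come from the page.

```javascript
// Added example, not SafeMonk's code. Browsers and Node 19+ expose
// globalThis.crypto; older Node falls back to node:crypto's webcrypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const AES = { name: "AES-GCM", length: 256 };
const USES = ["encrypt", "decrypt"];

// Link-with-key mode: random key whose raw bytes go in the URL fragment.
// The base64url encoding is an assumption; fragments are not sent in requests.
async function linkKey() {
  const key = await wc.subtle.generateKey(AES, true, USES);
  const raw = new Uint8Array(await wc.subtle.exportKey("raw", key));
  const fragment = btoa(String.fromCharCode(...raw))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return { key, fragment };
}

// Passphrase mode: PBKDF2 with 210,000 iterations (figure from the page).
// SHA-256 and the salt handling are assumptions; the salt is not secret.
async function passphraseKey(passphrase, salt) {
  const base = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 210000 },
    base, AES, false, USES);
}

// Fresh 96-bit IV per secret; the server would store IV || ciphertext+tag.
async function sealSecret(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(text));
  const blob = new Uint8Array(12 + ct.byteLength);
  blob.set(iv);
  blob.set(new Uint8Array(ct), 12);
  return blob;
}

// Returns the plaintext, or null when the key is wrong or the blob was
// altered: the AES-GCM tag check fails and decrypt() rejects.
async function openSecret(key, blob) {
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: blob.subarray(0, 12) }, key, blob.subarray(12));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

The null return covers the "wrong passphrase" and "corrupted URL fragment" cases alike, since both produce a key that fails the authentication tag.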

How does burn-after-read work?

When someone clicks 'Reveal Secret', our database atomically decrements the view counter and returns the encrypted data. Once the view count reaches zero, the secret is permanently deleted. We use PostgreSQL transactions to prevent race conditions, ensuring secrets are properly destroyed even under high load.

What prevents link previews from burning my secret?

We use a 'safe reveal' mechanism that requires a human click to fetch the secret. Automated systems like WhatsApp, Slack, or Discord link previews can't trigger this action, so they can't accidentally burn your secret. The secret is only fetched when someone deliberately clicks the reveal button. This is part of our burn-after-read technology.

How are files encrypted?

Small files (≤100MB) are encrypted as a single blob using AES-GCM. Large files (>100MB) are split into 1MB chunks, with each chunk encrypted separately using a unique IV. This prevents memory issues while maintaining security. Each chunk is authenticated to detect tampering.

Can I recover a secret after it's burned?

No, and this is by design. Once a secret reaches its view limit or expires, it's permanently deleted from our systems. True burn-after-read means no recovery is possible - not by you, not by us, not by anyone. This ensures maximum security for sensitive data.

3. Usage & Features

What types of secrets can I share?

You can share any text (passwords, API keys, private messages, code snippets) or files (documents, images, videos, archives). Files up to 500MB are supported. All data is encrypted the same way regardless of type.

How long can secrets be stored?

You can set expiration times from 5 minutes to 30 days. Secrets are automatically deleted when they expire, regardless of view count. Choose shorter times for maximum security, longer times for convenience.

What's the maximum file size?

Currently 500MB per file. Files over 100MB are automatically uploaded in encrypted chunks for reliability. This covers most use cases while keeping the service fast and reliable.

Do I need to create an account?

No! SafeMonk works completely anonymously. No registration, no email, no personal information required. Just create your secret and share the link. This enhances privacy and makes the service accessible to everyone.

Can I see who accessed my secret?

No, we don't provide access logs or tracking information. This is intentional - it maintains the privacy of both senders and recipients. You'll only know if a secret was accessed by checking if it's still available (if it was set to burn-after-read).

What happens to expired secrets?

Expired secrets are automatically deleted by our cleanup processes. For notes, this happens immediately when the expiration time is reached. For files, both the database record and the encrypted file storage are cleaned up. Nothing remains on our systems.

4. Best Practices

When should I use passphrase mode?

Use passphrase mode for highly sensitive data, when sharing over untrusted channels (like public forums), or when maximum security is required. The trade-off is convenience - you need to share both the link and passphrase through different channels.

How should I share the passphrase separately?

Share passphrases through a different communication channel than the link. For example: send the link via email and the passphrase via SMS, or share the link in Slack and call with the passphrase. This prevents a single compromised channel from exposing everything.

What makes a good passphrase?

Use a long, unique passphrase with mixed case, numbers, and symbols. Avoid dictionary words or personal information. Consider using a passphrase generator or a memorable sentence with substitutions. Remember: longer is better than complex.

Should I use burn-after-read (1 view)?

Yes, for maximum security. Once viewed, the secret is gone forever. Use multiple views only when necessary (like sharing with a team), and always use the minimum number needed. More views = more opportunities for exposure.

How do I verify the recipient got the secret?

Since we don't provide access logs, coordinate with the recipient through another channel. You can check if a burn-after-read secret is still available (if it is, it hasn't been viewed yet). For critical secrets, ask for confirmation through a separate communication method.

What should I do if I accidentally share a secret publicly?

If the secret hasn't been accessed yet, you can try to access it yourself to burn it (if it's set to 1 view). However, there's no way to 'recall' a secret once the link is public. This is why it's crucial to double-check recipients before sharing.

5. Technical

Which browsers are supported?

SafeMonk works in all modern browsers that support the Web Crypto API: Chrome, Firefox, Safari, Edge, and their mobile versions. The Web Crypto API is required for secure encryption operations.

Does SafeMonk work offline?

No, SafeMonk requires an internet connection to encrypt/decrypt secrets and communicate with our servers. The encryption happens in your browser, but the encrypted data is stored on our servers.

Can I use SafeMonk programmatically?

Currently, SafeMonk is designed for web browser use only. We don't offer a public API, but you can contact us if you have specific integration needs.

What happens if JavaScript is disabled?

SafeMonk requires JavaScript to function since all encryption operations happen in the browser using JavaScript and the Web Crypto API. Without JavaScript, the service cannot encrypt or decrypt secrets.

How do you handle rate limiting?

We implement basic rate limiting to prevent abuse, but it shouldn't affect normal usage. If you're hitting rate limits, please contact us. We may implement more sophisticated abuse prevention measures in the future.

6. Troubleshooting

Why can't I decrypt a secret?

Common causes: wrong passphrase, corrupted URL (especially the fragment after #), secret already burned/expired, or browser compatibility issues. Double-check the passphrase and ensure the entire URL was copied correctly.

The secret link doesn't work. What's wrong?

Ensure the complete URL was copied, including the fragment (everything after #). Some messaging apps or email clients might truncate URLs. Also check if the secret has expired or been accessed already if it was set to burn-after-read.

File upload is failing. Why?

Check that your file is under 500MB and your internet connection is stable. Large files take time to encrypt and upload. Files over 100MB are uploaded in chunks with a progress indicator. If problems persist, try a smaller file first to test if the issue is size-related.

I'm getting a 'Not found or expired' error.

This means the secret has either expired, reached its view limit, or never existed. Secrets cannot be recovered once they're destroyed. Double-check the URL and timing.

The page won't load or looks broken.

Try refreshing the page, clearing your browser cache, or trying a different browser. Ensure JavaScript is enabled. If problems persist, the issue might be on our end - check our status page or try again later.

Still have questions?

We're here to help! If you can't find the answer you're looking for, don't hesitate to reach out.
