SafeMonk LogoSafeMonk

🔧 How SafeMonk Works

Understanding the technology behind secure secret sharing. See exactly how your data stays private every step of the way.

The Complete Process

🔑

1. Generate Key

Browser creates random 256-bit encryption key

🔒

2. Encrypt Data

Your secret is encrypted locally using AES-GCM

☁️

3. Store Safely

Only encrypted data reaches our servers

🔓

4. Decrypt & Burn

Recipient decrypts locally, then data is destroyed

🔐 Key Point: Your encryption key never leaves your browser. We only store encrypted gibberish that's useless without the key.

Creating a Secret

1Key Generation

When you click "Create Secure Link", your browser generates a cryptographically secure random 256-bit key using the Web Crypto API.

const key = crypto.getRandomValues(new Uint8Array(32))

2Initialization Vector

A unique 96-bit initialization vector (IV) is generated for each secret. This ensures the same message encrypted twice produces different ciphertext.

const iv = crypto.getRandomValues(new Uint8Array(12))

3AES-GCM Encryption

Your secret is encrypted using AES-GCM (Galois/Counter Mode), which provides both confidentiality and authenticity. This means the data is encrypted AND tamper-proof.

  • • Authenticated encryption
  • • Detects tampering
  • • Industry standard
  • • Hardware accelerated

4Server Upload

Only the encrypted data and metadata (IV, expiry time, view count) are sent to our servers. The encryption key stays in your browser.

Sent to server: Encrypted gibberish + metadata
Kept in browser: Encryption key

Two Ways to Share

🔗

Link-with-Key Mode

The encryption key is embedded in the URL fragment (after the # symbol). This part of the URL never reaches our servers.

https://www.safemonk.com/n/abc123#encryption-key-here

The highlighted part never leaves the recipient's browser

Pros:

  • • Quick and easy to share
  • • Single link contains everything
  • • No additional passwords needed

Best for:

  • • Quick password sharing
  • • Trusted communication channels
  • • Convenience over maximum security
🔐

Passphrase Mode

The encryption key is derived from a passphrase using PBKDF2 with 210,000 iterations. The passphrase never touches our servers.

Link: https://www.safemonk.com/n/abc123
Passphrase: Share separately via SMS/call

Pros:

  • • Maximum security
  • • No key in URL
  • • Brute-force resistant

Best for:

  • • Highly sensitive data
  • • Untrusted communication channels
  • • Maximum security requirements

Retrieving a Secret

👆

Safe Reveal

Recipient must click "Reveal Secret" button. This prevents accidental burns from link previews and crawlers.

Atomic Fetch

Database atomically decrements view counter and returns encrypted data. No race conditions possible.

🔓

Local Decrypt

Browser decrypts the data locally using the key from URL fragment or derived from passphrase.

🔥 Automatic Destruction

Secrets are automatically destroyed based on type:

Text Notes:

  • • View count reaches zero (burn-after-read)
  • • Expiration time is reached

Files:

  • • After successful download (burn-after-download)
  • • Expiration time is reached

Once destroyed, secrets cannot be recovered by anyone - including us.

File Encryption Process

Small Files (≤100MB)

1

Read File

Browser reads entire file into memory as ArrayBuffer

2

Encrypt Whole

Entire file encrypted with single AES-GCM operation

3

Upload Blob

Encrypted blob uploaded to secure storage

Large Files (>100MB)

1

Chunk File

File split into 1MB chunks for memory efficiency

2

Encrypt Chunks

Each chunk encrypted with unique IV and authenticated

3

Stream Upload

Chunks uploaded progressively as they're encrypted

🔒 File Security Features

  • • Each chunk has unique IV to prevent pattern analysis
  • • Additional Authenticated Data (AAD) binds chunks to their position
  • • Tampering with any chunk makes entire file unreadable
  • • Original filename encrypted and stored separately

Technical Specifications

Encryption

  • Algorithm: AES-GCM
  • Key Size: 256 bits
  • IV Size: 96 bits
  • Tag Size: 128 bits
  • Key Source: CSPRNG

Key Derivation

  • Function: PBKDF2
  • Hash: SHA-256
  • Iterations: 210,000
  • Salt Size: 128 bits
  • Output: 256 bits

Storage

  • Database: PostgreSQL
  • Files: Supabase Storage
  • Encoding: Base64URL
  • Cleanup: Automated
  • Backups: Encrypted only

Ready to Share Securely?

Now that you understand how SafeMonk works, review our security best practices for maximum protection.

Security Best Practices

Learn how to choose the right sharing mode, create strong passphrases, and stay secure.

Security Overview

Dive deeper into our security architecture and encryption standards.

Common Questions

Can SafeMonk see my secrets?

No. Your secrets are encrypted in your browser before being sent to our servers using our zero-knowledge architecture. We only store encrypted data that's useless without the encryption key, which never leaves your browser.

What happens if SafeMonk gets hacked?

Even if our entire database was stolen, attackers would only get encrypted gibberish. Without the encryption keys (which are never stored on our servers), the data is worthless.

How do you prevent link previews from burning secrets?

We use a "safe reveal" mechanism that requires a user click to fetch the secret. Automated systems like link preview generators can't trigger this action, so they can't accidentally burn your secret.

Can I recover a secret after it's burned?

No. Once a secret reaches its view limit or expires, it's permanently deleted from our systems. This is by design - true burn-after-read means no recovery is possible.