An end-to-end encrypted scratchpad for people juggling VMs, RDP sessions, SSH boxes, Azure Bastion tabs, and locked-down admin desktops. Pair a password with a 5-character code and move anything from one side to the other — text, screenshots, logs, config snippets, files, video. Real-time sync in under 100 ms over WebSocket. A plain gpg + curl path helps when direct scp, sftp, or clipboard sync is blocked or annoying. The server only ever sees ciphertext.
It stays in your browser. PBKDF2-SHA256 derives the session key locally; nothing crosses the wire until it's already AES-256-GCM ciphertext.
A fresh pad is reserved in memory on the server. Hand the code to your other machine through whatever channel you trust.
Ctrl+V text or images. Drag files. Drop a video. Every other device in the same pad sees it live over a WebSocket.
Every paste is authenticated-encrypted in the browser. 12-byte IV per item, item id bound as additional data. The server only ever sees opaque ciphertext as it fans messages out.
Your password never leaves the tab. Only the salt crosses the wire, and security rests on the password plus the AEAD tag.
Anything the clipboard and drag-and-drop accept. Previews render client-side after decryption, lazily per card.
Each pad gets its own random 32-byte token at creation. The ciphertext goes to joiners in the challenge; the raw bytes stay private to the server. Joiners must decrypt with the right key and echo the bytes exactly. Knowing the 5-char code doesn't help — without the password, the echo can't be forged.
Your content lives in the browser tabs that hold the pad open. The server forwards ciphertext between peers and keeps only each pad's 5-char code, PBKDF2 salt, and its challenge token (ciphertext + private plaintext) — routing metadata, nothing else.
When the last device disconnects, a 15-minute timer starts. If nobody rejoins, the pad's routing metadata is discarded and the 5-char code becomes reusable.
Every pad ships a gpg --symmetric --cipher-algo AES256 + curl -T recipe. Push a log file up, pull a screenshot down with curl | gpg --decrypt. Your password is the passphrase — the server sees only OpenPGP ciphertext.
Text crosses devices in well under 100 ms. Binary payloads are bandwidth-bound, not server-bound — the bytes flow straight through and never cache.
Pick a password, get a code, go. No sign-up, no email, no app. Works in any modern browser and on any box with gpg and curl — standard tools, nothing extra to install.
Live pads, lifetime totals, and a 30-day activity graph are all open at /stats. No ips, no pad codes, no content in the log — just enum counts. Raw JSON at /api/stats.
You're in an Azure Bastion session and just need a log bundle, a config file, or a screenshot on your local machine. Open the pad in the Bastion-side browser, then pull or push through the same code from your laptop or a terminal.
You're SSH'd into a box with no GUI. Paste the traceback into a pad from the CLI, Ctrl+V it into Slack or a bug tracker on your laptop.
scp is the wrong level of effortYou do not need to reconfigure firewall rules, open SFTP, or mount a shared drive just to move one archive, cert, or env file through a Linux bastion or admin box.
Remote desktops love to eat your clipboard. Grab a screenshot on the remote, paste it into the pad, and it's instantly on your local machine ready for an email or ticket.
scpCI runner pushes the .zip into the pad; your laptop pulls it down. No SSH keys to exchange, no file share to set up, no cloud account to log into.
Two machines, two tabs, one password. Paste JSON, env files, or a long URL on one side and it appears on the other in milliseconds.
Pad is ephemeral. Share a password + code over Signal, paste the file, they download it, everyone walks away, the pad evicts itself.
Open the pad on your phone's browser, paste from the share sheet, pick it up on your desktop a second later.
This is not just a generic web paste tool. It is useful in the awkward spaces between a browser, a terminal, a bastion host, and a desktop where normal file transfer is blocked, overkill, or unreliable.
When you are already inside Azure Bastion and just need to get a log, config, screenshot, or small archive in or out, ctrlc-ctrlv gives you a fast handoff path without turning the task into a full SFTP or shared-storage exercise. Open the pad in the Bastion-side browser, then pull from your local browser or a terminal with the CLI.
Sometimes the problem is not how to automate a whole deployment. It is how to move one traceback, cert, JSON payload, or build artifact from a Linux shell to your workstation right now. The CLI path keeps that flow simple: join the same pad, authenticate with the password, and upload or download without setting up another transfer channel.
VDIs, RDP hosts, secure admin workstations, and browser hardening policies regularly block clipboard sync or make it flaky. That is exactly where a browser tab plus a 5-character code helps: type or paste on one side, open the same pad on the other, and use the item-level CLI or manual-copy fallback when browser clipboard APIs are restricted.
During an incident, the fastest path matters more than the perfect path. Teams use pads to hand off support bundles, screenshots, exported traces, and temporary config patches between a shell, a browser, and another engineer. The pad stays ephemeral, the content stays encrypted, and the operator does not have to stop to wire up a heavier transfer mechanism.
The pattern is simple: one machine has the thing, another machine needs the thing, and the normal transfer path is blocked, flaky, slow to set up, or too broad for a one-off handoff.
Support teams often need one screenshot, one exported settings file, or one crash log out of a remote session right now. A temporary pad is lighter than asking the user to upload to another system or opening a broader shared folder path.
SOC and IR work regularly happens across segmented tools and locked-down desktops. Pads are useful for moving a suspicious URL, a few hashes, a clipped event sample, or a small exported report without relying on email, chat paste limits, or unrestricted clipboard sync.
Managed-service teams and consultants are constantly in different Bastion hosts, RDP sessions, tenant portals, and temporary admin desktops. A browser-first encrypted handoff flow is useful when every client has a different rule set and you still need to move a file or snippet in minutes, not hours.
Test environments are full of machines that are technically reachable but awkward to work with. When you only need the failing artifact, not a full automation pipeline, the pad gives testers a fast way to move evidence onto the machine where the bug ticket or analysis actually happens.
In training labs and classroom environments, participants often need a simple way to move starter files, answers, logs, or screenshots between a lab VM and their own machine without teaching a whole separate transfer tool first.
When a technician has one browser window, one remote session, and a local admin laptop, getting a config dump or diagnostic artifact off the target can be more important than building the perfect permanent workflow. A short-lived encrypted pad is often enough.
The frontend is plain HTML, CSS, and ES-module JavaScript — no bundler, no minifier, no transpiler. What you read is what your browser runs. Every crypto call happens in files you can open in a new tab and read top to bottom.
/index.html
The page itself. Same markup you're looking at now.
/js/crypto.js
PBKDF2 + AES-256-GCM via WebCrypto. ~60 lines, nothing else.
/js/app.js
UI controller: paste, drop, decrypt-per-card, peer replay.
/js/ws-client.js
WebSocket with automatic HTTP long-poll fallback.
/js/gpg.js
OpenPGP symmetric glue for the gpg + curl transfer path. Loads openpgp.js on demand.
/stats.html
Public usage-stats page. Same header, same theme, same footer.
/js/stats.js
Fetches /api/stats, renders the counters and the 30-day inline SVG chart.
/css/stats.css
Layout for the stats page. Reuses theme tokens from the rest of the site.
/api/stats
The raw aggregate JSON the stats page renders. Public, cached 10s, no PII.
gpg --symmetric --cipher-algo AES256 file, then curl -T file.gpg host/g/<CODE>. A browser tab open in the pad decrypts the .gpg blob with the same password and re-emits it to the other peers — the server never sees plaintext. Every item card also has a one-shot /g/<TOKEN> pull link, so curl | gpg --decrypt works in the other direction too.scp, or sftp is blocked, flaky, or just excessive for the job, you can use the pad in a browser tab on the Bastion or desktop side and the same pad on your local machine or terminal. It works well for logs, screenshots, config snippets, support bundles, and one-off files that need to move quickly without opening a broader transfer path./index.html — this page/js/app.js — UI controller, paste/drop, card rendering/js/crypto.js — PBKDF2 + AES-256-GCM via WebCrypto/js/ws-client.js — WebSocket / long-poll transport/js/gpg.js — OpenPGP symmetric glue for the gpg + curl transfer path/stats.html — the public usage-stats page/js/stats.js — stats fetch + inline-SVG chart rendering/css/stats.css — stats page layout (shares theme with the rest of the site)/api/stats — raw aggregate JSON feed (public, no PII)/api/stats. The stats database holds small enum rows (kind, timestamp, optional byte count) — no ips, no pad codes, no item ids, no content. If the DB leaked you would learn the service load and nothing about any user.
Insecure mode. The server will briefly see this file decrypted
while it streams it to curl. Only use this when gpg
is unavailable and the file is not that sensitive — otherwise use
the GPG button,
which keeps the bytes encrypted end-to-end.
generating…
The link works once and expires in 5 minutes. This browser tab must stay open for the server to relay the decrypted file.
Encrypt locally with the pad password using plain gpg, then push the
.gpg file with curl. No Python, no extra script — just
the tools that ship with every Linux box.
A browser tab must stay open in this pad while the upload runs: this tab
decrypts the blob with the same password and relays it to other peers.
gpg will prompt for a passphrase on the terminal — type the same password you used
in this browser. For a single-file pull, click the
GPG button on that card.
The server never sees plaintext in either direction: the .gpg blob is already
encrypted with your password.
Run this on any box with gpg and curl. The link works once
and expires in 5 minutes. Enter the same password you used in this browser when gpg asks.
This browser tab must stay open in the pad while the command runs —
it's what encrypts the bytes before they ever reach the server.
Clipboard access is blocked here. Select the text below and copy it manually.