Project

yopass

0.82
No release in over 3 years
yopassjhaals/yopassHomepageDocumentationSource CodeBug Tracker
Web service for sharing secrets more securely
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
47,895
Stars
2,295
Forks
334
Watchers
21
 Releases
Current version
3.0.7
Total releases
19
First release
2014-01-24
Latest release
2015-04-15
 Issues
Open Issues
3
Closed Issues
191
Total Issues
194
Issue Closure Rate
98%
 Pull Requests
Open Pull Requests
5
Closed Pull Requests
654
Merged Pull Requests
2,145
Pull Request Acceptance Rate
76%
 Development
Primary Language
TypeScript
Licenses
Apache 2.0
Average date of last 50 commits
2025-09-04
Reverse Dependencies
0

 Dependencies

Development

rake
~> 10.4
rspec
~> 3.0

Runtime

encryptor
~> 1.3
memcached
~> 1.8
rack
< 1.6, >= 1.5.0
sinatra
~> 1.4
sinatra-contrib
~> 1.4
thin
>= 0
 Project Readme

Yopass-horizontal

Yopass - Share Secrets Securely

Go Report Card codecov GitHub release (latest SemVer)

demo

Yopass is a project for sharing secrets in a quick and secure manner. The sole purpose of Yopass is to minimize passwords floating around in ticket management systems, Slack messages, and emails. Messages are encrypted/decrypted locally in the browser and sent to Yopass without the decryption key, which is only visible once during encryption. Yopass then returns a one-time URL with a specified expiry date.

There is no perfect way of sharing secrets online, and there is a trade-off in every implementation. Yopass is designed to be as simple and "dumb" as possible without compromising security. There's no mapping between the generated UUID and the user who submitted the encrypted message. It's always best to send all context except the password over another channel.

Demo available here. It's recommended to host yopass yourself if you care about security.

  • End-to-End encryption using OpenPGP
  • Secrets can only be viewed once
  • No accounts or user management required
  • Secrets self destruct after X hours
  • Custom password option
  • Limited file upload functionality

History

Yopass was first released in 2014 and has since been maintained by me and contributed to by this fantastic group of contributors. Yopass is used by many large corporations, some of which are listed below.

If you are using Yopass and want to support the project beyond code contributions, you can give thanks via email, consider donating, or give consent to list your company name as a user of Yopass in this readme.

Trusted by

Command-line interface

The main motivation of Yopass is to make it easy for everyone to share secrets quickly via a simple web interface. A command-line interface is also provided to support use cases where program output needs to be shared.

$ yopass --help
Yopass - Secure sharing for secrets, passwords and files

Flags:
      --api string          Yopass API server location (default "https://api.yopass.se")
      --decrypt string      Decrypt secret URL
      --expiration string   Duration after which secret will be deleted [1h, 1d, 1w] (default "1h")
      --file string         Read secret from file instead of stdin
      --key string          Manual encryption/decryption key
      --one-time            One-time download (default true)
      --url string          Yopass public URL (default "https://yopass.se")

Settings are read from flags, environment variables, or a config file located at
~/.config/yopass/defaults.<json,toml,yml,hcl,ini,...> in this order. Environment
variables have to be prefixed with YOPASS_ and dashes become underscores.

Examples:
      # Encrypt and share secret from stdin
      printf 'secret message' | yopass

      # Encrypt and share secret file
      yopass --file /path/to/secret.conf

      # Share secret multiple time a whole day
      cat secret-notes.md | yopass --expiration=1d --one-time=false

      # Decrypt secret to stdout
      yopass --decrypt https://yopass.se/#/...

Website: https://yopass.se

The following options are currently available to install the CLI locally.

  • Compile from source (requires Go >= v1.21)

    go install github.com/jhaals/yopass/cmd/yopass@latest

Installation / Configuration

Here are the server configuration options.

Command line flags:

$ yopass-server -h
      --address string          listen address (default 0.0.0.0)
      --database string         database backend ('memcached' or 'redis') (default "memcached")
      --max-length int          max length of encrypted secret (default 10000)
      --memcached string        Memcached address (default "localhost:11211")
      --metrics-port int        metrics server listen port (default -1)
      --port int                listen port (default 1337)
      --redis string            Redis URL (default "redis://localhost:6379/0")
      --tls-cert string         path to TLS certificate
      --tls-key string          path to TLS key
      --cors-allow-origin       Access-Control-Allow-Origin CORS setting (default *)
      --force-onetime-secrets   reject non onetime secrets from being created
      --disable-upload          disable the /file upload endpoints
      --prefetch-secret         display information that the secret might be one time use (default true)
      --disable-features        disable features section on frontend
      --no-language-switcher    disable the language switcher in the UI

Encrypted secrets can be stored either in Memcached or Redis by changing the --database flag.

Docker Compose

Use the Docker Compose file deploy/with-nginx-proxy-and-letsencrypt/docker-compose.yml to set up a Yopass instance with TLS transport encryption and automatic certificate renewal using Let's Encrypt. First, point your domain to the host where you want to run Yopass. Then replace the placeholder values for VIRTUAL_HOST, LETSENCRYPT_HOST, and LETSENCRYPT_EMAIL in the docker-compose.yml file with your values. Change to the deployment directory and start the containers:

docker-compose up -d

Yopass will then be available under the domain you specified through VIRTUAL_HOST / LETSENCRYPT_HOST.

Advanced users who already have a reverse proxy handling TLS connections can use the insecure setup:

cd deploy/docker-compose/insecure
docker-compose up -d

Then point your reverse proxy to 127.0.0.1:80.

Docker

With TLS encryption

docker run --name memcached_yopass -d memcached
docker run -p 443:1337 -v /local/certs/:/certs \
    --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211 --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt

Yopass will then be available on port 443 through all IP addresses of the host, including public ones. To limit availability to a specific IP address, use -p 127.0.0.1:443:1337.

Without TLS encryption (needs a reverse proxy for transport encryption):

docker run --name memcached_yopass -d memcached
docker run -p 127.0.0.1:80:1337 --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211

Then point your reverse proxy that handles TLS connections to 127.0.0.1:80.

Kubernetes

kubectl apply -f deploy/yopass-k8.yaml
kubectl port-forward service/yopass 1337:1337

This is meant to get you started, please configure TLS when running yopass for real.

Monitoring

Yopass optionally provides metrics in the OpenMetrics / Prometheus text format. Use flag --metrics-port <port> to let Yopass start a second HTTP server on that port making the metrics available on path /metrics.

Supported metrics:

  • Basic process metrics with prefix process_ (e.g. CPU, memory, and file descriptor usage)
  • Go runtime metrics with prefix go_ (e.g. Go memory usage, garbage collection statistics, etc.)
  • HTTP request metrics with prefix yopass_http_ (HTTP request counter, and HTTP request latency histogram)

Translations

Yopass accepts translations for additional languages. The modern frontend includes built-in internationalization support using react-i18next, with English and Swedish currently available. Translation contributions are welcome via pull requests.