Vanisec

Vanisec is a self-hosted platform for sharing secrets safely. You paste a secret (API key, password, token, or any sensitive text), get a one-time encrypted link, and share it. The moment the recipient opens the link, the secret is deleted — it can never be viewed again.

Repository: clouddrove/vanisec

Stack: Next.js · TypeScript · Redis · Helm

Features

One-time access — secrets are deleted immediately after the first view
Configurable expiry — 1 hour to 7 days (default 24 hours)
Optional password protection — add a passphrase for a second factor
Cryptographically secure URLs — unguessable link IDs
Redis TTL cleanup — secrets are automatically purged on expiry even if never opened
Non-persistent handling — secrets are never logged or written to disk
Production-ready — Kubernetes/Helm support, non-root Docker container, health endpoints

Deployment

Docker Compose (quickest)

git clone https://github.com/clouddrove/vanisec.git
cd vanisec

# Start app + Redis
export DOCKER_BUILDKIT=1
export COMPOSE_DOCKER_CLI_BUILD=1
docker-compose up -d --build

Open http://localhost:3000.

Local development

Prerequisites: Node.js 20+, Redis 7+

git clone https://github.com/clouddrove/vanisec.git
cd vanisec
npm install

# Start Redis (or use Docker)
docker run -d -p 6379:6379 redis:7-alpine

# Copy and edit env
cp .env.example .env.local
# Set REDIS_URL and NEXT_PUBLIC_BASE_URL

npm run dev

Kubernetes via Helm

# Embedded Redis (default)
helm install vanisec ./_infra/helm/vanisec

# External Redis
helm install vanisec ./_infra/helm/vanisec \
  --set redis.enabled=false \
  --set env.REDIS_URL=redis://your-redis-host:6379

Configuration

Environment variables

Variable	Required	Description
`REDIS_URL`	Yes	Redis connection string (e.g., `redis://localhost:6379/3`)
`NEXT_PUBLIC_BASE_URL`	Yes	Public URL of the app (e.g., `https://secrets.mycompany.com`)
`REDIS_PASSWORD`	No	Redis auth password
`GA_ID`	No	Google Analytics measurement ID
`NODE_ENV`	No	`production` or `development`

Helm values (key options)

Value	Default	Description
`redis.enabled`	`true`	Deploy Redis alongside the app
`replicaCount`	`1`	Number of app replicas
`ingress.enabled`	`false`	Enable Ingress resource
`ingress.tls`	—	TLS configuration for HTTPS
`resources.limits`	—	CPU/memory limits for the container

How it works

User pastes secret
        ↓
Next.js encrypts it
        ↓
Stored in Redis with TTL
        ↓
User shares the one-time URL
        ↓
Recipient opens URL → Redis key deleted immediately
        ↓
Secret is gone — permanently

Running scripts

npm run dev      # Development server with hot reload
npm run build    # Production build
npm start        # Start production server
npm run lint     # Lint TypeScript

Use cases

Sharing database passwords with a new team member at onboarding
Sending API keys or tokens through a messaging app without leaving a permanent trace
Distributing temporary credentials to contractors
Any situation where the recipient should see a secret exactly once

Features​

Deployment​

Docker Compose (quickest)​

Local development​

Kubernetes via Helm​

Configuration​

Environment variables​

Helm values (key options)​

How it works​

Running scripts​

Use cases​