Hi Product Hunt! I am Dippan, a student developer, and I am incredibly excited to share ZeroKey with you today. I built ZeroKey because I realized most "secure" file-sharing and messaging platforms still handle your decryption keys on their backend. If their servers are breached, or if an admin decides to peek, your data is compromised. I wanted to build a system where the server mathematically cannot read the data it holds. Here is how the architecture ensures zero-knowledge: Client-Side Only: All AES-256-GCM encryption and PBKDF2 key derivation happens locally in the browser using the native Web Crypto API. The URL Fragment Exploit: The decryption key is appended to the shareable link as a hash (#). Browsers never transmit URL fragments to the server, meaning the Vercel/Supabase backend only ever sees ciphertext. True Burn-After-Reading: Once the frontend successfully decrypts the payload, a serverless function executes a hard DELETE command on the PostgreSQL row and storage blob. There is strictly zero data retention. I also added geofencing (locking decryption to a 50m radius of the sender) and support for media attachments. As a student, building this was a massive deep dive into cryptography and backend security. The entire project is open-source, and I would be incredibly grateful for your feedback, code reviews, or attempts to break the encryption pipeline!

ZeroKey

Open-source, burn-after-reading encrypted vault.

Open-source, burn-after-reading encrypted vault.