by eridius 4139 days ago
Regarding the access logs angle, the image shown on the front page shows a URL that starts with "https://sharelock.io/1/cuwcRv64IR5ivYP...". Presumably that garbage text is the start of the secret.

It would probably be a really good idea to move the secret into the fragment of the URL instead. Fragments aren't sent to servers, so they can't possibly show up in access logs. But the client can still access the fragment, and since the decryption presumably happens client-side, there's no reason for the server to ever even see the secret.
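The fragment behaviour described in the comment above, as an added example that is not part of the original thread and not Sharelock's code: it compares what a server's access log records when a secret sits in the URL path versus in the fragment. The host `share.example`, the token, the log entry and all function names are constructed for illustration.

```javascript
// Constructed values: host, paths and token are placeholders, not Sharelock's real layout.
const TOKEN = "c0nstructed-secret-token";
const PATH_STYLE = `https://share.example/1/${TOKEN}`;      // secret in the path
const FRAGMENT_STYLE = `https://share.example/1/#${TOKEN}`; // secret in the fragment

// The request target a browser sends is path + query; the fragment never leaves the client.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// A constructed access-log entry (common log format) for a GET of that URL.
function accessLogLine(href) {
  return `203.0.113.7 - - [01/Jan/2015:00:00:00 +0000] "GET ${requestTarget(href)} HTTP/1.1" 200 512`;
}

// Client side: script on the page can still read the fragment (location.hash in a browser).
function secretFromFragment(href) {
  return new URL(href).hash.slice(1);
}

// Log-review check: does the secret appear in what the server recorded?
function leaksSecret(href, secret) {
  return accessLogLine(href).includes(secret);
}

console.log(accessLogLine(PATH_STYLE));     // request target contains the token
console.log(accessLogLine(FRAGMENT_STYLE)); // request target is just /1/
```

This only keeps the secret away from the server if decryption also happens in the browser, which is the assumption the comment makes.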


The decryption happens server-side - the server is the sole holder of encryption keys. Besides, it is the server that generated that ciphertext in the first place, so it already had access to the secret at that point.

Oh geez, I didn't realize the server also did the encryption/decryption. The bit about the secret only being in the URL and not on the server made me think it was done client-side.

If it's happening server-side then it seems like this is only appropriate to use when you're hosting your own instance. Using anybody else's instance (for anything that actually needs to be encrypted) means handing your plaintext to the server operator.