ppush

About

ppush is a secure secret-sharing service operated by c4t.lol. It replaces sending passwords over email or messaging apps with encrypted, limited-use, self-destructing links. It is delivered via Cloudflare, with data hosted in France.

Zero-knowledge: the server cannot read your secrets

When you create a push, your browser generates a random encryption key and encrypts the secret locally (AES-256-GCM). Only the encrypted version is sent to the server. The key lives in the part of the link after the # — a part that browsers never send to the server.

Concretely: even full access to the server or its database cannot reveal a single secret. Only people holding the complete link can decrypt — that is mathematics, not a promise.

Every secret expires automatically after a number of views or a delay you choose. On expiry, the encrypted content is permanently erased from the server.

Frequently asked questions

How do I share a password properly?

Create the push, copy the link, send it to the recipient. For a sensitive secret: limit it to 1 view, add a passphrase and share it over a different channel (phone, in person). That way, even if the link is intercepted, the secret stays protected.

I lost the link, can you recover it?

No — by design. The decryption key only exists in the link: neither the server nor the administrators know it. Simply create a new push.

The recipient saw “this secret has expired”, why?

The push reached its view limit or its expiry date, or it was destroyed (by you or by the recipient). Check the audit log in your history: every view is traced with date and IP address. If a view was consumed by a stranger, the link leaked in transit — create a new push with a passphrase.

What kinds of content can I push?

Passwords, free text (configurations, SSH keys, notes), files (up to 10 MB without an account, 90 MB with one — encrypted in your browser before upload) and secret URLs (the recipient is redirected after decryption).

How much space for files?

The service's file space is shared fairly (fair use): the upload area always shows the space actually available, and each account gets 3 GB of simultaneous active files. Space frees up automatically as files expire — if the service is full, the error message tells you how much space will be freed and when (at the latest), so you can retry at the right time. You can also expire your own file pushes from your history to reclaim quota immediately.

Do I need an account to share a secret?

No: sharing is open to everyone, no sign-up required. Without an account, links are limited to 7 days and 5 views, files to 10 MB, and you have no history. A free account unlocks the history of your links, view tracking (who opened the secret, when), files up to 90 MB and longer retention (30 days / 50 views).

Who can create an account?

Anyone: registration is open and free — an email address and a password (12 characters min.) are all you need, and two-factor authentication is available. Viewing a received secret requires no account at all.

What if I lose my 2FA app?

Contact [email protected]: an administrator can reset your two-factor authentication after verification.

Can the service stop, or a link disappear?

Yes — and it's worth knowing. ppush is a personal, self-funded project, provided “as is”, with no guarantee of availability or continuity. The service may be interrupted, slowed down or permanently shut down at any time; a link or a secret may disappear following a bug, maintenance, an anti-abuse purge or a deliberate deletion. It runs as long as I can maintain it, technically and financially.

So never use ppush as a storage or backup means: always keep a copy of your important information elsewhere. The publisher cannot be held liable for any data loss or unavailability.

Technical details

  • Encryption: AES-256-GCM via WebCrypto, key generated client-side, never transmitted (URL fragment). Files encrypted in 8 MiB chunks with reordering protection.
  • Accounts: passwords hashed with Argon2id, TOTP two-factor authentication, opaque sessions hashed in the database.
  • Hosting: data hosted in France on self-managed, isolated infrastructure. Delivery and network protection (anti-DDoS) go through Cloudflare, which never sees the content of your secrets — end-to-end encrypted, key never transmitted. Cloudflare is only an encrypted network relay: your data stays in France.
  • Per-push audit log: creations, views, wrong passphrase attempts, expirations.
  • File storage: dedicated volume, fair-use transparency through the public /api/storage API (available space + upcoming releases), quota of 3 GB of active files per account.
  • REST API with personal tokens — see the API documentation.
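
The encryption bullet above mentions 8 MiB chunks with reordering protection but does not say how that protection is built. As an added example (not ppush's own code), here is one common construction in WebCrypto: each chunk's index is passed as AES-GCM additional data, so a chunk moved to another position fails authentication on decrypt. The function names and the 4-byte index layout are assumptions.

```javascript
// The require() fallback only runs on Node versions without a global WebCrypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const CHUNK_SIZE = 8 * 1024 * 1024; // 8 MiB, the chunk size the page states

// Additional data for chunk i: its index as a 4-byte big-endian integer
// (assumed layout, not taken from ppush).
function chunkAad(index) {
  const aad = new Uint8Array(4);
  new DataView(aad.buffer).setUint32(0, index);
  return aad;
}

const newKey = () =>
  wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);

// Encrypts a Uint8Array chunk by chunk and returns [{ iv, ct }, ...].
async function encryptChunks(key, data, chunkSize = CHUNK_SIZE) {
  const out = [];
  for (let off = 0, i = 0; off < data.length; off += chunkSize, i++) {
    const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per chunk
    const ct = await wc.subtle.encrypt(
      { name: "AES-GCM", iv, additionalData: chunkAad(i) },
      key, data.subarray(off, off + chunkSize));
    out.push({ iv, ct: new Uint8Array(ct) });
  }
  return out;
}

// Decrypts chunks in the order received. A chunk sitting at the wrong position
// fails its GCM tag check, so the returned promise rejects.
async function decryptChunks(key, chunks) {
  const parts = [];
  for (let i = 0; i < chunks.length; i++) {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: chunks[i].iv, additionalData: chunkAad(i) },
      key, chunks[i].ct);
    parts.push(new Uint8Array(pt));
  }
  const plain = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let pos = 0;
  for (const p of parts) { plain.set(p, pos); pos += p.length; }
  return plain;
}

// Constructed demo: resolves to true when swapped chunks are rejected.
async function reorderIsDetected() {
  const key = await newKey();
  const chunks = await encryptChunks(key, new TextEncoder().encode("constructed sample file contents"), 8);
  [chunks[0], chunks[1]] = [chunks[1], chunks[0]]; // simulate storage returning chunks out of order
  return decryptChunks(key, chunks).then(() => false, () => true);
}
```

Binding only the index detects reordering; detecting a dropped final chunk needs an extra signal such as a last-chunk flag or the total count in the additional data.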
