A secure, client-side web application for sharing confidential information using split QR codes. The application encrypts sensitive data and splits it across two QR codes, ensuring that both are required to access the information.

Live Demo →

This project was developed with the assistance of AI (Claude Code). While the code has been tested and follows security best practices, users should thoroughly review and audit the code themselves before using it for sensitive information. This is open-source software provided as-is, and you use it at your own risk.

Imagine you need to leave important passwords or confidential information with family members for emergencies—like bank account access if you're unavailable or incapacitated. Simply printing passwords on paper creates a significant security risk: anyone who finds it could access your accounts.

Secret Sharer solves this problem by splitting your information into three parts:

• Part 1: The encrypted data (QR code on first page)
• Part 2: The base encryption key (QR code on second page)
• Part 3: A security code (printed on both pages)

Store the two pages in different physical locations (e.g., one at home, one with family). To decrypt the information, you need both QR codes AND the security code. Without all three parts, the information is completely unusable and secure.

1. Encryption: Enter your confidential information on the website
2. Generation: The app generates a security code, encrypts and compresses the data, then creates two QR codes
3. Printing: Print both QR codes on separate pages with the security code and clear instructions
4. Storage: Store each page in a different physical location
5. Recovery: When needed, scan both QR codes and enter the security code to decrypt and view the information

• Client-side only: All encryption/decryption happens in your browser—no data is ever sent to a server
• Split architecture: One QR code contains the encrypted data, the other contains a base encryption key
• Security code: An 8-character code (with uppercase, lowercase, numbers, and symbols) is combined with the base key to derive the final encryption key
• Service Worker: Temporarily stores scanned data during the two-step scanning process
• Automatic cleanup: All stored data is cleared after successful decryption or errors

The website is completely static with no backend, making it transparent and trustworthy.

• AES-256-GCM encryption: Industry-standard symmetric encryption
• Three-layer security: Requires both QR codes AND the security code
• Key derivation: The security code is cryptographically combined with the base key using SHA-256
• Client-side processing: Your data never leaves your device
• Compression: Data is compressed before encryption to minimize QR code size
• Split storage: Each QR code alone reveals nothing without the other parts
• Automatic cleanup: Temporary data is cleared after use

• Encryption: AES-256-GCM with random IV (first 12 bytes)
• Key Derivation: SHA-256(base_key + security_code) to derive the final encryption key
• Security Code: 8 random characters (uppercase, lowercase, numbers, special characters)
• Compression: gzip compression before encryption
• Encoding: Base64 encoding for QR code compatibility
• QR Codes: One contains encrypted data, the other contains the base encryption key
• Printed Code: The security code is printed on both pages (not in QR codes)

• TypeScript: Type-safe application code
• HTML/CSS: Structure and styling
• Tailwind CSS: Modern, utility-first styling
• Vite: Fast build tool and dev server

• qrcode: QR code generation
• jsPDF: PDF generation for printable documents
• Web Crypto API: Browser-native encryption (AES-256-GCM)
• Compression Streams API: Browser-native gzip compression

• GitHub Pages: Free, reliable static hosting

• User-friendly interface for entering confidential information
• Automatic security code generation
• Real-time QR code generation
• Prominent display of the security code
• Downloadable PDF with both QR codes, security code, and instructions
• Print-optimized layouts

• Step-by-step visual progress indicator (3 steps)
• Mobile-friendly QR code scanning
• Security code input with validation
• Clear instructions for non-technical users
• Error handling with automatic state reset
• Copy-to-clipboard functionality

• Two-page document with clear separation
• Security code prominently displayed on both pages
• User instructions on each page (including security code entry)
• Space to note the location of the other document
• Professional, easy-to-follow layout
• Neutral language (doesn't assume scanner created the document)

• Node.js (v18 or higher recommended)
• npm or yarn

# Clone the repository
git clone https://github.com/robinweitzel/secret_sharer.git
cd secret_sharer

# Install dependencies
npm install

# Start development server
npm run dev

# Build for production
npm run build

# Preview production build
npm run preview

The development server will start at http://localhost:5173 (default Vite port).

secret_sharer/
├── src/
│   ├── pages/
│   │   ├── decrypt.ts       # Decryption page logic
│   │   └── encrypt.ts       # Encryption page logic
│   ├── crypto.ts            # Encryption/decryption utilities
│   ├── compression.ts       # Compression/decompression
│   ├── qrcode.ts           # QR code generation
│   ├── pdf.ts              # PDF generation
│   ├── utils.ts            # Utility functions
│   ├── serviceWorker.ts    # Service worker for data storage
│   └── style.css           # Global styles
├── index.html              # Landing page
├── encrypt.html            # Encryption interface
├── decrypt.html            # Decryption interface
└── public/                 # Static assets

npm run build

This compiles TypeScript and bundles the application into the dist/ directory.

1. Build the project: npm run build
2. Commit the dist/ directory
3. Configure GitHub Pages to serve from the dist/ folder (or use a GitHub Action)

Alternatively, use the gh-pages package:

npm install -D gh-pages
npx gh-pages -d dist

Requires a modern browser with support for:

• Web Crypto API (AES-GCM)
• Compression Streams API
• Service Workers
• ES6+ JavaScript

Tested on:

• Chrome/Edge 90+
• Firefox 90+
• Safari 15+
• Mobile browsers (iOS Safari, Chrome Android)

• No telemetry: The application doesn't collect any data
• No external requests: All processing happens locally
• Open source: The code is fully transparent and auditable
• No dependencies at runtime: All libraries are bundled at build time

• Print QR codes immediately after generation
• Store printed documents in secure, separate locations
• Delete digital copies of the encrypted data after printing
• Test the recovery process to ensure both QR codes work
• Keep printed documents in fire-proof/water-proof containers if possible

This project is open source and available under the MIT License.