🔐 How PasteDB End-to-End Encryption Works

PasteDB performs encryption and decryption entirely in your browser. The server stores encrypted data but never decrypts your paste.

1. Account Setup

Browser
 ├─ Generate RSA Key Pair
 ├─ Generate KEK
 ├─ Encrypt KEK
 ├─ Upload Public Key + Encrypted KEK
 └─ Store accountKEK in IndexedDB

2. Creating an Encrypted Paste

Generate PEK
      │
Encrypt Title / Content / Images
      │
Encrypt PEK using KEK
      │
Upload Everything

3. Why Metadata Isn't Encrypted

Only the title, content and images array are encrypted. Metadata remains readable because the server needs it to provide core functionality such as syntax highlighting, visibility rules, timestamps, ownership, expiration, searching and other application features.

4. Retrieving an Encrypted Paste

Download Encrypted Paste
          │
Load accountKEK
          │
Decrypt PEK
          │
Decrypt Title / Content / Images
          │
Display Paste

5. Sharing Unlisted Encrypted Pastes

For unlisted encrypted pastes, the PEK is appended to the URL fragment (#...). URL fragments are processed by the browser and are not sent to the server during HTTP requests.

https://pastedb.netlify.app/paste/abc123#PEK

What the Server Can See

What the Server Cannot See

Summary

Your browser performs all encryption and decryption. PasteDB stores encrypted data and the metadata required for application features, but never has access to your plaintext title, content or images.

🔐 Create an Encrypted Paste