RedPaste is an anonymous, end-to-end encrypted pastebin. Your paste is encrypted in the browser before it ever leaves — the server only ever stores ciphertext. No accounts, no logins, no trackers.
RedPaste ships as a single self-contained binary with the frontend embedded — one process, embedded SQLite by default, nothing else to run.
Use it to:
- Share code or text, always end-to-end encrypted, AES-256-GCM
- Set burn-after-read, view limits, expiry, and optional passphrases
- Collaborate in real time on an encrypted pasteboard (CRDT-based)
- Diff two texts or two existing pastes, computed entirely client-side
- Get syntax highlighting for 30+ languages with automatic detection
- Run the whole thing as one binary, or in Docker, with SQLite or Postgres
Docker, one command:
docker run -d -p 8080:8080 -v redpaste:/data ghcr.io/720pixel/redpasteOpen http://localhost:8080. The redpaste volume keeps your data (and an
auto-generated capability key) across restarts.
Prebuilt binary:
curl -fsSL https://raw.githubusercontent.com/720pixel/RedPaste/main/install.sh | sh
redpaste-serverA small production stack (RedPaste + Postgres). It won't start without a pepper:
export REDPASTE_SERVER_PEPPER=$(openssl rand -hex 32)
docker compose up -dPut a TLS reverse proxy in front for a real deployment — see deploy/nginx.
You'll need Go 1.25+ and Node 20+ (Node only builds the frontend; it isn't needed at runtime).
make build # builds the frontend and embeds it into the binary
./redpaste-serverOr run in dev mode with SQLite:
make devEverything is configured through REDPASTE_* environment variables — see
.env.example for the full list with comments. The
essentials:
| Variable | Purpose | Default |
|---|---|---|
REDPASTE_BASE_URL |
Canonical public origin | http://localhost:8080 |
REDPASTE_LISTEN_ADDR |
Listen address | :8080 |
REDPASTE_DATABASE_URL |
Postgres DSN (empty = embedded SQLite) | (empty) |
REDPASTE_SERVER_PEPPER |
HMAC pepper for capability hashing (≥32 bytes in prod) | (dev ephemeral) |
Generate a pepper with openssl rand -hex 32.
Your browser encrypts before upload. The server stores encrypted data and never receives the decryption secret in your share link. Anyone with the complete link can read or edit the paste according to its access type. RedPaste cannot recover lost keys or passphrases, prevent screenshots, or delete copies a recipient already saved.
See docs/threat-model.md for the full threat model,
docs/security/ddos.md for the abuse/DDoS posture,
and SECURITY.md to report a vulnerability.
cmd/redpaste-server the server binary
internal/ backend packages (config, store, crypto, http, live, …)
web/ React + Vite frontend (built into the binary)
migrations/ reserved for versioned migrations; schema is currently
inline in internal/sqlite and internal/postgres
deploy/ nginx, systemd, docker, compose
docs/ ADRs, threat model, security notes
git clone https://github.com/720pixel/RedPaste.git
cd RedPaste
make build
./redpaste-servermake test runs the Go test suite; cd web && npm test runs the frontend
suite.
MIT.