zKettle - Zero-Knowledge Secret Sharing

        ) )
       ( (
     _  ~)~   _   _   _
 ___| |/ /___| |_| |_| | ___
|_  / ' // _ \ __| __| |/ _ \
 / /| . \  __/ |_| |_| |  __/
/___|_|\_\___|\__|\__|_|\___|

encrypted. ephemeral. evaporated.

Zero-knowledge encrypted secrets that boil away.

Self-Host for Free View on GitHub

how it works

Encrypt

AES-256-GCM encryption happens locally. The server never sees your plaintext or key.

Get a one-time URL. The decryption key lives in the fragment—never sent to the server.

Evaporate

Secret auto-deletes after the configured view limit or time-to-live expires.

why zkettle

> zero-knowledge encryption

AES-256-GCM encryption with the key in the URL fragment. The server stores only ciphertext—it never sees the plaintext or the decryption key.

> configurable burn

Set view limits (1–100) and time-to-live (1 min–30 days). Secrets auto-delete when either threshold is reached.

> AI-native

MCP server, CLI, REST API, and web UI. Ships with a SKILL.md so agents can self-onboard and manage secrets programmatically.

> runs anywhere

Single Go binary, embedded SQLite, no external dependencies. Your laptop, a server, Docker, or behind a reverse proxy.

quick start

terminal

# Install
go install github.com/benderterminal/zkettle@latest

# Start the server
zkettle serve --tunnel

# Create a secret
echo "my secret" | zkettle create --views 1 --minutes 60
→ https://your-tunnel.trycloudflare.com/s/abc123#key

# Read it back
zkettle read "https://your-tunnel.trycloudflare.com/s/abc123#key"
→ my secret