Nurbak Security
We don't trust our servers with your data. And neither should you. Here is how we prove it.
Our security model is based on a simple premise: what we can't read, we can't leak. The encryption key never leaves your device.
Your browser encrypts data using AES-256-GCM with a unique key generated client-side.
Only the encrypted blob is sent to our servers. The key remains in the URL fragment (#).
The recipient's browser uses the key from the URL to decrypt the data locally.
We use the Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode for authenticated encryption.
Keys derived from passphrases use PBKDF2 with high iteration counts to prevent brute-force attacks.
All random values (IVs, salts, keys) are generated using the browser's Cryptographically Secure Pseudo-Random Number Generator.
We designed the system so you don't have to trust us.
The decryption key is part of the URL fragment (after the #). Browsers NEVER send this fragment to the server. We physically cannot read your secrets.
If our database were ever hacked, attackers would only see encrypted garbage. Without the links you share, the data is mathematically impossible to decrypt.
We don't log IPs, access times, or User Agents. When you delete a secret, it is overwritten and gone forever.
All data is transmitted over HTTPS using TLS 1.3. We enforce HSTS to prevent protocol downgrade attacks.
Encrypted data is securely stored in our database. When a secret expires or is read, it is permanently deleted.
We do not use Facebook Pixels or any other invasive trackers. Your activity on Nurbak remains private.
Everything you need to share passwords, API keys, and secrets securely. The modern, privacy-focused alternative for professionals.