Encrypted Pastebin on Tor: Self-Hosted PrivateBin and ZeroBin on .onion

Pastebins are among the most widely used tools on the dark web for sharing text content - code snippets, configuration files, intelligence reports, and sensitive documents. Traditional pastebin services (Pastebin.com, GitHub Gist) store content in plaintext on their servers and comply with takedown requests and government data requests. A self-hosted encrypted pastebin on a Tor hidden service stores only ciphertext: content is encrypted in the browser before being sent to the server using a key that is part of the URL fragment (never transmitted to the server). The server operator cannot read paste content. This zero-knowledge architecture makes PrivateBin and ZeroBin the preferred tools for sensitive text sharing in the dark web context.


How Zero-Knowledge Pastebins Work

PrivateBin (and its predecessor ZeroBin) implement zero-knowledge encryption using a key that is stored in the URL fragment. When you create a paste:

(1) The browser generates a random encryption key.
(2) Content is encrypted with AES-256-GCM using this key.
(3) The encrypted ciphertext is sent to the server.
(4) The server stores only the ciphertext - it never sees the key or plaintext.
(5) The paste URL is: https://yourpastebin.onion/?pasteid#encryptionkey.

The URL fragment (after the #) is never sent to the server by browsers. The server cannot decrypt the paste even under compulsion - it genuinely does not have the key. Anyone with the full URL (including the # fragment) can decrypt and read the paste in their browser. This is fundamentally different from pastebin.com, which stores plaintext and can read everything.

PrivateBin Installation on .onion

PrivateBin requires PHP 8.1+ and a web server. Install on Debian:

    apt install nginx php8.1-fpm php8.1-gd

Download PrivateBin from privatebin.info, extract it to /var/www/privatebin, and set ownership:

    chown -R www-data:www-data /var/www/privatebin

Configure Nginx:

    server {
        # Bind to loopback only; Tor forwards onion traffic to this port.
        listen 127.0.0.1:80;
        root /var/www/privatebin;
        index index.php;

        location / {
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
            include fastcgi_params;
            # fastcgi_params does not set SCRIPT_FILENAME, which PHP-FPM needs to locate the script.
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

Configure PrivateBin: copy conf.sample.php to conf.php. Key settings: traffic limit (prevent abuse), storage type (filesystem vs database), expiry options, and branding. Expose the site through Tor by adding this line to torrc:

    HiddenServicePort 80 127.0.0.1:80

Test by creating a paste and verifying that the URL contains the # fragment with the decryption key.

Configuration for Maximum Privacy

Configure PrivateBin for maximum .onion privacy:

(1) Disable IP logging: in the Nginx config, set access_log off.
(2) Enable short expiration defaults: set the conf.php 'expire' default to '5min' or '1hour' - this encourages minimal data retention by default. Allow 'never' expiration for users who explicitly want permanent pastes.
(3) Disable discussion comments: prevents secondary metadata collection about who reads pastes.
(4) Set sizelimit conservatively: 2-10 MB maximum paste size to prevent storage abuse.
(5) Enable the password protection option: PrivateBin supports adding a password to pastes so the URL alone is insufficient to decrypt - decryption requires both the URL fragment key and the password. This adds a second factor for particularly sensitive pastes.
(6) Random alias in URL: PrivateBin generates random paste IDs - no sequential enumeration risk.
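The create-and-read flow from "How Zero-Knowledge Pastebins Work", combined with the password option in item (5) above, as an added Node.js sketch (not PrivateBin's own code). The PBKDF2 parameters, record field names and client-side paste ID are assumptions made for illustration; yourpastebin.onion is the article's placeholder host.

```javascript
// Added example (not PrivateBin's code): fragment-keyed AES-256-GCM paste.
const crypto = require('node:crypto');

// Derive the AES key from the URL-fragment key plus an optional password.
// PBKDF2 parameters are assumptions chosen for illustration.
function deriveKey(fragmentKey, password, salt) {
  const secret = Buffer.concat([fragmentKey, Buffer.from(password, 'utf8')]);
  return crypto.pbkdf2Sync(secret, salt, 100000, 32, 'sha256');
}

// Author side: encrypt, then split the result into what the server stores
// and the link the author shares.
function createPaste(plaintext, password = '') {
  const fragmentKey = crypto.randomBytes(32); // never leaves the client
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);          // 96-bit GCM nonce
  const key = deriveKey(fragmentKey, password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const serverRecord = {
    id: crypto.randomBytes(8).toString('hex'), // constructed random ID
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
  const url = `https://yourpastebin.onion/?${serverRecord.id}#${fragmentKey.toString('base64url')}`;
  return { serverRecord, url };
}

// What an HTTP client puts on the wire: path and query, never the fragment.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Reader side: needs the stored record, the fragment, and the password if set.
function readPaste(serverRecord, url, password = '') {
  const fragmentKey = Buffer.from(new URL(url).hash.slice(1), 'base64url');
  const b64 = (field) => Buffer.from(serverRecord[field], 'base64');
  const key = deriveKey(fragmentKey, password, b64('salt'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b64('iv'));
  decipher.setAuthTag(b64('tag'));
  // final() throws when the key, password or ciphertext is wrong (GCM tag check).
  return Buffer.concat([decipher.update(b64('ct')), decipher.final()]).toString('utf8');
}
```

Everything in `serverRecord` can sit on disk or in a database dump without exposing the paste; a reader who lacks either the fragment or the password gets an authentication error rather than garbled text.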

Use Cases for .onion Encrypted Pastebins

Encrypted .onion pastebins serve several specific use cases better than alternatives.

Temporary credential sharing: share database passwords, API keys, or SSH credentials with a team member securely. Set expiration to 1 hour, after which the paste self-destructs.

Code review for sensitive code: share code containing security-sensitive logic or proprietary algorithms without it being stored in a clearnet service's database.

Incident response documentation: during a security incident, document findings in an encrypted paste shared only with the response team. After incident resolution, let the paste expire.

Whistleblower preliminary documents: a journalist can share a preliminary document analysis with a source via an encrypted paste URL sent through Signal, enabling the source to verify the journalist received their documents correctly without the content passing through any identifiable service.

Abuse Prevention and Rate Limiting

A public .onion encrypted pastebin faces abuse: spam pastes, very large pastes consuming storage, and potentially illegal content attempts. Since the server cannot read paste content (zero-knowledge), content-based filtering is impossible. Abuse prevention options:

(1) Rate limiting per session: limit paste creation to N pastes per time window using Redis session tracking.
(2) Maximum paste size: configure sizelimit in conf.php to prevent large file storage.
(3) Captcha: PrivateBin supports Google reCAPTCHA and hCaptcha, but these require clearnet service calls from Tor users - avoid or use a local challenge.
(4) Deletion mechanism: allow paste creators (who have the admin key) to delete their own pastes. Provide a reporting mechanism for illegal content that queues for manual review (the reviewer sees only that a paste with a specific ID was reported, not its content).
(5) Short default expiry: configuring a 1-hour or 1-day default expiry limits long-term storage of any uploaded content, including potential illegal material.
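Options (1) and (2) above as one admission check, written as an added example rather than anything shipped with PrivateBin. It keys on a session token because every request to an onion service arrives from the local Tor daemon, so the client IP carries no signal; the limits, the `PasteGate` name and the in-memory Map standing in for Redis are assumptions.

```javascript
// Added example: metadata-only admission control for a zero-knowledge pastebin.
// Limits are illustrative assumptions; the Map stands in for a Redis store.
const LIMITS = { maxPastes: 5, windowMs: 10 * 60 * 1000, maxBytes: 2 * 1024 * 1024 };

class PasteGate {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.log = new Map(); // session token -> timestamps of accepted pastes
  }

  // Decide from session and size alone; the ciphertext body is never inspected.
  admit(sessionToken, bodyBytes, now = Date.now()) {
    const { maxPastes, windowMs, maxBytes } = this.limits;
    if (bodyBytes > maxBytes) return { ok: false, reason: 'too_large' };

    // Sliding window: keep only accepted pastes still inside the window.
    const recent = (this.log.get(sessionToken) || []).filter((t) => now - t < windowMs);
    if (recent.length >= maxPastes) {
      this.log.set(sessionToken, recent);
      // The oldest accepted paste is the first to leave the window.
      return { ok: false, reason: 'rate_limited', retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    this.log.set(sessionToken, recent);
    return { ok: true };
  }

  // Drop sessions with no activity inside the window so the map stays bounded.
  sweep(now = Date.now()) {
    for (const [token, stamps] of this.log) {
      if (stamps.every((t) => now - t >= this.limits.windowMs)) this.log.delete(token);
    }
    return this.log.size;
  }
}
```

A client can discard its session token and start over, so this slows casual spam rather than stopping a determined sender; the size cap and short default expiry still bound what any one paste costs in storage.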
