Install
# Execute to install via shell
curl -sL getdrop.dev/install.sh | bash Quick Start
drop "secret"cat .env | dropDocumentation
Architecture
Drop encrypts locally before anything leaves your machine. A unique AES-256-GCM key is generated per secret.
Security Model
Drop tokens carry the decryption key — these are never sent to the server, giving us zero knowledge of your content.
command_reference.sh
Create
Encrypt and upload. Returns a retrieval token.
drop [data]Retrieve
Fetch and decrypt using a token.
drop get [token]Purge
Immediate server-side destruction without reading.
drop purge [token]Expiry & Reads
Set custom expiry in minutes or a maximum read count.
--ttl 60 --reads 5Copy
Automatically copy the drop token to the clipboard after upload.
--copySign
Sign a drop against a GitHub or GitLab SSH key pair.
--signFAQ
Is Drop Zero-Knowledge?
Keys are generated locally and never sent to our servers. We store only the AES-256-GCM encrypted blob — unreadable without your token.
What is Burn-on-Read?
Secrets self-destruct after being viewed. You can set a custom read limit or TTL — once reached, the data is permanently destroyed.
Can I self-host?
Yes. Both the API and CLI are fully open-source. Audit, fork, or run your own instance for complete infrastructure control.
What are the limits?
Each Drop is capped at 1MB— enough for credentials, config snippets, private keys, and small documents.
How does drop --sign work?
The --sign flag cryptographically signs your drop using an SSH key pair linked to your GitHub or GitLab account. When a recipient retrieves the payload, drop automatically verifies the signature against your public key to confirm authenticity. Because the signature is attached directly to the encrypted payload, it remains secure and never exposes the underlying content.