Sharing Secrets
CloudKeep provides multiple ways to share secrets securely — whether you need to send a production API key to a teammate or share a Wi-Fi password with a guest. Every sharing method preserves end-to-end encryption and gives you full control over who can access the data and for how long.
Secure Sharing Links
The fastest way to share a secret with someone — even if they do not have a CloudKeep account — is to create a sharing link.
- Open the secret you want to share.
- Click Share in the toolbar.
- Configure the link settings (see below).
- Click Create Link.
- Copy the generated URL and send it to the recipient through your preferred channel (Slack, email, etc.).
When the recipient opens the link, the secret is decrypted in their browser using a key fragment embedded in the URL hash (which is never sent to the server). The server only stores the encrypted payload.
Setting Expiration and Access Limits
Every sharing link supports the following constraints:
| Setting | Options | Default |
|---|---|---|
| Expiration | 1 hour, 24 hours, 7 days, 30 days, custom | 24 hours |
| Max views | 1, 5, 10, 25, unlimited | 1 (burn-after-reading) |
| Password protection | Optional passphrase | None |
Once either the expiration time or the view limit is reached, the encrypted payload is permanently deleted from the server.
Password-Protected Shares
For an extra layer of security, you can require the recipient to enter a passphrase before the secret is revealed. The passphrase is used to derive an additional decryption key on the recipient's device — it is never sent to the server. This means even if the sharing link is intercepted, the attacker also needs the passphrase.
URL key fragment + passphrase → derived key → decrypt secret
Send the passphrase through a different channel than the link itself (e.g., link via Slack, passphrase via SMS) for maximum security.
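The flow described under Secure Sharing Links and Password-Protected Shares, as an added example that is not CloudKeep's own code. The page names no algorithms, so AES-256-GCM, scrypt, the stored-record layout and the host share.example are assumptions.

```javascript
// Added illustration, not CloudKeep's code. AES-256-GCM, scrypt, the record
// layout and the host share.example are assumptions made for this sketch.
const nodeCrypto = require('node:crypto');

// URL key fragment + passphrase -> derived key (empty passphrase if none is set).
function deriveKey(fragmentKey, passphrase, salt) {
  const input = Buffer.concat([fragmentKey, Buffer.from(passphrase || '', 'utf8')]);
  return nodeCrypto.scryptSync(input, salt, 32);
}

// Sender side: encrypt locally, return the link and the record the server stores.
function createShare(secret, passphrase) {
  const fragmentKey = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(fragmentKey, passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const id = nodeCrypto.randomBytes(8).toString('hex');
  return {
    link: `https://share.example/s/${id}#${fragmentKey.toString('base64url')}`,
    serverRecord: { id, salt, iv, tag: cipher.getAuthTag(), ciphertext },
  };
}

// What the browser puts in the HTTP request: path and query, never the hash.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Recipient side: rebuild the key from the hash (and passphrase), then decrypt.
// Throws if the fragment or passphrase is wrong, because the GCM tag check fails.
function openShare(link, serverRecord, passphrase) {
  const fragmentKey = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const key = deriveKey(fragmentKey, passphrase, serverRecord.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, serverRecord.iv);
  decipher.setAuthTag(serverRecord.tag);
  return Buffer.concat([decipher.update(serverRecord.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample secret and passphrase.
const demo = createShare('constructed-api-key-123', 'correct horse');
console.log('server receives:', requestTarget(demo.link));
console.log('recipient reads:', openShare(demo.link, demo.serverRecord, 'correct horse'));
```

The server-side record holds only the salt, IV, authentication tag and ciphertext, so neither the stored payload nor the request path is enough to decrypt without the fragment and the passphrase.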
Revoking Shared Links
You can revoke any active sharing link at any time:
- Open the secret and click the Share icon.
- You will see a list of all active links for that secret.
- Click Revoke next to the link you want to disable.
Revoking a link deletes the encrypted payload from the server immediately. Anyone who visits the URL after revocation will see an error message.
Access Requests
When a team member needs access to a secret in a vault they do not belong to, they can submit an access request:
- The requester searches for the secret and clicks Request Access.
- Vault owners and admins receive a notification with the request details.
- An approver can grant temporary (time-limited) or permanent access directly from the notification.
Access requests are logged in the vault audit trail for compliance purposes.
Emergency Access
Emergency access allows a trusted contact to access your vaults if you become unavailable (e.g., medical emergency, leaving a company abruptly). Here is how it works:
- Go to Settings → Emergency Access and add a trusted contact by email.
- Set a waiting period (e.g., 3 days, 7 days, 14 days).
- If your trusted contact initiates an emergency access request, you will be notified and have the duration of the waiting period to deny the request.
- If you do not deny the request within the waiting period, the trusted contact is granted read-only access to your designated vaults.
You can revoke a trusted contact or change the waiting period at any time from your settings.