Free markdown pastebin adds end-to-end encryption for API keys, config files

MdBin now encrypts pastes client-side using AES-256-GCM before upload, ensuring operators can't read sensitive content like API keys or private configs. The implementation uses Web Crypto API with PBKDF2 key derivation—310,000 iterations per OWASP 2023 standards.

MdBin, a free markdown pastebin service, shipped end-to-end encryption this week. The feature addresses a longstanding problem: traditional pastebins—including Pastebin, GitHub Gists, and MdBin itself until now—store content in plaintext. Operators can read everything. So can anyone who compromises their database.

The new implementation encrypts pastes in the browser before they leave the user's device. The server stores encrypted blobs it can't decrypt. Recipients decrypt locally using the same password. Worth noting: the service doesn't store passwords and uses industry-standard crypto—AES-256-GCM for encryption, PBKDF2 with 310,000 iterations for key derivation. That iteration count matches OWASP 2023 recommendations and makes brute-force attacks computationally expensive.

The technical choices are sound. MdBin uses the Web Crypto API rather than rolling custom crypto (good). Each paste gets a random salt and initialization vector, meaning identical content with the same password produces different ciphertext (also good). GCM mode provides authenticated encryption—wrong passwords fail cleanly rather than producing garbage output.

The UX is straightforward: a normal/encrypted toggle on the paste form, plus a real-time password strength meter. No buried settings, no friction that kills adoption.

This matters for a specific use case: developers sharing sensitive snippets with teammates. API keys in Slack, config files in tickets, credentials in documentation. The current options are awkward—encrypt manually first, use Signal for everything, or accept the risk. A pastebin that handles encryption automatically while staying fast and free fills a gap.

MdBin runs on Next.js 15, PostgreSQL, and Vercel/Railway. The service is free, handles up to 100KB per paste, and renders GitHub-flavored markdown. Competitors exist—kevinfiol maintains a self-hostable fork with 9 GitHub stars, pastemd offers editable pastes on Firebase—but the encryption feature is new.

The real test: whether teams actually use it when the alternative is pasting API keys into Slack. We'll see.