
Nextcloud Secrets: An ethical and lightweight alternative for secure secret sharing

TL;DR

  • Nextcloud Secrets enables the temporary sharing of secrets, encrypted on the client side, with auto‑destruction after reading.
  • Designed for self‑hosting and simplicity, it integrates natively into the Nextcloud ecosystem and stands out thanks to its ‘burn after reading’ approach.
  • Unlike heavier commercial solutions such as HashiCorp Vault or Bitwarden Secrets Manager, it focuses on lightness, sovereignty and friendliness.
  • Other open‑source alternatives like Infisical, Vaultwarden or Passbolt meet more advanced use cases, but require more infrastructure.

1. 🔍 What is Nextcloud Secrets?

Nextcloud Secrets is a Nextcloud app dedicated to secure, one‑off, encrypted sharing of textual secrets (passwords, API keys, confidential messages, etc.). The user writes their message, obtains a unique link containing the decryption key and can send this link to a recipient. Once read, the secret is automatically destroyed.

  • End‑to‑end encryption is performed client side in the browser with JavaScript.
  • Neither the server administrator nor third parties can read the message.
  • It operates similarly to PrivateBin but is directly integrated into the Nextcloud interface.
  • Compatibility: Nextcloud 26 to 31, with regular updates.
  • An API and CLI have been available since version 2.0 for power users or automated integrations.

👉 It’s an ideal tool for organisations already using Nextcloud and wanting to avoid third‑party or centralised platforms for transmitting sensitive information.
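The flow described above (encrypt in the browser, put the key in the link, destroy on first read), as an added sketch that is not Nextcloud Secrets' own code. AES-GCM, carrying the key in the URL fragment, the `makeServer` in-memory store and the `cloud.example` URL are all assumptions made for illustration.

```javascript
// Added sketch, not Nextcloud Secrets' code. Assumed: AES-GCM, key in the
// URL fragment (never sent to the server), an in-memory stand-in server.
const toB64u = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const getCrypto = async () => // browser WebCrypto, or Node's equivalent
  globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;

// Hypothetical server: holds only { iv, ct } and deletes a record on first read.
function makeServer() {
  const store = new Map();
  let n = 0; // constructed ids; a real service would use unguessable ones
  return {
    store,
    put(record) { const id = `s${++n}`; store.set(id, record); return id; },
    take(id) { const r = store.get(id); store.delete(id); return r; },
  };
}

// Sender side: the key is generated and used locally, then appended after '#'.
async function createSecretLink(server, baseUrl, plaintext) {
  const wc = await getCrypto();
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  const id = server.put({ iv: toB64u(iv), ct: toB64u(ct) });
  return `${baseUrl}/${id}#${toB64u(await wc.subtle.exportKey('raw', key))}`;
}

// Recipient side: fetch-and-burn the ciphertext, then decrypt with the fragment.
async function readSecretLink(server, link) {
  const wc = await getCrypto();
  const url = new URL(link);
  const record = server.take(url.pathname.split('/').pop());
  if (!record) return null; // already read (burned) or never existed
  const key = await wc.subtle.importKey(
    'raw', fromB64u(url.hash.slice(1)), 'AES-GCM', false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64u(record.iv) }, key, fromB64u(record.ct));
  return new TextDecoder().decode(pt);
}
```

In this model the link is the only credential: whoever opens it first gets the secret, and a second read returning nothing tells the intended recipient that someone else already did.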

2. Comparison with commercial solutions

🔒 HashiCorp Vault – For DevOps giants

HashiCorp Vault is a benchmark in enterprise DevSecOps environments, allowing management of dynamic secrets, access tokens, certificates and more. But its learning curve is steep, its deployment requires advanced technical skills and its licence change in 2023 (to BSL) has raised concerns in the open‑source community.

✅ Strengths:

  • Automatic secret rotation
  • Deep integration with Kubernetes, AWS, etc.
  • Audit and fine‑grained access management

❌ Less suitable for small teams or occasional use

❌ Heavy infrastructure and potentially high costs

Bitwarden Secrets Manager – The in‑between solution

Bitwarden offers a secrets manager aimed at small teams or developers, with a familiar interface. However, its freemium model limits features in the free version and its use is more oriented towards secure centralisation than temporary sharing.

✅ Simple interface

✅ Integration with existing Bitwarden accounts

❌ Advanced features are paid

❌ Not designed for auto‑destruction or anonymous encryption

3. Open‑source alternatives to suit your needs

✹ Infisical – Modern and Dev‑friendly

Infisical is gaining ground as a modern alternative to Vault, with a polished UX and developer‑centric approach.

  • MIT licence, simple deployment
  • Support for Kubernetes, CI/CD, PKI
  • Complete REST API

👉 Infisical targets technical teams looking for a sovereign, complete, self‑hostable solution.

🛡 Vaultwarden – Efficient minimalism

A lightweight version of Bitwarden written in Rust, Vaultwarden is a favourite of the self‑hosting community.

  • Compatible with official Bitwarden clients
  • Very low resource consumption
  • Deployment in just a few minutes

👉 Perfect for individuals or small teams managing passwords, but not geared towards temporary secret sharing.

Passbolt – Collaboration and security

Designed for teams, Passbolt excels at secure sharing of passwords and secrets, with a group‑ and permission‑oriented approach.

  • Two‑factor authentication
  • SSO and Active Directory integration
  • Smooth interface and CLI access

👉 Passbolt meets structural and collaborative needs rather than one‑off exchanges.

4. Nextcloud Secrets’ sovereign niche

What distinguishes Nextcloud Secrets isn’t the richness of its features but the clarity of its purpose. The application focuses on a clear, controlled use case: sending a sensitive piece of information on a one‑off basis without leaving a trace.

Key advantages:

  • No account required to read a secret
  • Auto‑destruction of data after reading
  • Zero third‑party dependency – everything is hosted locally
  • Minimalist interface familiar to Nextcloud users

It’s therefore a tool of everyday “cyber‑hygiene,” at the crossroads of common sense and sovereignty.

🩊 Blue Fox’s take

At Blue Fox, we believe that simplicity can also mean security.

Nextcloud Secrets isn’t intended to replace an infrastructure secrets manager—but to complement your toolkit, especially if you already use Nextcloud in your organisation.

It’s a fine illustration of what cybersecurity can be: ethical, lightweight, useful.

And above all: you remain master of your data.

🔗 Sources

  • GitHub – Nextcloud Secrets (theCalcaholic) https://github.com/theCalcaholic/nextcloud-secrets
  • Nextcloud App Store – Secrets https://apps.nextcloud.com/apps/secrets
  • PrivateBin – Minimalist, open‑source pastebin https://privatebin.info/
  • HashiCorp Vault documentation https://www.vaultproject.io/
  • Business Source License (BSL) and open source impact https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
  • Infisical – Secrets management on autopilot https://infisical.com/
  • Vaultwarden GitHub https://github.com/dani-garcia/vaultwarden
  • Bitwarden Secrets Manager https://bitwarden.com/products/secrets-manager/
  • Passbolt – The open‑source password manager for teams https://www.passbolt.com/
  • Akeyless – What is Secrets Management? https://www.akeyless.io/blog/what-is-secrets-management/

Would you like us to help you integrate Nextcloud Secrets into your instance?

Or to choose a manager better suited to your needs? We’re here for that. 😊

#Nextcloud #Secrets #Privacy #Self‑Hosting #OpenSource #BlueFox #DigitalSovereignty #DataSecurity


Olivier Morneau
