Encrypted File Share Tool

Email attaches a file forever. Once a sensitive document leaves your outbox, it sits in the recipient's inbox, their cloud backup, their mobile sync, and any forensic image taken since — and you have no kill switch. Encrypted File Share answers a narrower problem: deliver one file to one recipient, prove it landed, and leave nothing behind.

The problem it solves

Professionals who move sensitive documents — lawyers, accountants, M&A advisors, MSPs, HR teams — face the same recurring failure mode. An attachment goes out via email, Dropbox, or Slack; the recipient receives it; the file then quietly multiplies into three to seven copies across that recipient's mailbox, mobile sync, cloud backup, and IT archive. None of those copies can be recalled, and any one of them can surface in a future breach, audit, or discovery cycle. The original sender carries the consequences — civil exposure, regulatory fines, malpractice risk — long after the engagement closed.

The commercial alternatives are not shaped for one-off operators. Enterprise secure-share platforms price at $15-30 per seat per month, require the recipient to create an account, install a plugin, or accept a watermark that defeats the workflow. For a solo lawyer sending a settlement PDF to a one-time client, that friction is higher than the perceived value, and the file ends up in plain email anyway. The gap is a self-hosted utility that delivers a single file once, confirms receipt, and erases itself — without per-seat licensing, without third-party storage, and without making the recipient sign up for anything.

Who needs this most

• Solo attorneys and small-firm partners sending settlement drafts, NDAs, M&A redlines, or redacted discovery to one-off clients and opposing counsel between meetings. The moment it hurts: a client asks "can you still pull that file?" six months after the engagement closed, and the right answer needs to be "no — it self-destructed on schedule, here's the audit entry."
• Fractional CFOs, M&A advisors, and accounting professionals handling five to fifteen active engagements at once, moving tax returns, financial models, and due-diligence packages between counterparties under tight NDAs. The moment it hurts: a deal closes, the file is now circulating in five inboxes, and there is no clean way to confirm it has been retired.
• MSPs and IT consultants delivering generated credentials, SSL keys, configs, and audit reports to client contacts who refuse to use a password manager. The moment it hurts: every onboarding handoff, every credential rotation, every offboarding teardown — repeatedly, every week.

The solution — in plain terms

Drop a file, get a one-time link, paste it into whatever channel you and the recipient already use. When the recipient opens the link, the file decrypts once, downloads once, and self-destructs. The next person to follow the same link — or the same recipient on a second device — gets a clean "this file is gone" page. There is no recipient account to create, no plugin to install, no watermark on the file.

Each share has three controls. A passphrase locks the file behind a second factor that travels separately from the link itself — useful when the link channel (email, Slack) is itself sensitive. A time-to-live between one and thirty days expires the file automatically even if it is never opened. And a manual burn button on the sender's receipt page wipes the file from disk immediately — the right tool when the wrong link goes out by mistake. The admin dashboard shows, for every share, whether it was viewed, when, and from which IP — the audit trail a compliance reviewer expects to see.

Value delivered — what you get

• Files don't linger in client inboxes or your own sent folder — the share delivers once and erases itself. Nothing to surface in a discovery cycle, nothing left to leak in a future breach.
• Replaces $15-30 per seat per month commercial secure-share subscriptions — own the infrastructure, no per-recipient surcharge, no vendor disappearing your account during a billing dispute.
• Confirms delivery without trusting recipient honesty — the admin dashboard shows when each file was opened and from which IP. An audit trail you can defend in a compliance review.
• A thirty-day maximum TTL prevents orphan files — every share self-destructs by default within a month; no janitor process required, no stale files accumulating on disk.
• Manual burn override for mistake recovery — if the wrong link goes out, click burn on the receipt page; the file is wiped from disk before the recipient can act on it.
• No third-party storage between you and the recipient — files never touch Dropbox, Google Drive, or any SaaS provider. Self-hosted on infrastructure you control, including air-gapped environments where SaaS is not an option.

Where it delivers outsized value

Professional-services firms with compliance exposure — law, accounting, M&A advisory — where every outbound file is a potential discovery target and the audit trail matters more than convenience. Distributed and remote-first teams that need to ship credentials, offer letters, or onboarding artifacts to new hires without enrolling them in a corporate identity provider on day zero. And independent operators — fractional CFOs, MSPs, security consultants, investigators, journalists — who carry the same compliance posture as a 200-person firm but without the licensing budget for an enterprise share platform. The common thread: small-to-mid practices where a single mishandled file is six figures of consequence and the cost of prevention has to stay proportional to the engagement value.

Distinctive features — why this over the alternatives

• Server-side AES-256-CBC streaming encryption — files encrypt on upload and decrypt on download via Node streams. A 500 MB transfer never holds the full file in memory, so the service runs comfortably on a 1 GB VPS.
• One-time view enforcement — single download token, atomically marked viewed on first reveal, encrypted file unlinked from disk on burn. No "did the link still work?" surprises and no second-chance leaks.
• Bcrypt-hashed passphrase gate — optional second factor that travels separately from the link. Passphrase never stored in plaintext, validated with a constant-time compare.
• JSON file store, no database server — the entire deployment is one Docker container, one persistent volume, one JSON file you can back up with cp. No Postgres or Redis to operate or patch.
• Operator-grade tooling out of the box — start.sh is a deployment wizard, monitor.sh is a live health dashboard, cleanup.sh is a teardown command. Built for a solo operator to run, not a platform team.
• Configurable file ceiling (default 512 MB) — large enough for forensic images, video evidence, or redacted PDF sets; bounded so a single upload cannot fill the host disk.

Under the hood — built to last

The service runs on Node.js 18 and Express 4 — long-supported, boring foundations chosen because secure-share infrastructure has to keep working without daily attention. Bcrypt handles passphrase hashing; AES-256-CBC handles at-rest encryption with a per-file IV. A JSON file store stands in for a database because the data shape is small and the operator should be able to inspect and back it up with shell commands. Everything ships as one Docker container that stands up on a single VPS, an on-premise box, or an air-gapped jumphost. A startup sweep clears partial uploads from prior crashes; an hourly sweep retires expired files; healthchecks expose state to whatever monitor sits in front of the host.

Current maturity

Production-ready and Docker-deployable today. The core service is 619 lines of Node; the full repository — admin dashboard, operator scripts, styled frontend — totals roughly 3,400 lines. Last meaningful update 2026-02-28. The service has been in use as a private-share utility for personal-operator workflows; the single-container deployment and JSON file store are deliberate choices for a one-or-two-operator install. It is not yet hardened for multi-tenant SaaS, and no public hosted instance is offered — every deployment is self-hosted by the customer or operator. Honest characterization: small but complete, ready to extend toward a paid offering.

Roadmap — what's next

Two business-shaped extensions are scoped. The first is a hosted multi-tenant mode — one admin login fronting isolated storage and audit per team, sold per seat or per share volume, suitable for a small law firm or MSP that wants the security model without operating their own VPS. The second is client-side end-to-end encryption — file encrypted in the recipient's browser with a key in the URL fragment, so even a compromised host cannot decrypt the file at rest. Beyond those, a webhook-on-view trigger would let the sender's CRM, ticketing system, or compliance log record delivery confirmation in real time — closing the loop from share to audit without manual reconciliation.

Working with the architect

Three engagement modes apply. Commission a custom build of a private-share utility tuned to your industry's compliance posture — HIPAA, GDPR Article 32, SOC2 evidentiary trails — with branding, identity-provider integration, and retention policy baked in. Extend this codebase with E2E client-side encryption, multi-tenancy, or integration into your existing identity stack. Or engage in strategic advisory on private-share architecture: what to self-host versus consume, how to write the audit trail, where the trust boundaries should sit. Reach out via sintegrium.io or LinkedIn for a 30-minute scoping call.

---

Built by Yurii Staryk · Solution Ecosystem Architect