Home | Security | File Encryption | FAQ's | Privacy | About Us

What is OneTimeMessage?

Each link is unique and designed for a single successful view or download. After that, the encrypted payload is deleted. If a link expires or is opened once, it cannot be recovered.

Unlike email or chat apps, your content isn’t left sitting in an inbox. It’s encrypted end-to-end with a one-time link and optional controls (password, IP Lock, Ultra Encrypt). We also avoid invasive tracking.

What is “double encryption”?

By default, your content is encrypted on our system using strong, modern cryptography (AES-256-GCM with randomized IVs and salts; keys derived via PBKDF2-HMAC-SHA-256). If you enable Ultra Encrypt, your browser first encrypts the message locally with your password before upload-then we encrypt that ciphertext again server-side. Two independent layers.

Do you store keys or passwords?

No. We never store your password. Keys are derived on the fly and are not available to staff. If you lose a password, we cannot recover it.

What is Ultra Encrypt?

Client-side AES-GCM encryption performed in your browser using your password (derived via PBKDF2). We then re-encrypt the already-encrypted payload. Without your password, neither we nor a server attacker can decrypt the content.

What password strength do you recommend?

At least 12 characters with a mix of upper/lowercase, digits, and symbols. Ultra Encrypt requires a minimum length before enabling its button.

What happens if I forget my password?

There’s no recovery. That’s by design.

When does a one-time link expire?

On first successful view/download or when its time-to-live (TTL) elapses-whichever occurs first. The active TTL is shown when you create the link.

Can I undo a view or restore a deleted/expired item?

No. One-time means gone.

What is IP Lock?

IP Lock restricts a message to a specific public IP. Only requests from that IP can decrypt the payload (in addition to any password).

Any IP Lock caveats?

Dynamic IPs, VPNs, office NATs, and mobile networks can change a user’s public IP. Only use IP Lock when the recipient’s public IP is stable and known.

Which file types are supported?

All file types can be encrypted. During decryption, you must provide a file previously encrypted by our tool; otherwise you’ll see “Unsupported file format.”

Why do I see “Unsupported file format” vs “Incorrect password”?

Unsupported file format means the file doesn’t match our encryption header/signature (likely never encrypted by this site). Incorrect password means the file matches our format but your password doesn’t authenticate.

What’s the maximum file size?

The current limit is shown near the upload field and may change over time.

How do I decrypt a file?

Select Decrypt, upload the file produced by our site, and enter the correct password. If the password is wrong, you’ll get a clear error; the process never “half-decrypts.”

What extra protection does Ultra Encrypt add?

Your message is encrypted in your browser before it ever leaves your device. We store ciphertext-of-ciphertext. Even full server compromise plus code disclosure wouldn’t reveal your plaintext without your password.

How should I share passwords safely?

Share the password separately from the link (ideally via a different channel). For example, send the password via a one-time message first; once you see it’s been viewed, share the file/message link.

Should I reuse passwords?

No. Use different passwords for messages and files (and ZIPs if you add that layer). This prevents one leak from compromising multiple assets.

Why add password-protected ZIPs?

They add an additional independent layer we never know. A passworded ZIP + site encryption + Ultra Encrypt = layered defense.

How do I create a one-time message?

Type your message, optionally set a password and/or IP Lock, then create. You’ll receive a unique one-time URL.

How do I encrypt a file?

Choose Encrypt, select a file, set a password, and submit. You’ll receive a secure download link or a shareable one-time URL.

How do I decrypt a file?

Choose Decrypt, select the encrypted file from our site, and enter the matching password.

“Sorry, the password you entered is incorrect.”

Check capitalization and characters. If you used Ultra Encrypt or a passworded ZIP, ensure you’re using the correct password for the correct layer.

“Unsupported file format.”

The file wasn’t generated by our encryption tool or was modified. Make sure you’re decrypting the exact file created by the site.

Clipboard/copy issues

Some browsers or OS privacy settings block programmatic clipboard access. Use the Copy button, or select text and copy manually if needed.

“No message found/already viewed.”

The one-time link was consumed or expired. Ask the sender to generate a new one.

Do you track me?

No. We do not collect IP addresses, user agents, identifiers, or long-term tracking data. We don’t run third-party analytics beacons.

What minimal metrics do you collect?

Only aggregate, non-PII operational counts (e.g., started/completed actions, bytes processed, anonymized error types) to keep the service reliable. No message contents or passwords.

Can staff or attackers read my messages/files?

Not without the password. With Ultra Encrypt enabled, your content is encrypted locally before upload. Even with database snapshots and server code, an attacker faces AES-GCM ciphertext without keys.

Can someone guess a link?

Links contain high-entropy tokens (unpredictable URL keys). Brute-forcing a valid, live, unconsumed link before expiration is computationally infeasible under industry assumptions.

Do you keep decrypted data around?

No. Decryption occurs only for the recipient’s request; one-time content is deleted after a successful view/download.

Which browsers are supported?

Modern browsers with Web Crypto and Clipboard APIs (current Chrome, Firefox, Edge, Safari). JavaScript must be enabled. Older/locked-down environments may limit clipboard features; manual copy still works.

Is mobile supported?

Yes-mobile browsers that support Web Crypto work. Copy/paste prompts vary by OS.

How long do you keep data?

Payloads exist only until first successful view/download or until TTL expiry. We don’t retain deleted/expired items.

Can I customize the TTL?

If adjustable TTL is available in the UI, you’ll see options. Otherwise, we apply the site’s current TTL policy.

Are there rate or size limits?

Upload size limits and any usage caps appear on the page and may change to protect service stability.

Acceptable use?

Don’t use the service for illegal content or abuse. Excessive automated requests may be throttled.

Is this HIPAA/GDPR compliant?

We design for privacy by default and minimal data retention, but we don’t represent the service as a compliance product for specific laws or industries. You must determine suitability.

Liability & warranty (plain English)

Use the service at your own risk. We strive for reliability and security, but make no guarantees of fitness for a particular purpose. Don’t depend on the service as your only copy of critical data-links are one-time and expire.

Can you recover a lost message or password?

No. That’s fundamental to the security model.

Do I need an account?

No account is required for core functionality.

Is it free?

Core usage is free within posted limits. If pricing or tiers change, the site will state it clearly.