In this blog post, I’ll be using Golang to develop a super small web service that people or organizations can use to share secrets in a slightly more private way. We all have the occasional need to share a secret with a co-worker or another person. It may be an API key, a password or even some confidential data from a customer. When we share secrets via channels such as Slack, Teams or email, we essentially send the secret to the servers of a complete stranger. We have no oversight over how the data is being handled, how long it will persist on third-party servers and who has access to it. Sending secrets directly via Slack or Teams can also have other unwanted side effects. For instance, new employees who get added to an existing channel could discover previously shared confidential data via the channel’s chat history. That could be a security breach in itself if those employees didn’t have the clearance beforehand. Overall, secrets and confidential data should never be shared directly via (untrusted) third-party channels.
I thought writing a small data-sharing app could be a good way of learning Go. The goal is to create a small web service that can be run as a single binary or from a Docker container inside a company’s own infrastructure. Why rely on an (untrusted) third-party service (noterip, safenote, onetimesecret, circumvent or privnote) if one could run their own?
The Golang Project Foundation
This is going to be an MVP so we’ll be making some fast gains by keeping the service extremely simple and making use of Redis as the main persistence layer. Redis seems to be a good fit for an MVP as it can be easily hosted in a container and used as a distributed data store that can serve multiple instances of our app. We can also use the TTL (time to live) feature, which gives us a quick and dirty implementation of short-lived, self-destructing links.
Our web service will be a simple Go executable which can also run in a container and which will implement basic functionality to persist and retrieve a secret.
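The persist-and-retrieve flow with a TTL, as an added sketch that is not this project's own code: an in-memory map stands in for Redis so it runs offline, and `Store`, `Put` and `Take` are hypothetical names. It goes one step beyond the TTL described above by also deleting the secret on first read, which is an assumption about how the links should behave.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

type entry struct {
	secret  string
	expires time.Time
}
// Store is a hypothetical in-memory stand-in for Redis, so the example runs offline.
type Store struct {
	mu   sync.Mutex
	data map[string]entry
	now  func() time.Time // injectable clock, so expiry can be tested
}

// Put mirrors Redis `SET <id> <secret> EX <ttl>`; the ID is 128 random bits.
func (s *Store) Put(secret string, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[id] = entry{secret, s.now().Add(ttl)}
	return id, nil
}

// Take mirrors Redis `GETDEL <id>`: read and delete in one step, so a link works once.
func (s *Store) Take(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.data[id]
	delete(s.data, id)
	if !ok || !s.now().Before(e.expires) {
		return "", false // unknown, already read, or past its TTL
	}
	return e.secret, true
}

func main() {
	s := &Store{data: map[string]entry{}, now: time.Now}
	fmt.Println(s.Put("constructed-sample-api-key", 10*time.Minute))
}
```

The ID comes from `crypto/rand` because the link is the only thing protecting the secret, so it must not be guessable.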
The entire solution will be open source with an OSS-friendly Apache 2.0 license so that people can fork it and make their own modifications to it.
I call this project
For the purpose of this blog post, I’ll keep the service very rudimentary and use as few third-party dependencies as possible. I’m actually coding this project as I’m writing this blog post, so one can follow the evolution of this app through this article or the associated commit history in Git.
Creating a new Golang project
First, let’s create a simple Golang project to kick things off.