unsubbed.co

PrivateBin

PrivateBin is a minimalist, self-hosted pastebin and discussion board where the server has zero knowledge of the data it hosts.

Open-source, self-hosted pastebin with client-side encryption, honestly reviewed. No marketing fluff, just what you get when you deploy it.

TL;DR

  • What it is: Open-source, minimalist pastebin where the server never sees the content of your pastes — encryption and decryption happen entirely in the browser using 256-bit AES [README].
  • Who it’s for: Developers, sysadmins, and small teams who routinely share passwords, config snippets, API keys, and code via email or Slack and want to stop doing that [2].
  • Cost savings: PrivateBin is pure self-hosted — no commercial cloud tier exists. A $5/mo VPS with PHP and nginx is all it takes to replace pastebin.com’s Pro tier [2][3].
  • Key strength: Genuine zero-knowledge architecture. The encryption key lives in the URL fragment — the part browsers don’t send to servers — so the server operator cannot read your paste even if subpoenaed. They can hand over encrypted blobs but not keys [README].
  • Key weakness: It is exactly what it says: a pastebin. No official API or CLI (the JSON endpoint the web client talks to is documented in the project wiki, and third-party clients build on it), no team management, no history dashboard, no search. If you need more than “share this text securely,” you’re looking at the wrong tool.

What is PrivateBin

PrivateBin is a minimalist pastebin service you self-host. You paste text, code, or a file into a web form. Before sending anything to the server, your browser encrypts it with AES-256 in Galois/Counter Mode (GCM). GCM is an authenticated mode, so a tampered blob or a wrong key fails to decrypt instead of yielding garbage. The server stores only the encrypted blob. The secret needed to decrypt is appended to the paste URL after a # fragment, the part of a URL that browsers deliberately never include in HTTP requests to servers [README].

The practical consequence: the server has zero knowledge of what was pasted. The README puts it plainly: “As a server administrator you don’t have to worry if your users post content that is considered illegal in your country. You have plausible deniability of any of the pastes content.” You can be compelled to delete a paste, but you cannot be compelled to decrypt it because you never had the key [README].

PrivateBin is a fork of ZeroBin, originally built by Sébastien Sauvage. The fork was made to allow cleaner extensions and has since accumulated a meaningful list of additional features: password protection, burn-after-reading, discussions, syntax highlighting, file uploads, Markdown rendering, QR codes, and template support [README].

At the time of writing it sits at 8,114 GitHub stars and is on version 2.0.3. The project is genuinely minimalist in scope — its website lists no pricing page, no cloud dashboard, no enterprise tier, no sales team. It is open-source infrastructure in the old sense: deploy it yourself, configure it yourself, run it yourself.


Why people choose it

The honest reason is simple: people keep sharing sensitive information through plaintext channels they don’t control, and PrivateBin is the easiest way to stop doing that.

Florian Burnel at it-connect.tech [1] frames the use case clearly: PrivateBin lets you securely distribute passwords, configuration files, and code snippets without relying on email or messaging platforms. The common failure mode it solves is: someone emails a database password, and that email sits in an inbox (and outbox, and backup) indefinitely. A PrivateBin paste with a one-hour expiry and burn-after-reading solves this. The recipient reads it once, and it’s gone [1]. The flip side of burn-after-reading is that whoever fetches the paste first consumes it, so a recipient who finds an already-deleted paste should treat that as a sign the link was opened by someone else and ask for the credential to be rotated.

The lowendbox.com guide [2] tested three self-hosted pastebin options — Hastebin, Pastey, and PrivateBin — and chose PrivateBin for a specific reason: it needs only PHP and a web server. No Redis, no PostgreSQL, no Node.js runtime. The file system stores the encrypted pastes by default. For a 1GB/1-core VPS running Debian 12, that’s the entire stack [2].

H. Peter Pfeufer’s writeup [3] arrives from a privacy angle: the concern with public pastebin services like pastebin.com is that logs reveal who accessed what, and the service operator can see everything posted. PrivateBin eliminates the “operator can see everything” part. The access log concern remains — the server still knows who requested which paste URL — but the content is inaccessible [README][3].

The comparison that comes up most is pastebin.com, not other open-source alternatives. PrivateBin fills the same basic function but with local hosting, zero content knowledge, and no ads.


Features

What the README describes and the install guides confirm:

Core paste mechanics:

  • Browser-side encryption before upload — server receives ciphertext only [README]
  • AES-256-GCM: 256-bit AES in Galois/Counter Mode, an authenticated mode, so tampering with a stored blob is detected when the recipient decrypts [README]
  • Burn after reading option — paste is deleted immediately after first access [README][2]
  • Configurable expiration: 5 minutes, 10 minutes, 1 hour, 1 day, 1 week, 1 month, 1 year, or never [README][2]
  • Optional password protection — adds a second layer beyond the URL key: the browser derives the encryption key from both the URL secret and the password, so a leaked URL alone is not enough to decrypt [README][1][2]
  • QR code generation for paste URLs, useful for mobile handoffs [README]

Content types:

  • Plain text [README]
  • Source code with syntax highlighting via prettify.js — 4 color themes available [README]
  • Markdown with preview [README]
  • File upload (disabled by default; size limit configurable — the it-connect.tech guide sets it at 10MB in their conf.php) [README][1]
  • Image, media, and PDF inline preview when file upload is enabled [README]

Discussion / collaboration:

  • Threaded discussions attached to a paste [README]
  • Anonymous participation or optional nicknames [README]
  • IP-based identicons or vizhashes so readers can tell apart commenters using the same nickname; they are derived from a hash of the commenter’s IP and can be switched off in conf.php [README]

Administration:

  • Configuration via a single conf.php file [1][3]
  • Templates: Bootstrap 5, Bootstrap CSS, Darkstrap included by default; custom templates supported [README][1]
  • Multi-language UI with automatic browser language detection [README]
  • Operator can delete any paste without being able to read it, which is what gives the operator plausible deniability [README]
  • Storage backends: flat filesystem (default), or PDO-compatible databases (SQLite, MySQL, PostgreSQL) [3]
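As an added example, assembled by the editor and not a file from the project or from any of the guides cited, here is a conf.php trimmed for a credential-handoff instance. Key names follow PrivateBin’s conf.sample.php; the values are choices to adapt, and the Configuration page in the project wiki is the authority for your version:

```ini
;<?php http_response_code(403); /*
; conf.php for a credential-handoff instance. Example values chosen by the
; editor, not the project's shipped defaults. Key names follow conf.sample.php;
; check the Configuration wiki page for the version you run.

[main]
name = "Internal paste"
; no threaded discussions on a secrets box: smaller surface, no nicknames, no IP icons
discussion = false
; keep the password second factor available (this is the default)
password = true
; file upload stays off unless you need it; if you turn it on, keep the cap small
fileupload = false
; size limit per paste in bytes (2 MiB here; the shipped default is 10 MiB)
sizelimit = 2097152
; preselect burn-after-reading so the one-time-read path is the default
burnafterreadingselected = true
defaultformatter = "plaintext"
; leave the insecure-HTTP warning on; the README makes HTTPS mandatory
httpwarning = true
; with discussions off, stop computing per-IP icon hashes altogether
icon = "none"
; never point this at a third-party shortener: the fragment (the key) would be sent to it
; urlshortener =

[expire]
; must be one of the keys in [expire_options]
default = "1hour"

[expire_options]
; only the keys listed here appear in the UI: "never" and the long options are gone
5min = 300
10min = 600
1hour = 3600
1day = 86400

[traffic]
; seconds between paste creations from one IP (0 disables rate limiting)
limit = 10
; behind a reverse proxy, name the header carrying the client IP; otherwise the
; limiter sees the proxy's address. Only do this if the proxy overwrites the header.
header = "X_FORWARDED_FOR"

[purge]
; expired pastes are purged only when a new paste is created; keep purging on
limit = 300
batchsize = 10

[model]
class = Filesystem
[model_options]
dir = PATH "data"
```

The file starts with a PHP line that returns 403 if the web server ever hands conf.php to a client directly, which is why the real file keeps that header even though the rest is INI syntax. Everything else here narrows what users can pick: shorter expiries, burn-after-reading preselected, no discussions, no uploads.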

What it doesn’t have:

  • Search across pastes
  • User accounts or authentication for paste creators
  • Official REST API or CLI (the JSON endpoint the web client uses is documented in the project wiki, and third-party clients build on it, but the encryption is then your job)
  • Audit logs or admin dashboard
  • Team management
  • Usage analytics

Pricing: SaaS vs self-hosted math

PrivateBin has no SaaS tier, no commercial cloud, no pricing page. There is no company selling access to it. This makes the cost comparison unusually clean.

Self-hosted PrivateBin:

  • Software: $0 [README]
  • Hosting: A 1GB/1-core VPS on Hetzner, Contabo, or similar runs $3–7/mo [2]
  • Stack requirements: PHP 8.1+, nginx or Apache, disk space. No database required by default [2][3]
  • SSL: Let’s Encrypt, free [2]

The alternative — pastebin.com Pro:

  • Pricing data is not available in the sources cited for this review; the site’s pricing may have changed. Check directly at pastebin.com before making the comparison.
  • The meaningful difference is not price — it’s data access. A pastebin.com subscription stores your pastes on servers you don’t control, readable by the operator.

The real cost calculation isn’t about dollars — it’s about what happens when you paste a database connection string or a client API key into pastebin.com and that key later leaks from a breach you didn’t cause and couldn’t prevent. A $5 VPS takes the third-party breach out of the picture; what remains is a server you control and have to keep patched. The lowendbox.com guide [2] makes this point: the primary value of self-hosting isn’t the money saved on a Pro subscription, it’s that your data stays local.

For teams already running a VPS for other purposes, the marginal cost of adding PrivateBin is essentially zero — it’s PHP and a web server config file [2][3].


Deployment reality check

Three separate guides tested different deployment paths, and the consensus is that PrivateBin is one of the simpler self-hosted tools to get running.

Docker (it-connect.tech approach [1]):

  • Uses the official privatebin/nginx-fpm-alpine image
  • Two containers: PrivateBin + nginx reverse proxy
  • Docker Compose file, a conf.php, a network, and SSL certificates
  • The it-connect.tech guide walks through this end-to-end and calls it straightforward [1]

Bare metal on Debian 12 (lowendbox.com approach [2]):

  • Install nginx + PHP-FPM
  • Download PrivateBin release, extract to web root
  • Configure nginx server block
  • Let’s Encrypt for SSL
  • The guide reports this working on a 1GB/1-core VPS — genuinely minimal requirements [2]

Bare metal vs Docker (ppfeufer.de approach [3]):

  • Covers both paths in the same article
  • Notes PHP 7.0+ minimum, recommends 8.1+
  • Requires GD and zlib PHP extensions
  • Docker Compose version uses the same privatebin/nginx-fpm-alpine image, tagged :latest; pinning a release tag instead makes upgrades deliberate and reproducible [3]

Realistic time estimates:

  • Technical user comfortable with Linux: 20–45 minutes from zero to working HTTPS instance
  • Non-technical founder following a guide: 1–3 hours, including DNS propagation wait

What can go sideways:

  • HTTPS is non-optional. The README is explicit: “a PrivateBin installation has to be used over HTTPS. Otherwise you would also have to trust your internet provider.” If you skip HTTPS, you’ve undermined the entire security model [README].
  • The encryption key is in the URL. If someone posts a PrivateBin link publicly in Slack or a public GitHub issue without a password, anyone with the link can read the paste. This is documented clearly in the README [README]. The full URL, fragment included, also lands in browser history and in whatever chat or ticketing system it was pasted into, so the link itself needs handling as the secret it is.
  • Server compromise is a specific threat the README names directly: a compromised server could be forced to serve malicious JavaScript that logs decryption keys. The mitigation is: “do not access any PrivateBin instance if you think it has been compromised” [README]. This is an honest acknowledgment that client-side encryption doesn’t fully protect against a compromised server. A Content-Security-Policy header or subresource-integrity attributes don’t close this gap either, because the same server that serves the JavaScript serves the policy and the integrity hashes.
  • Access logs still exist. Who accessed which paste URL at what time is visible to the server operator and potentially law enforcement [README].

Pros and cons

Pros

  • Genuine zero-knowledge architecture. The server operator cannot read stored paste content: the key never reaches the server, so this holds by construction rather than by policy, with the one exception the README names of a server that serves modified JavaScript [README]. This is rare among pastebin-style tools.
  • Minimal server requirements. PHP + web server + disk. No database required by default. Runs on anything [2][3].
  • Burn after reading. First access deletes the paste automatically — clean for one-time credential shares [README][2].
  • Password protection as a second layer. If you share a paste URL over a logged channel, the password adds meaningful additional protection [README][1].
  • Configurable expiration. From 5 minutes to forever. Operators can restrict which options users see in conf.php [1][README].
  • Docker support with an official image. The nginx-fpm-alpine image is maintained by the project and used in multiple guides [1][3].
  • Plausible deniability for operators. You can delete pastes you never read. Useful for public instances [README].
  • File upload with inline preview. Images, media, and PDFs render in-browser, not just text/code [README].

Cons

  • Trust the server admin, always. The security guarantee breaks completely if the server is compromised or the admin is malicious. You must trust both the operator’s integrity and their infrastructure [README].
  • No user accounts. Anyone with the URL can read a non-password-protected paste. There’s no private paste library tied to an identity.
  • No official API or client. The browser talks to the server over a JSON endpoint (documented in the project wiki and used by third-party CLI clients), but the project ships no authenticated REST API and no SDK, so integrating paste creation into CI/CD or internal tooling means reimplementing the client-side encryption.
  • No search. Pastes are stored encrypted under keys the server never has, so server-side search is impossible by design. You either have the URL or you don’t.
  • No admin dashboard. Server operators manage pastes by interacting with the filesystem or database directly, not through a UI [2][3].
  • File upload disabled by default. Enabling it requires editing conf.php. The default 10MB limit cited in the it-connect.tech guide [1] may not match your needs and requires manual configuration.
  • Access logs remain. Who requested which URL at what time is still visible — only the content of the paste is protected, not the metadata [README].

Who should use this / who shouldn’t

Use PrivateBin if:

  • You or your team routinely share passwords, secrets, or config snippets over email or Slack and you want a one-time-readable alternative.
  • You’re a sysadmin or developer who already runs a VPS and wants a zero-trust paste tool with minimal overhead.
  • You need plausible deniability as a server operator running a public or semi-public instance.
  • You want burn-after-reading for one-time credential handoffs.
  • You’re comfortable with PHP + nginx or can follow a Docker Compose guide.

Skip it if:

  • You need team-managed paste history with search and attribution — look at something like Gitea’s snippet system or an internal wiki.
  • You need an API to integrate paste creation into automated workflows. PrivateBin has no official one; the JSON endpoint its web client uses can be driven from a third-party client, but you are then responsible for the encryption side.
  • You’re looking for a full secret management solution — you want HashiCorp Vault or Infisical, not a pastebin.
  • You’re not comfortable with HTTPS setup. Running PrivateBin over plain HTTP defeats the entire security model and is explicitly warned against in the README [README].
  • You need to share pastes with non-technical users who will struggle with password-protected URLs.

Alternatives worth considering

  • Hastebin — another self-hosted pastebin, mentioned in the lowendbox.com comparison [2]. Simpler feature set, no encryption, no burn-after-reading. Fine for internal code sharing where security isn’t the priority.
  • Pastey — Python-based, also considered in [2]. Less mature than PrivateBin, fewer features.
  • Pastebin.com — the incumbent public service. No self-hosting, operator can read content, ads on the free tier. Pro subscription removes ads and adds features; pricing not available in sources reviewed.
  • GitHub Gists — good for code sharing, version history, public/secret options. GitHub can read all content, and secret Gists are not private — they’re just unlisted. No expiry, no burn-after-reading.
  • Infisical / HashiCorp Vault — if the reason you’re pasting things is to share secrets between team members or services, you need a secrets manager, not a pastebin. PrivateBin is for one-time human-to-human handoffs, not persistent secret storage or injection into CI/CD.
  • SSH / netcat — if both parties are technical, copying the secret straight between machines over SSH (scp, or piping through ssh) avoids a web application entirely. Plain netcat sends cleartext and belongs only inside an SSH tunnel or on a network you trust end to end. Neither is practical for non-technical recipients.

Bottom line

PrivateBin does exactly one thing and does it correctly: it lets you share text or files where the server cannot read the content, as long as it serves the genuine client code. The technical mechanism — browser-side encryption with the key in the URL fragment — is well understood and the README documents its limits honestly, which is more than most tools offer. Setup is genuinely accessible: a $5 VPS, PHP, nginx, and 45 minutes is all it takes [2][3]. The missing search and user accounts are not oversights but consequences of the zero-knowledge design: you can’t search encrypted content, and you can’t attach accounts to pastes that aren’t supposed to be logged. The missing official API and admin dashboard are scope decisions; automation means driving the JSON endpoint the web client already uses, with the encryption done on your side.

If your team shares passwords in Slack threads or emails database credentials, PrivateBin is the specific fix for that specific problem. It’s not a secret manager, not a team knowledge base, and not a collaboration tool. It’s a pastebin that doesn’t know what you pasted.

If the HTTPS setup is the blocker, that’s exactly the kind of one-time deployment that upready.dev handles for clients.


Sources

  1. Florian Burnel, it-connect.tech, “PrivateBin: how to deploy your own PasteBin on a server?” (April 14, 2025). https://www.it-connect.tech/privatebin-how-to-deploy-your-own-pastebin-on-a-server/
  2. raindog308, lowendbox.com, “Set Up Your Own Private Pastebin: Control Your Snippets and Secrets” (September 28, 2025). https://lowendbox.com/blog/set-up-your-own-private-pastebin-control-your-snippets-and-secrets/
  3. H. Peter Pfeufer, ppfeufer.de, “PrivateBin – Your Self-Hosted Pastebin Instance” (November 7, 2022; updated March 17, 2024). https://ppfeufer.de/privatebin-your-self-hosted-pastebin-instance/

Primary sources:

  • PrivateBin project README, cited inline as [README].