pastebin.ca

Set up your encryption mailbox and sync keys

Recipient keys, cross-device sync, recovery
Workflow

Publish a recipient public key so others can seal pastes to your account, then sync the matching private key across your devices through an end-to-end encrypted keybag — no manual key transport.

When to use it

Use this when

  • You want people, or your own tools, to address encrypted pastes to your account.
  • You read encrypted-to-you pastes on more than one browser or machine and do not want to hand-copy private keys.
  • You want a recoverable, server-mediated way to bring your keys to a new device without trusting the server with plaintext.
Steps

Do this

  1. Publish your recipient key. Open Account → Recipient key, set a local private-key passphrase, then choose "Publish new key." This generates an X25519 keypair: the public key is published so others can seal pastes to you, and the private key is encrypted with your passphrase and kept in this browser.
  2. Enable cross-device sync. Under "Cross-device sync," choose "Enable sync." Your private key is wrapped into an end-to-end encrypted keybag and uploaded — the server only ever stores ciphertext. You are shown a one-time recovery code. Save it now; it is shown only once.
  3. Optionally allow a passphrase unlock. Turn on "Also allow unlocking with a passphrase" and set an unlock passphrase if you want a memorable fallback. A passphrase is more convenient but less private than a recovery code alone.
  4. Link a new device. On the other browser or machine, sign in and open Account → Cross-device sync → "Unlock keys on this device." Enter your recovery code (or unlock passphrase). Your recipient keys are decrypted locally and cached on that device — no plaintext key ever crosses the network.
  5. Save the refreshed recovery code. Recovery codes are one-time: after you unlock with one, the spent code is retired and a fresh code is minted and shown. Save the new code — the previous one no longer works.
  6. Add a passkey per device. After unlocking on a device, choose "Add this passkey" to register that device's passkey (WebAuthn PRF) as an unlock method. Next time you can unlock with the passkey instead of typing a code. Passkey unlock is per-device.
  7. Rotate or revoke when needed. "Rotate keys" issues a fresh recipient keypair and re-keys the keybag; old private keys are retained so previously sealed pastes still decrypt. Rotation resets your unlock methods — you get a new recovery code and must re-add passkeys on each device. "Remove key" unpublishes your recipient key.
Examples

Copyable commands

Someone seals a paste to you (CLI)
pbca new --to-recipient @you --file handoff.txt --expires 7d
Read your encrypted inbox
pbca inbox # CLI
# or open https://pastebin.ca/account/inbox in the browser
Look up your published key (MCP)
lookup_recipient_public_key({ "recipient": "@you" })
Operational notes

Keep in mind

  • The server never sees your recipient private key or your recovery code. It stores only your public key and the encrypted keybag (ciphertext).
  • Your recovery code changes every time you use it. Always save the new code shown after an unlock; the previous one is retired so an observed code cannot open the keybag twice.
  • A recovery code or unlock passphrase is the only way to reach your keys on a brand-new device. If you lose every unlock method, encrypted-to-you pastes that need the current key cannot be recovered.
  • Passkey unlock is per-device: a passkey added on one device does not unlock the others. Add a passkey on each device you use, or keep your recovery code handy.
  • Rotating keys keeps old private keys so historical inbox pastes still open, but contacts who cached your old public key should look up your new key for future sends.
