PrivateBin

PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.

Data is encrypted and decrypted in the browser using 256-bit AES in Galois/Counter Mode (GCM).


Note

For this guide you should be familiar with the basic concepts of

License

PrivateBin consists of PHP and JS code which was originally written by Sébastien Sauvage in 2012 and falls under the Zlib/libpng license. All relevant legal information can be found in the GitHub repository of the project.

Prerequisites

We’re using PHP in the stable version 8.1:

[isabell@stardust ~]$ uberspace tools version show php
Using 'PHP' version: '8.1'
[isabell@stardust ~]$

The domain you want to use must be set up:

[isabell@stardust ~]$ uberspace web domain list
isabell.uber.space
[isabell@stardust ~]$

Installation

Download the source

Check the GitHub releases page and copy the tag of the latest release. Set the variable PBIN_VERSION to the version you just copied, then cd to your ~/html folder and use wget to download the archive.

[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ PBIN_VERSION=0.0.0
[isabell@stardust html]$ wget https://github.com/PrivateBin/PrivateBin/archive/$PBIN_VERSION.tar.gz -O "PrivateBin-$PBIN_VERSION.tar.gz"
[…]
Saving to: ‘PrivateBin-1.5.1.tar.gz’

100%[=================================================>] 3,172,029   3.45MB/s   in 0.9s

2022-11-17 16:27:44 (8.32 MB/s) - ‘PrivateBin-1.5.1.tar.gz’ saved [523648]
[isabell@stardust html]$

Untar the archive and then delete it.

[isabell@stardust html]$ tar -xzf PrivateBin-$PBIN_VERSION.tar.gz --strip-components=1
[isabell@stardust html]$ rm PrivateBin-$PBIN_VERSION.tar.gz
[isabell@stardust html]$

Activate the .htaccess file

PrivateBin provides a .htaccess file, which blocks some known robots and link-scanning bots. Activate it by renaming it from .htaccess.disabled to .htaccess.

[isabell@stardust html]$ mv .htaccess.disabled .htaccess
[isabell@stardust html]$

Moving files outside of DocumentRoot

It is recommended to move the configuration, data files, templates and PHP libraries outside of your document root, so that the web server can never serve them directly. To do that, create a folder privatebin in /home/isabell/ and move the folders to the new location (remember to replace isabell with your own username!). If you are not already in the html directory, go there before running mv.

[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ mkdir ~/privatebin
[isabell@stardust html]$ mv -t ~/privatebin cfg/ lib/ tpl/ vendor/
[isabell@stardust html]$

Changing index.php

Now edit ~/html/index.php to inform PrivateBin about the new location of the folders.

[...]
// change this, if your php files and data is outside of your webservers document root
define('PATH', '/home/isabell/privatebin/');
[...]

Configuration

Configure your PrivateBin Instance

Note

You don’t need to change any of the default settings as they are mostly secure.

You can find an example configuration file at cfg/conf.sample.php with the default settings. To change these, copy the sample file to cfg/conf.php and adapt the values as needed.

[isabell@stardust ~]$ cd ~/privatebin
[isabell@stardust privatebin]$ cp cfg/conf.sample.php cfg/conf.php
[isabell@stardust privatebin]$

The file is in ini format: lines beginning with a semicolon ; are comments, configuration options are grouped in sections marked by square brackets [ and ], and each option key is separated from its value by an equals sign =.

A full list of the possible configuration values can be found in the PrivateBin project's configuration documentation.

Best practices

Robots.txt

PrivateBin comes with a robots.txt file in the root directory. It disallows all robots from accessing your pastes. If you followed this guide, it is already at the right place in your DocumentRoot. However, if you installed PrivateBin into a subdirectory, you have to move robots.txt back into the DocumentRoot. If you already use a robots.txt there, merge PrivateBin's rules into your existing file instead of replacing it.

Making your PrivateBin Instance read-only

This section will teach you how you can limit write access to your PrivateBin instance, i.e. specify who can paste data.

While PrivateBin has no concept of access control in itself, its documentation suggests different ways in which a read-only mode can be achieved with some custom configuration. In this guide we implement the second method, which requires HTTP Basic authentication for POST requests (the requests that create pastes) while leaving GET requests, and therefore reading, open to everyone.

Choose a username that should have write access and provide it to the htpasswd command:

[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ htpasswd -c .htpasswd sample_user
New password:
Re-type new password:
Adding password for user sample_user
[isabell@stardust html]$

Further users can be added by omitting the -c flag:

[isabell@stardust html]$ htpasswd .htpasswd another-user
New password:
Re-type new password:
Adding password for user another-user
[isabell@stardust html]$

Edit the .htaccess file and add the following lines (replace isabell with your Uberspace username):

AuthType Basic
AuthName "Login to PrivateBin"
AuthUserFile /var/www/virtual/isabell/html/.htpasswd
<LimitExcept GET>
   Require valid-user
</LimitExcept>

The .htaccess file should look similar to this example:

[isabell@stardust html]$ cat .htaccess
RewriteEngine on
RewriteCond !%{HTTP_USER_AGENT} "Let's Encrypt validation server" [NC]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|spider|crawl|https?://|WhatsApp|SkypeUriPreview|facebookexternalhit) [NC]
RewriteRule .* - [R=403,L]

AuthType Basic
AuthName "Login to PrivateBin"
AuthUserFile /var/www/virtual/isabell/html/.htpasswd
<LimitExcept GET>
   Require valid-user
</LimitExcept>

The PrivateBin site itself remains visible to the public. When a user tries to publish content in your pastebin, the browser shows an HTTP Basic Auth prompt asking for username and password. Pastes created this way are still readable by everyone who has the generated link.
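The two hardening steps of this guide, moving cfg/, lib/, tpl/ and vendor/ out of the DocumentRoot and restricting non-GET requests with Basic authentication, are easy to get subtly wrong (a folder left behind, PATH not updated, AuthUserFile pointing at a file that does not exist). The following POSIX shell script is an added example, not part of this guide, of PrivateBin or of Uberspace: it statically checks both steps against an installation laid out as described above. The function names, the constructed sample layouts in a temporary directory and the placeholder htpasswd hash are this example's own assumptions; the check for AuthUserFile assumes the unquoted path form used in this guide.

```shell
#!/bin/sh
# Added example for this guide (not PrivateBin's or Uberspace's own code).
# Static post-install checks for:
#   1. "Moving files outside of DocumentRoot": the sensitive directories are
#      gone from the DocumentRoot, exist at the new location, index.php's PATH
#      constant points there, and .htaccess was activated;
#   2. "Making your PrivateBin Instance read-only": .htaccess carries the
#      Basic-auth block for non-GET requests and the AuthUserFile it names
#      exists and holds at least one user:hash entry.

# check_layout DOCROOT PBDIR -> 0 if fine, 1 otherwise (one line per finding)
check_layout() {
    docroot=$1; pbdir=${2%/}; rc=0
    for d in cfg lib tpl vendor; do
        [ -e "$docroot/$d" ] && { echo "FAIL: $docroot/$d is still inside the DocumentRoot"; rc=1; }
        [ -d "$pbdir/$d" ]   || { echo "FAIL: $pbdir/$d is missing"; rc=1; }
    done
    # PrivateBin expects PATH with a trailing slash, as in the index.php edit above
    grep -qF "define('PATH', '$pbdir/');" "$docroot/index.php" 2>/dev/null \
        || { echo "FAIL: index.php does not define PATH as $pbdir/"; rc=1; }
    [ -f "$docroot/.htaccess" ] || { echo "FAIL: .htaccess not activated"; rc=1; }
    return $rc
}

# check_readonly DOCROOT -> 0 if the write restriction is configured, 1 otherwise
check_readonly() {
    docroot=$1; ht=$docroot/.htaccess; rc=0
    grep -qF '<LimitExcept GET>' "$ht" 2>/dev/null \
        || { echo "FAIL: no <LimitExcept GET> block in $ht"; rc=1; }
    # Require valid-user must sit inside the LimitExcept block, not outside it
    sed -n '/<LimitExcept GET>/,/<\/LimitExcept>/p' "$ht" 2>/dev/null | grep -q 'Require valid-user' \
        || { echo "FAIL: Require valid-user missing inside the LimitExcept block"; rc=1; }
    grep -qF 'AuthType Basic' "$ht" 2>/dev/null \
        || { echo "FAIL: AuthType Basic missing in $ht"; rc=1; }
    userfile=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$ht" 2>/dev/null | head -n 1)
    if [ -z "$userfile" ]; then
        echo "FAIL: AuthUserFile missing in $ht"; rc=1
    elif [ ! -f "$userfile" ]; then
        echo "FAIL: AuthUserFile $userfile does not exist"; rc=1
    elif ! grep -q '^[^:][^:]*:..*' "$userfile"; then
        echo "FAIL: $userfile contains no user:hash entry"; rc=1
    fi
    return $rc
}

# Constructed sample installations (BASE/html as DocumentRoot, BASE/privatebin
# next to it), mirroring the guide's layout; all values are made up.
make_sample() {             # make_sample BASE good|bad
    base=$1; mode=$2
    mkdir -p "$base/html" "$base/privatebin"
    if [ "$mode" = good ]; then
        mkdir -p "$base/privatebin/cfg" "$base/privatebin/lib" "$base/privatebin/tpl" "$base/privatebin/vendor"
        printf "<?php\ndefine('PATH', '%s/');\n" "$base/privatebin" > "$base/html/index.php"
        # constructed htpasswd line: the hash is a placeholder, not a real digest
        echo 'sample_user:$apr1$PLACEHOLDER$notarealhash' > "$base/html/.htpasswd"
        cat > "$base/html/.htaccess" <<EOF
RewriteEngine on
AuthType Basic
AuthName "Login to PrivateBin"
AuthUserFile $base/html/.htpasswd
<LimitExcept GET>
   Require valid-user
</LimitExcept>
EOF
    else
        # cfg/ left in the DocumentRoot, PATH untouched, .htaccess never renamed
        mkdir -p "$base/html/cfg" "$base/privatebin/lib" "$base/privatebin/tpl" "$base/privatebin/vendor"
        printf "<?php\ndefine('PATH', '');\n" > "$base/html/index.php"
        : > "$base/html/.htaccess.disabled"
    fi
}

tmp=$(mktemp -d)
for v in good bad; do
    make_sample "$tmp/$v" "$v"
    echo "== $v layout =="
    ok=0
    check_layout "$tmp/$v/html" "$tmp/$v/privatebin" || ok=1
    check_readonly "$tmp/$v/html" || ok=1
    [ "$ok" -eq 0 ] && echo "all checks passed" || echo "problems found"
done
rm -rf "$tmp"
```

Against a real installation, source the file and run check_layout ~/html ~/privatebin and check_readonly ~/html. The live behaviour is then best confirmed with curl: a GET of the front page should answer 200, while a POST without credentials should answer 401 from Apache before PHP is ever reached.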

Updates

Note

Check the update feed regularly to stay informed about the latest version.

Backup your config:

[isabell@stardust ~]$ cd ~/html
[isabell@stardust html]$ cp -p .htaccess .htaccess.backup
[isabell@stardust html]$ cp -p .htpasswd .htpasswd.backup
[isabell@stardust html]$ cp -rp ~/privatebin/ ~/privatebin-backup
[isabell@stardust html]$

Then repeat the steps of the Installation chapter. Your configuration file won’t get overwritten.

Check the release notes to see whether the configuration options changed between the new cfg/conf.sample.php and your conf.php. Also compare the new .htaccess.disabled with your .htaccess to see whether further adjustments are needed.


Tested with PrivateBin 1.5.1, Uberspace 7.15.1, PHP 8.1

Written by: Nepomacs <https://github.com/Nepomacs/>, franok <https://franok.de>