Should You Share a Crypto Seed Phrase Through a One-Time Link?
10 de julio de 20267 min de lectura
Usually not. If you absolutely must, encrypt it locally first—never type the mnemonic into a website, including PrivateNote.

A cryptocurrency seed phrase is one of the most valuable secrets you will ever own. It usually cannot be reset. There is no “Forgot password.” Whoever holds it typically controls the wallet and everything in it.
That may sound odd on the blog of a company that builds encrypted one-time links. Security is not pretending every tool fits every job—it is matching the approach to what you are protecting, including our own limits.
For replaceable secrets—such as Wi‑Fi passwords, temporary credentials, MFA recovery codes, many API keys, and confidential business messages—a encrypted one-time link is an excellent solution.
Long-lived master secrets, such as cryptocurrency seed phrases, deserve a different approach.
Rule #1
Do not enter a cryptocurrency seed phrase into a website—including PrivateNote. If transmission is unavoidable, encrypt locally first and share only the ciphertext. PrivateNote is for transporting pre-encrypted data, not for typing the mnemonic.
Legitimate hardware wallet vendors do not ask you to enter your recovery phrase on a website. If a site requests your seed phrase, treat it as highly suspicious—verify authenticity before you proceed.
Avoid entering seed phrases on websites whenever possible.
Do you need to send it at all?
Before encryption, ask: does the phrase need to leave where it is? Often, no.
- Metal backup — stored in a safe or safety deposit box
- SLIP-39 — or similar schemes for inheritance or disaster recovery
- Hardware wallet transfer — when practical, instead of the recovery phrase
Every transmission adds a chance of disclosure. If you can avoid sending it, do. For other channels that also retain secrets indefinitely, see why email is the worst place for secrets.
Why seed phrases are different
A seed phrase is the root secret for an entire digital estate—not “just another password.”
Unlike most credentials, it:
- Grants full control — over assets
- Often lasts decades — without rotation
- Cannot be changed — if compromised
- Has no vendor recovery — if stolen
You are not only defending against today's attackers—you are making choices that may matter ten or twenty years from now.
Browser encryption is strong—but not magic
PrivateNote encrypts in your browser before upload. Our servers see ciphertext only; the key never reaches us. That is far better than email, chat, or cloud docs for everyday secrets—and aligns with a strict end-to-end encryption model for the note contents.
Every browser crypto app shares one constraint: plaintext must exist in the browser before encryption. Malicious JavaScript—from extensions, supply-chain compromise, injection, or a bad CDN—could theoretically read it first. That is inherent to client-side encryption in the browser, not unique to PrivateNote.
For API keys and temp passwords, that trade-off is usually fine. For a seed phrase protecting life savings, you may want to trust fewer systems.
Encrypt before the browser sees it
Encrypt locally, then upload ciphertext only:
Seed phrase
│
▼
Local encryption (age / GnuPG / OpenSSL)
│
▼
Encrypted ciphertext
│
▼
PrivateNotePrivateNote never receives the mnemonic—only encrypted data.
Local encryption does not stop malware on your machine. It keeps plaintext off web apps, cloud services, and servers that do not need it. You shrink the trusted computing base; you do not eliminate a compromised endpoint.
Which tool to use
- age (recommended for most users): simple file encryption with secure defaults — github.com/FiloSottile/age
- GnuPG: excellent if you already use OpenPGP.
- OpenSSL: trusted and powerful; low-level CLI—better for experienced users.
Minimal example (age)
# Install age (pick your platform)
# macOS: brew install age
# Windows: winget install FiloSottile.age
# Linux (apt): sudo apt install age
age --version
age -p -o seed.txt.age seed.txt # encrypt with passphrase
age -d -o seed.txt seed.txt.age # decrypt on a trusted machineNeed a strong passphrase?
Use a long, unique secret for age -p. Generate one locally in your browser—the passphrase generator on passwords.lu runs client-side; nothing is uploaded.
After seed.txt.age is verified, securely erase plaintext on the sender's device. After the recipient imports into a wallet, erase their plaintext copy too.
For regular exchange with someone, age -r (public-key mode) avoids a shared passphrase—worth learning separately.
Use separate channels
Split the encrypted file from the secret that unlocks it. You are separating the .age ciphertext from the age decryption passphrase—not sending the seed phrase mnemonic through a second channel.
- Upload the encrypted file (ciphertext) with PrivateNote
- Send the age passphrase that decrypts that file—via Signal, phone, or in person
An attacker must compromise multiple systems—not one link.
What we recommend
The split is really about replaceable versus long-lived master secrets—not the file format or channel alone.
Good fit for one-time links
Replaceable secrets you can rotate or revoke
- API keys & temporary passwords
- Wi‑Fi credentials
- MFA recovery codes
- Business messages & legal drafts
- Temporary access tokens
Encrypt locally first
Long-lived master secrets that rarely change
- Cryptocurrency seed phrases
- Hardware wallet backups
- CA private keys & signing keys
- Password manager recovery material
- High-value master secrets
For API keys specifically, see our guide on how to share an API key securely.
Match the tool to the risk
Every approach has trust assumptions—password managers, hardware wallets, offline tools, browser crypto. None is perfect; trade-offs differ. The question is whether they fit the value of what you protect.
Our philosophy
We built PrivateNote so encryption happens before data reaches our servers. For temporary, replaceable secrets, that beats email, messaging, or cloud storage. You can also send a secret without an account. Read how PrivateNote works for the full model.
For a seed phrase that could be your life savings:
- avoid transmitting when you can
- encrypt locally
- upload ciphertext only
- erase temporary plaintext
- send the age file passphrase—not the mnemonic—on a separate channel when possible
Sometimes the best advice is not “use our product.” It is “use the right tool for the job.”
Share replaceable secrets—not seed phrases—in the browser
Create an encrypted one-time note for API keys, passwords, and credentials. For seed phrases, encrypt locally with age first, then share only the ciphertext.
Try PrivateNote ->Explore PrivateNote
- Enlaces secretos de un solo uso: compartir información sensible sin dejar un registro permanente
- How to Share an API Key Securely (Without Exposing Your Secrets)
- Why Email Is the Worst Place to Send Secrets
- ¿Qué es el cifrado de extremo a extremo? Una definición criptográfica
- Cómo enviar un mensaje secreto sin crear una cuenta
- 10 secretos que nunca debes enviar por chat (y qué usar en su lugar)