Secrez is a command-line secret manager, working as an operating system. If you don't know about it, please take a look at this previous post:

Version 0.8.0 introduces the ability to exchange end-to-end, encrypted messages between local accounts.

The idea is quite simple, its implementation is a bit complicated.

How it works

The communication is possible thanks to two external components: a courier and a hub.

The courier runs on localhost.
It works as a post office. It sends and receives letters ignoring their content.

The hub must be accessible from anywhere. It is used by couriers to publish themselves and talk to other couriers. The hub does only one thing: generate SSL tunnels towards the couriers.

Any message moving around is composed of a payload and a signature. Hub and courier verify the signature and accept or reject the message, only the Secrez account can generate the payload with the encrypted message, and decrypt others' messages.

The algorithm used for the exchange is x25519-xsalsa20-poly1305 — more info at

The flow

How to chat

If you haven't yet, update Secrez to a version >= 0.8.0:

$ npm i -g secrez@latest

Install the Courier:

$ npm i -g @secrez/courier

Run the courier

$ secrez-courier

If you don't specify the hub you like to use, it will use the default hub on
If there are no issues, it will show something like:

In Secrez, execute courier. It will ask you the port where the courier is listening to. If the courier is listening, Secrez connects to the courier and take ownership of it. Now, you are ready to chat with someone. First, look at your own data running whoami. It will show something like:

You should pass your data to the other user. The easiest way is to use the short url that returns public key and hub url. The short url is not permanent for privacy reasons, but it works for a while. Instead, the url is kept until you don't force the generation of a new subdomain in the hub.

The system is not perfect yet, and sometimes the connection to the hub gets lost — some other time you have to update the contact (using contacts -u …). I am working on it. However, in most cases, just repeat the process and the courier will reset the connection.

A quick video

Your own hub

I have set up a hub on to simplify people's life. But it would be better if you use your own hub. For example, a company could set up the hub that its employees will use. The simplest way is to install the Secrez Hub on a remote server:

npm i -g @secrez/hub

and run it:


If you don't specify otherwise, it will start listening on port 8433.

A more reliable way is to use a process manager. If you clone the Secrez monorepo. You can run the script in the folder packages/hub/bin/pm2. It will use Pm2 and will keep the hub up.

Despite your  preference, you should use a proxy, like Nginx, to expose it to HTTPS. You can generate free certificates using Let's Encrypt.

If you use it in an intranet, you could create a local Authority and using it to generate the certificate. You can take a look at @secrez/tls to have an example of how to do it (the courier uses @secrez/tls to generate its own authority and certificate).

Feedback, requests, suggestions

If you have suggestions, requests, etc. please open an issue at:

You can also join the Discord group. It is very silent, right now, but hopefully, sooner or later, it will become active:

🙏 Acknowledgments

Secrez Hub is based on Localtunnel Server, which has been created by Roman Shtylman. I forked it and added some restrictions to make it suitable for Secrez (and only for it). I want to publicly thank Roman to allow the world to use his brilliant code.