Security and privacy

The pb protocol should never be used for sending confidential or private information unencrypted.

All pastes are public, given one knows their URL. A less-guessable identifier may be obtained from pbpst using the -p option, but this does not provide real security or privacy.

Content of all pastes is always available to the operator of the service, and anyone who can access its servers.

UUID is the only way to authenticate with a pb service. If one loses the UUID, there is no way to manage a paste. If an adversary gets an access to the UUID, they have full access to it.

The pb protocol doesn't allow the recipient to reliably determine who has created a paste.


Install the nodejs-gruntAUR and pb-gitAUR packages, and enable pb.service.

To configure the server, edit the /etc/uwsgi/pb.ini file.



For general usage of the command-line, see Bash and Core utilities.


The curl package is available in the base group.

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: Taken verbatim from Pastebin (Discuss in Talk:Pb#)
You can access the, and pastebins using curl. For example pipe the output of a command to ptpb:
command | curl -F c=@- 
or upload a file (including images):
curl -F c=@- < file


Note: Default, pb instance can be configured

Install the pbpst package, or pbpst-gitAUR for the development version.

  • man pbpst
  • man pbpst_db

Pastes are created with -S, taking data from standard input by default. As such, shell pipes, here documents or here strings may be used. For example, to paste the output of the PRIMARY (selection) clipboard:

$ xclip -o | pbpst -S
Note: When taking standard input from a terminal, press Ctrl+D twice to process the data. [1]

A file can be uploaded with -Sf:

$ pbpst -Sf foo.txt

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Note how pbpst has "quiet" output by default, unlike the curl approach. This is however configurable (Discuss in Talk:Pb#)

For all of the commands above a response is received that contains an URL:

$ echo 'ArchLinux: livin’ on the edge!' | pbpst -S

In this example, is the URL at which the paste is available.

Managing pastes

To manage a paste, one needs its UUID. These are stored in a local database located in $XDG_CONFIG_HOME/pbpst/db.json. Since it's inconvenient to manually search through the database, a descriptive message may be attached to a paste and then searched for from command line. The example below creates a paste containing a random text and then deletes it (-R option):

$ thePaste="$(cat /dev/urandom | tr -cd [:print:] | head -c 32)"
$ echo "$thePaste"

$ echo "$thePaste" | pbpst -S -m 'A random test message'

$ curl ''

$ pbpst -Dq test
deadbeef-dead-beef-dead-000000000000	A random test message	N/A

$ pbpst -Ru deadbeef-dead-beef-dead-000000000000
Paste deleted

$ curl ''
status: not found

$ pbpst -Dq test

Note that the paste is also removed from the local database, so -Dq can't find it.

One can't manage pastes for which one doesn't have UUID - this includes pastes that are, upon creation, matching already existing ones.

Tip: Finding pastes for a given URL

Currently pbpst can't search for pastes using their URL directly. However, the identifier from an address may be used to search the database. For an URL in form, the bold part (RAs8) is the identifier. It may be passed to -Dq to find matching entries:

$ pbpst -Dq RAs8
3bac4f7b-79dd-4eb4-b0d0-42b72f1c681e	-	N/A


By default pastes are created with no expiration time. They'll last as long as the service's operator let them. -x option may be used to set the number of seconds after which a paste should be removed:

$ thePaste="$(cat /dev/urandom | tr -cd [:print:] | head -c 32)"
$ echo "$thePaste"

$ echo "$thePaste" | pbpst -S -m 'A test message that expires after 60s' -x 60

$ date; curl ''
Tue Apr 12 19:11:41 CEST 2016

$ date; curl ''
Tue Apr 12 19:13:06 CEST 2016
status: not found

The expired pastes, while no longer available from the remote service, are still listed in the local database:

$ pbpst -Dq expires
deadbeef-dead-beef-dead-1111111111	A test message that expires after 60s	1460481140

To prune them -Dy should be used:

$ pbpst -Dy
$ pbpst -Dq expires

Shortening URLs

The -s option (lowercase -s) is used to create short URLs:

$ pbpst -s ''

Signing pastes using GnuPG

Tango-edit-cut.pngThis section is being considered for removal.Tango-edit-cut.png

Reason: Duplicate of GnuPG (Discuss in Talk:Pb#)

Details on setting up and using GnuPG are available on the relevant Wiki page.

Clearsigning the output of a command:

$ command | gpg2 --clearsign | pbpst -S
gpg: using "FFFFFFFF" as default secret key for signing

$ curl ''
Hash: SHA256

A signed message
Version: GnuPG v2


Since gpg2 allows one to input the message to be signed, the following command may be used to manually type data to be sent:

$ gpg2 --clearsign | pbpst -S

The drawback of using clearsigning is that the process is destructive: GnuPG includes no tool for removing the signature, and the signing may change end-of-line characters. An alternative approach is to use --sign --armour

$ command | gpg2 --sign --armour | pbpst -S


$ gpg2 --sign --armour | pbpst -S

The signature may then be verified and removed in one step with --decrypt:

$ echo 'A signed message' | gpg2 --sign --armour | pbpst -S
gpg: using "FFFFFFFF" as default secret key for signing

$ curl '' | gpg2 --decrypt
A signed message
gpg: Signature made Wed 13 Apr 2016 04:02:57 AM CEST using RSA key ID FFFFFFFF
gpg: Good signature from "-"