Transio: Cloud‑Native Security Showcase

End‑to‑end encrypted secrets with one‑time, self‑destructing links

Transio is a production‑grade app for sharing sensitive text without leaving a forensic trail. Users create encrypted notes, get a single‑use URL, and—boom—once it’s viewed, the secret is wiped forever.

This project is a live demo of cloud‑native security best practices and defense‑in‑depth on Azure Kubernetes Service (AKS).

👀 See it live! → transio.tiagonunes.cloud

✨ Key Features

🔐 End‑to‑End Encryption

True E2EE: secrets are encrypted in the browser with a key derived from the user’s passphrase. No passphrase? Data still rests under a Fernet key stored in Azure Key Vault—never in code.

🔗 One‑Time Links

Each link works exactly once. After retrieval, the record is securely deleted.

💥 Auto‑Destruct

Unopened secrets expire after a TTL you set; opened secrets vanish instantly.

🛡️ Hardened Infrastructure

AKS with RBAC, network policies, workload identity, and locked‑down pipelines.

🔍 Health Monitoring

Readiness and liveness probes and a /healthz endpoint for zero‑downtime rollouts.

🧪 Battle‑Tested

85% code coverage, 99 green tests, OWASP Top 10 checks baked in.

🚀 Quick Start

Prerequisites

  • Azure subscription (Owner / Contributor on target RG)
  • Docker + kubectl + Helm 3
  • Azure CLI & Bicep

1. AKS Deployment

# Prereqs: Azure CLI, kubectl, Helm
git clone https://github.com/tiagonunes1491/Transio-Secrets.git
cd Transio-Secrets       # git clone names the directory after the repository
./scripts/build_k8s.sh   # Provision infra & deploy to AKS

2. Serverless Deployment (SWA + Container Apps)

# Prereq: Azure CLI
git clone https://github.com/tiagonunes1491/Transio-Secrets.git
cd Transio-Secrets           # git clone names the directory after the repository
./scripts/build_swa-aca.sh   # Deploy front‑end to SWA, back‑end to Container Apps

Local Development

# Start all services with Docker Compose
cd deploy/compose
docker-compose up -d

# View logs (optional)
docker-compose logs -f

# Stop services when done
docker-compose down

🎬 Demo Workflow

  1. Create Secret – write your message (optional passphrase).
  2. Generate Link – get a unique one‑time URL.
  3. Share – send it via your weapon of choice (Slack, smoke signal, etc.).
  4. View & Vaporise – recipient reads it; Transio erases it.
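
The one‑time and auto‑destruct behaviour in the workflow above only holds if "read" and "delete" are a single atomic step; otherwise two near-simultaneous requests for the same link can both receive the secret. The sketch below is an added example, not Transio's own code: `OneTimeStore`, `race` and the in-memory dictionary are hypothetical stand-ins for the Flask backend and its Cosmos DB container, and the stored bytes are assumed to be ciphertext that was already encrypted upstream.

```python
import secrets
import threading
import time


class OneTimeStore:
    """Hypothetical in-memory store: each blob is readable once, before its TTL."""

    def __init__(self, clock=time.monotonic):
        self._items = {}               # link_id -> (expires_at, ciphertext)
        self._lock = threading.Lock()
        self._clock = clock            # injectable so expiry can be tested

    def put(self, ciphertext: bytes, ttl_seconds: float) -> str:
        link_id = secrets.token_urlsafe(32)   # 256 bits of randomness in the URL
        with self._lock:
            self._items[link_id] = (self._clock() + ttl_seconds, ciphertext)
        return link_id

    def consume(self, link_id: str):
        # Lookup and delete are one pop() under the lock, so concurrent requests
        # cannot both get the secret. Unknown, used and expired links all return
        # None, which gives a caller nothing to distinguish them by.
        with self._lock:
            entry = self._items.pop(link_id, None)
        if entry is None:
            return None
        expires_at, ciphertext = entry
        return ciphertext if self._clock() < expires_at else None

    def purge_expired(self) -> int:
        """Drop unopened secrets whose TTL has passed; return how many."""
        now = self._clock()
        with self._lock:
            dead = [k for k, (exp, _) in self._items.items() if exp <= now]
            for k in dead:
                del self._items[k]
        return len(dead)


def race(store: OneTimeStore, link_id: str, readers: int = 8) -> int:
    """Fire concurrent reads at one link; return how many received the secret."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(store.consume(link_id)))
               for _ in range(readers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)
```

With a real database the same property has to come from the datastore itself (a conditional or atomic delete-and-return), not from a separate read followed by a delete.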

🎯 Project Goals

  • Prove Security Chops – real‑world cloud security in a live AKS cluster.
  • Production‑Ready – multi‑container app with enterprise controls.
  • Best Practices – defense‑in‑depth, IaC, and identity‑first design.
  • Portfolio Magnet – show why I’m the Cloud Security Engineer you need.

🛠️ Tech Stack

| Layer | Technology | Why |
|---|---|---|
| Frontend | HTML / JS / CSS + Nginx | Lightweight, hardened container |
| Backend | Python (Flask) | Encryption API & secret logic |
| DB | Cosmos DB | NoSQL with TTL + global replicas |
| Orchestration | AKS | Secure, scalable containers |
| Secrets | Azure Key Vault | HSM‑backed key storage |
| Registry | Azure Container Registry | Image scanning & CI/CD hooks |
| Ingress | App Gateway + AGIC | L7 WAF & TLS termination |
| Identity | Azure Workload Identity | Pod‑managed, key‑less auth |

🚀 Next Steps


Built by Tiago Nunes – Cloud Security Engineer