Data is encrypted and decrypted in the browser using 256bit AES. As a server administrator you don't have to worry if your users post content that is considered illegal in your country. You have no knowledge of any of the pastes content. If requested or enforced, you can delete any paste from your system.
All data you paste through PrivatePaste is encrypted with AES256, which is borderline impossible to crack by bruteforcing. Check the following link to get a better idea. In short, exhausting half of the AES256 keyspace using resources we don’t yet have would take more time than the age of our beloved Universe.
Encryption is done solely on the client side, using an open-source JavaScript encryption library. When you submit a paste, generates a random encryption key and encrypts pasted data with AES256 using that key. Then, it send the cipher to the server and redirects you to the paste page and appends the key to the URL, after the # symbol. Since everything is done on the client side, your data is only transmitted to the server in encrypted form (pure cipher), meaning both the original data you’ve pasted, and the generated key are completely private. The server only stores cipher data. So, reading or decrypting your data is completely impossible on server side, since there is no way to find out the key. This grants PrivatePaste plausible deniability (in theory), since you can’t moderate data you can’t read or decrypt.
Information provided by visitor browser (including the IP address) is never stored on the server. All server logs can be configured to go directly to /dev/null. Take a look at the following snippet from the nginx configuration file you can use:
Robots.txt disallows search engine crawlers to crawl and index pastes. Of course, this guarantees nothing since most of them ignore robots.txt anyway. It's only accessible through SSL. (thanks for the feedback, reddit)
No metadata is stored when you submit a paste (including timestamps).
PrivatePste has no tracking JavaScript code from Google and/or other services. Also, it has no ads that could track you.
Robots.txt disallows search engine crawlers to crawl and index pastes. Of course, this guarantees nothing since most of them ignore robots.txt anyway.
Make it only accessible through SSL.
Now, this is the main question. Is this service completely safe? Since all of the encryption is done by a JavaScript library, modifying the library from the outside can weaken or annul the encryption (like in MITM attacks). JavaScript is not safe, period. But, it’s a lot safer then transmitting raw data or keys to the server, nonetheless.
PrivatePaste does not, in any way, guarantee complete privacy and absolutely unbreakable encryption (as stated in Safety paragraph) while using the service. But, it tries to achieve the best possible privacy by using best practices.
