ipfs-wormhole
Get things from one computer to another, safely. Over IPFS (which is not even required to receive files thanks to IPFS gateways).
Inspired by magic-wormhole and dat-cp. Initially published here.
Usage
Send a file or a directory
On machine A:
ipfs-wormhole.sh send <file or directory>
Will encrypt and add the file (or the directory as a compressed tarball) to
IPFS, and output a tag
. This tag
contains everything the recipient needs to
retrieve, decrypt and save the file. If xclip
is installed, this tag
will be
copied to the clipboard.
Receive a file or a directory (as a compressed tarball)
On machine B:
ipfs-wormhole.sh receive <tag>
Will retrieve the file over IPFS if IPFS is installed and running, or if it's not, over HTTPS thanks to IPFS gateways, decrypt it and save it locally.
Check dependencies
ipfs-wormhole.sh checkdeps
Update from the github repo
ipfs-wormhole.sh update
Parameters
The default behavior/settings can be modified by environment variables.
Password length (sender only)
IWPASSWORDLENGTH=<int>
can be used to set the length of the temporary password
used by the symmetric encryption (default: 40
).
e.g.: IWPASSWORDLENGTH=50 ipfs-wormhole.sh send FILE
will use a longer
password to encrypt FILE.
Note: Temporary passwords are limited to alphanumeric characters to be easily
added to the gpg
command line and to the tag
.
Asymmetric (key-based) encryption (sender only)
IWIPFSENCRYPTION=<symmetric|asymmetric|no>
can be used :
- to replace the default symmetric encryption by
gpg
's key-based asymmetric encryption. This removes the need for a secure side channel to send thetag
, as the encrypted content can only be decrypted by the private key of the recipient(s) (a password still appear in thetag
, but is useless). This is the most secure mode but is less easy to use than the symmetric encryption mode, that's why the latter is the default. E.g.:IWKEYBASEDENCRYPTION=asymmetric ipfs-wormhole.sh send FILE
, the usualgpg
prompt will ask you to choose the public key(s) of the recipient(s). Note: No specific configuration is required on the client side, asgpg
is smart enough to ask for your passphrase if necessary. - to disable encryption completely. In this case, a direct link to the IPFS gateway (see below) will be printed and copied to the clipboard. The file/directory tarball can be retrieved from any browser, as the cost of encryption, ala transfer.sh.
Fallback IPFS gateway (recipient only)
IWIPFSGATEWAY=<url>
can be used to set the fallback IPFS gateway, if the
recipient's machine does not have ipfs daemon
running (default: Cloudflare's
gateway).
e.g.: IWIPFSGATEWAY=https://gateway.ipfs.io/ipfs ipfs-wormhole.sh receive TAG
will retrieve the encrypted file through the official IPFS gateway if the IPFS
daemon is not running.
How it works
Your data is encrypted on the sender's machine, using gpg
and its default
symmetric cipher (which depends on your specific gpg
configuration), with a
temporary random password generated by /dev/urandom
. Asymmetric (key-based)
encryption is also supported, see 'Parameters' for details.
Once encrypted, your data is made available to others from your machine using IPFS.
The temporary password (as well as the base64 encrypted file name, for that
matter) is concatenated to the IPFS hash in a tag
, which consequently has to
be transmitted over a secure channel to the recipient's machine (e.g. ssh
).
On the recipient's machine, the encrypted data is retrieved:
- from IPFS if IPFS is running
- over HTTPS from an IPFS gateway if IPFS it not running (or not installed)
The encrypted data is subsequently decrypted on the recipient's machine with the password (extracted from the tag), and saved with the proper file name (also extracted from the tag). When the asymmetric (key-based) encryption is used, the private key of the recipient will be used to decrypt the file.
Confidentiality is not an issue as long as you trust gpg
and /dev/urandom
.
FAQ
Who owns my data once I use ipfs-wormhole?
TL;DR No one. ipfs-wormhole
is end-to-end encrypted with gpg
. See above for
more details.
Where does it store my data?
Your data are provided by the sender's machine and routed to the recipient's machine over IPFS.