Get things from one computer to another, safely. Over IPFS (which is not even required to receive files thanks to IPFS gateways).
Send a file or a directory
On machine A:
ipfs-wormhole.sh send <file or directory>
Will encrypt and add the file (or the directory as a compressed tarball) to IPFS, and output a tag that contains everything the recipient needs to retrieve, decrypt and save the file. If xclip is installed, this tag will be copied to the clipboard.
Receive a file or a directory (as a compressed tarball)
On machine B:
ipfs-wormhole.sh receive <tag>
Will retrieve the file over IPFS if IPFS is installed and running, or if it's not, over HTTPS thanks to IPFS gateways, decrypt it and save it locally.
Update from the GitHub repo
The default behavior/settings can be modified by environment variables.
Password length (sender only)
IWPASSWORDLENGTH=<int> can be used to set the length of the temporary password used by the symmetric encryption (default:
IWPASSWORDLENGTH=50 ipfs-wormhole.sh send FILE will use a longer password to encrypt FILE.
Note: Temporary passwords are limited to alphanumeric characters to be easily added to the gpg command line and to the
Asymmetric (key-based) encryption (sender only)
IWIPFSENCRYPTION=<symmetric|asymmetric|no> can be used:
- to replace the default symmetric encryption by gpg's key-based asymmetric encryption. This removes the need for a secure side channel to send the tag, as the encrypted content can only be decrypted by the private key of the recipient(s) (a password still appears in the tag, but is useless). This is the most secure mode but is less easy to use than the symmetric encryption mode, which is why the latter is the default. E.g. with IWKEYBASEDENCRYPTION=asymmetric ipfs-wormhole.sh send FILE, the usual gpg prompt will ask you to choose the public key(s) of the recipient(s). Note: No specific configuration is required on the client side, as gpg is smart enough to ask for your passphrase if necessary.
- to disable encryption completely. In this case, a direct link to the IPFS gateway (see below) will be printed and copied to the clipboard. The file/directory tarball can be retrieved from any browser, at the cost of encryption, à la transfer.sh.
Fallback IPFS gateway (recipient only)
IWIPFSGATEWAY=<url> can be used to set the fallback IPFS gateway, if the recipient's machine does not have the ipfs daemon running (default: Cloudflare's
IWIPFSGATEWAY=https://gateway.ipfs.io/ipfs ipfs-wormhole.sh receive TAG will retrieve the encrypted file through the official IPFS gateway if the IPFS daemon is not running.
How it works
Your data is encrypted on the sender's machine, using gpg and its default symmetric cipher (which depends on your specific gpg configuration), with a temporary random password generated by /dev/urandom. Asymmetric (key-based) encryption is also supported, see 'Parameters' for details.
Once encrypted, your data is made available to others from your machine using IPFS.
The temporary password (as well as the base64 encrypted file name, for that matter) is concatenated to the IPFS hash in a tag, which consequently has to be transmitted over a secure channel to the recipient's machine (e.g.
On the recipient's machine, the encrypted data is retrieved:
- from IPFS if IPFS is running
- over HTTPS from an IPFS gateway if IPFS is not running (or not installed)
The encrypted data is subsequently decrypted on the recipient's machine with the password (extracted from the tag), and saved with the proper file name (also extracted from the tag). When the asymmetric (key-based) encryption is used, the private key of the recipient will be used to decrypt the file.
Confidentiality is not an issue as long as you trust
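The tag round trip described above, as an added example that is not ipfs-wormhole's own code. The ':'-separated tag layout, the function names and the sample hash are assumptions; the receiving side validates every field and reduces the sender-supplied file name to its last path component before anything is written to disk.

```shell
#!/bin/sh
# Added illustration, not ipfs-wormhole's code. Assumed tag layout:
#   <ipfs-hash>:<password>:<base64 file name>

# Alphanumeric password of length $1 drawn from /dev/urandom.
# 4096 random bytes yield roughly 990 usable characters, enough for $1 <= 256.
gen_password() {
    dd if=/dev/urandom bs=4096 count=1 2>/dev/null |
        LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-$1"
}

# Entropy in bits of an alphanumeric password of length $1: $1 * log2(62).
password_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'
}

# Sender side: $1 = IPFS hash, $2 = password, $3 = file name.
build_tag() {
    printf '%s:%s:%s\n' "$1" "$2" "$(printf '%s' "$3" | base64 | tr -d '\n')"
}

# Recipient side: split and validate a tag before using any field.
# Sets TAG_HASH, TAG_PASSWORD, TAG_NAME; returns 1 on a malformed tag.
parse_tag() {
    case $1 in
        *:*:*:*) return 1 ;;   # too many fields
        *:*:*) ;;
        *) return 1 ;;         # too few fields
    esac
    TAG_HASH=${1%%:*}
    _rest=${1#*:}
    TAG_PASSWORD=${_rest%%:*}
    [ -n "$TAG_HASH" ] && [ -n "$TAG_PASSWORD" ] || return 1
    # Hash and password are alphanumeric by construction; reject anything
    # else so both are safe to hand to later commands.
    case $TAG_HASH$TAG_PASSWORD in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    _name=$(printf '%s' "${_rest#*:}" | base64 -d 2>/dev/null) || return 1
    # The name comes from the sender: keep only its last path component.
    TAG_NAME=$(basename -- "$_name")
    case $TAG_NAME in
        ''|.|..|/) return 1 ;;
    esac
}

# Demo with a constructed (not real) hash and file name.
if parse_tag "$(build_tag QmConstructedExampleHash "$(gen_password 50)" ../outside/report.pdf)"; then
    echo "fetch $TAG_HASH, save as $TAG_NAME ($(password_bits 50)-bit password)"
fi
```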
Who owns my data once I use ipfs-wormhole?
TL;DR No one.
ipfs-wormhole is end-to-end encrypted with gpg. See above for
Where does it store my data?
Your data are provided by the sender's machine and routed to the recipient's machine over IPFS.