Get things from one computer to another, safely. Over IPFS (which not even required to receive those things).
Switch branches/tags
Nothing to show
Clone or download
aurelg Added support for a mode, requiring only a browser o…
…n the recipient's side, at the cost of encryption
Latest commit 1d83b56 Nov 27, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Nov 21, 2018 Added support for a mode, requiring only a browser o… Nov 27, 2018 Added support for a mode, requiring only a browser o… Nov 27, 2018


Get things from one computer to another, safely. Over IPFS (which is not even required to receive files thanks to IPFS gateways).

Inspired by magic-wormhole and dat-cp. Initially published here.


Send a file or a directory

On machine A: send <file or directory>

Will encrypt and add the file (or the directory as a compressed tarball) to IPFS, and output a tag. This tag contains everything the recipient needs to retrieve, decrypt and save the file. If xclip is installed, this tag will be copied to the clipboard.

Receive a file or a directory (as a compressed tarball)

On machine B: receive <tag>

Will retrieve the file over IPFS if IPFS is installed and running, or if it's not, over HTTPS thanks to IPFS gateways, decrypt it and save it locally.

Check dependencies checkdeps

Update from the github repo update


The default behavior/settings can be modified by environment variables.

Password length (sender only)

IWPASSWORDLENGTH=<int> can be used to set the length of the temporary password used by the symmetric encryption (default: 40).

e.g.: IWPASSWORDLENGTH=50 send FILE will use a longer password to encrypt FILE.

Note: Temporary passwords are limited to alphanumeric characters to be easily added to the gpg command line and to the tag.

Asymmetric (key-based) encryption (sender only)

IWIPFSENCRYPTION=<symmetric|asymmetric|no> can be used :

  • to replace the default symmetric encryption by gpg's key-based asymmetric encryption. This removes the need for a secure side channel to send the tag, as the encrypted content can only be decrypted by the private key of the recipient(s) (a password still appear in the tag, but is useless). This is the most secure mode but is less easy to use than the symmetric encryption mode, that's why the latter is the default. E.g.: IWKEYBASEDENCRYPTION=asymmetric send FILE, the usual gpg prompt will ask you to choose the public key(s) of the recipient(s). Note: No specific configuration is required on the client side, as gpg is smart enough to ask for your passphrase if necessary.
  • to disable encryption completely. In this case, a direct link to the IPFS gateway (see below) will be printed and copied to the clipboard. The file/directory tarball can be retrieved from any browser, as the cost of encryption, ala

Fallback IPFS gateway (recipient only)

IWIPFSGATEWAY=<url> can be used to set the fallback IPFS gateway, if the recipient's machine does not have ipfs daemon running (default: Cloudflare's gateway).

e.g.: IWIPFSGATEWAY= receive TAG will retrieve the encrypted file through the official IPFS gateway if the IPFS daemon is not running.

How it works

Your data is encrypted on the sender's machine, using gpg and its default symmetric cipher (which depends on your specific gpg configuration), with a temporary random password generated by /dev/urandom. Asymmetric (key-based) encryption is also supported, see 'Parameters' for details.

Once encrypted, your data is made available to others from your machine using IPFS.

The temporary password (as well as the base64 encrypted file name, for that matter) is concatenated to the IPFS hash in a tag, which consequently has to be transmitted over a secure channel to the recipient's machine (e.g. ssh).

On the recipient's machine, the encrypted data is retrieved:

  • from IPFS if IPFS is running
  • over HTTPS from an IPFS gateway if IPFS it not running (or not installed)

The encrypted data is subsequently decrypted on the recipient's machine with the password (extracted from the tag), and saved with the proper file name (also extracted from the tag). When the asymmetric (key-based) encryption is used, the private key of the recipient will be used to decrypt the file.

Confidentiality is not an issue as long as you trust gpg and /dev/urandom.


Who owns my data once I use ipfs-wormhole?

TL;DR No one. ipfs-wormhole is end-to-end encrypted with gpg. See above for more details.

Where does it store my data?

Your data are provided by the sender's machine and routed to the recipient's machine over IPFS.