Get things from one computer to another, safely. Over IPFS (which is not even required to receive files thanks to IPFS gateways).
Inspired by magic-wormhole and dat-cp. Initially published here.
On machine A:
ipfs-wormhole.sh send <file or directory>
Will encrypt and add the file (or the directory as a compressed tarball) to IPFS, and output a tag. This tag contains everything the recipient needs to retrieve, decrypt and save the file. If xclip is installed, this tag will be copied to the clipboard.
On machine B:
ipfs-wormhole.sh receive <tag>
Will retrieve the file over IPFS if IPFS is installed and running, or if it's not, over HTTPS thanks to IPFS gateways, decrypt it and save it locally.
ipfs-wormhole.sh checkdeps
ipfs-wormhole.sh update
The default behavior/settings can be modified by environment variables.
IWPASSWORDLENGTH=<int>
can be used to set the length of the temporary password used by the symmetric encryption (default: 40).
e.g.: IWPASSWORDLENGTH=50 ipfs-wormhole.sh send FILE
will use a longer password to encrypt FILE.
Note: Temporary passwords are limited to alphanumeric characters so that they can be easily added to the gpg command line and to the tag.
IWIPFSENCRYPTION=<symmetric|asymmetric|no>
can be used:
- to replace the default symmetric encryption by gpg's key-based asymmetric encryption. This removes the need for a secure side channel to send the tag, as the encrypted content can only be decrypted by the private key of the recipient(s) (a password still appears in the tag, but is useless). This is the most secure mode but is less easy to use than the symmetric encryption mode, which is why the latter is the default. E.g.: IWKEYBASEDENCRYPTION=asymmetric ipfs-wormhole.sh send FILE
; the usual gpg prompt will ask you to choose the public key(s) of the recipient(s). Note: No specific configuration is required on the client side, as gpg is smart enough to ask for your passphrase if necessary.
- to disable encryption completely. In this case, a direct link to the IPFS gateway (see below) will be printed and copied to the clipboard. The file/directory tarball can then be retrieved from any browser, at the cost of losing encryption, à la transfer.sh.
IWIPFSGATEWAY=<url>
can be used to set the fallback IPFS gateway, used if the recipient's machine does not have the ipfs daemon running (default: Cloudflare's gateway).
e.g.: IWIPFSGATEWAY=https://gateway.ipfs.io/ipfs ipfs-wormhole.sh receive TAG
will retrieve the encrypted file through the official IPFS gateway if the IPFS daemon is not running.
Your data is encrypted on the sender's machine, using gpg and its default symmetric cipher (which depends on your specific gpg configuration), with a temporary random password generated from /dev/urandom. Asymmetric (key-based) encryption is also supported; see 'Parameters' for details.
Once encrypted, your data is made available to others from your machine using IPFS.
The temporary password (as well as the base64-encoded file name, for that matter) is concatenated to the IPFS hash in a tag, which consequently has to be transmitted over a secure channel to the recipient's machine (e.g. ssh).
On the recipient's machine, the encrypted data is retrieved:
- from IPFS if IPFS is running
- over HTTPS from an IPFS gateway if IPFS is not running (or not installed)
The encrypted data is subsequently decrypted on the recipient's machine with the password (extracted from the tag), and saved with the proper file name (also extracted from the tag). When asymmetric (key-based) encryption is used, the recipient's private key is used to decrypt the file.
Confidentiality is not an issue as long as you trust gpg and /dev/urandom.
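The receive-side mechanics described above (alphanumeric temporary password, the tag that carries hash, password and file name, daemon-or-gateway retrieval, gpg decryption), as an added illustration that is not the project's ipfs-wormhole.sh. The tag layout "<ipfs-hash>-<password>-<base64 filename>", the gateway default and the liveness check via `ipfs swarm peers` are this example's own assumptions.

```shell
#!/bin/sh
# Added illustration of the mechanics described above; this is NOT the project's
# ipfs-wormhole.sh. Assumptions: the tag layout "<ipfs-hash>-<password>-<base64
# filename>" is hypothetical (the script's real layout may differ), and the
# running-daemon check via `ipfs swarm peers` is this example's own choice.
set -eu

IWPASSWORDLENGTH="${IWPASSWORDLENGTH:-40}"
IWIPFSGATEWAY="${IWIPFSGATEWAY:-https://gateway.ipfs.io/ipfs}"   # fallback gateway

# Temporary password from /dev/urandom, alphanumeric only so it can sit on the
# gpg command line and inside the tag without quoting. Reading a fixed chunk
# (16 bytes per wanted character) and trimming with cut avoids a SIGPIPE to tr.
gen_password() {
  head -c $(( $1 * 16 )) /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$1"
}

# Pack hash, password and base64(filename) into one tag. '-' is a safe separator:
# base58 hashes, alphanumeric passwords and base64 output never contain it.
make_tag() {
  printf '%s-%s-%s' "$1" "$2" "$(printf '%s' "$3" | base64 | tr -d '\n')"
}
tag_hash()     { printf '%s' "$1" | cut -d- -f1; }
tag_password() { printf '%s' "$1" | cut -d- -f2; }
tag_filename() { printf '%s' "$1" | cut -d- -f3- | base64 -d; }

# Fetch the encrypted blob: from the local daemon if one is online, otherwise
# over HTTPS from the gateway (no IPFS install needed on the receiving side).
fetch_encrypted() {  # <ipfs-hash> <output-path>
  if command -v ipfs >/dev/null 2>&1 && ipfs swarm peers >/dev/null 2>&1; then
    ipfs cat "$1" > "$2"
  else
    curl -fsSL "$IWIPFSGATEWAY/$1" -o "$2"
  fi
}

# Receive: everything needed (hash, secret, name) comes out of the tag, which is
# why the tag itself must travel over a secure channel in symmetric mode.
receive() {  # <tag>
  tag="$1"; blob="$(mktemp)"
  fetch_encrypted "$(tag_hash "$tag")" "$blob"
  gpg --batch --yes --pinentry-mode loopback --passphrase "$(tag_password "$tag")" \
      --decrypt "$blob" > "$(tag_filename "$tag")"
  rm -f "$blob"
}
```

Sourcing the file and calling `receive "$TAG"` exercises the full path; the network and gpg steps are only reached when a real hash is supplied.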
TL;DR: No one. ipfs-wormhole is end-to-end encrypted with gpg. See above for more details.
Your data is served from the sender's machine and routed to the recipient's machine over IPFS.