How To Securely Transfer a File To Someone Using The Onion Protocol

There are LOTS of file transfer possibilities these days, ranging from the lowly and limited email address to bigger and better solutions such as WeTransfer, Firefox Send, and various cloud storage platforms.

But the drawback for using any of these methods is that you have to rely on someone else’s server to pass the file from A to B. And if that server has a copy of your file, even if for only a minute or two, it can be subpoenaed by law enforcement, scanned for advertising purposes, and much more.

This is why if you need to send a file to someone secretly (say, if you are a whistleblower talking to the media), it is best to use a method which does not involve any third-party servers. For that, we turn to OnionShare.

Effortlessly Transfer a File From A & B With OnionShare

OnionShare is a free open-source tool, based on the Tor Browser. The Tor Browser is a heavily encrypted browser which relies on virtual private networks (otherwise known as “relays”) to mask your actual geographical location.

OnionShare works alongside Tor in the sense that the recipient MUST use Tor to be able to download the files you send them. This is because the files are encrypted with the Onion protocol which is only readable by Tor and no other browser.

The files remain solely on your computer and, once a unique web server is started on your computer, OnionShare generates an encrypted Onion address which the recipient enters into Tor at their end. This gives them a download link to get the files.

But your OnionShare must remain open for the files to be available. If you close OnionShare, the files are then unreachable by the other person. If you try to send them again, a new Onion address is generated. There is an option to stop this from happening.

Before you start transferring any files, download OnionShare. Plus, make sure your file’s recipient has the Tor Browser to be able to download everything at their end. You don’t need Tor to send files as Tor is already built into OnionShare.

Starting OnionShare Up

When you open up OnionShare, this is what you will see.

The “Share Files” is the area where you would send the files to the other person. “Receive Files” is when you can generate a one-off encrypted Onion link for the person to send files back.

But let’s stick with sending files for now. Click “Add Files” or “Add Folder” and navigate to what you want to send. Alternatively, drag the files or folders into the OnionShare window using your mouse or trackpad.

When all of the files have been added, click “Start Sharing”.

This immediately generates your encrypted Onion download link.

As you can see, the link has two words at the end – “grinning-overdrive”. According to OnionShare’s Wiki, OnionShare randomly chooses two words from a 6,800-strong list, and adds them onto the end of the link to make the download URL impossible to guess. As if it wasn’t already impossible enough!
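To put a number on what the two-word slug contributes, here is an added example (not OnionShare's own code, and not from the original article) that picks a slug with a CSPRNG, checks a presented slug in constant time, and computes the size of the guess space. The word list is a constructed stand-in and all function names are hypothetical.

```python
import hmac
import math
import secrets

# Constructed stand-in for the 6,800-word list the article mentions;
# the real list's contents are not on the page.
WORDLIST = [f"word{i:04d}" for i in range(6800)]


def make_slug(wordlist=WORDLIST, words=2):
    """Pick `words` entries with a CSPRNG and join them with hyphens."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def slug_space(wordlist_size=6800, words=2):
    """Return (number of possible slugs, equivalent entropy in bits)."""
    total = wordlist_size ** words
    return total, math.log2(total)


def expected_guesses(wordlist_size=6800, words=2):
    """Average tries to hit one fixed slug when guessing without repeats."""
    total, _ = slug_space(wordlist_size, words)
    return (total + 1) / 2


def slug_matches(presented, expected):
    """Constant-time comparison, so timing does not reveal a partial match."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    slug = make_slug()
    total, bits = slug_space()
    print(f"example slug : {slug}")
    print(f"guess space  : {total:,} slugs (~{bits:.1f} bits)")
    print(f"avg. guesses : {expected_guesses():,.1f}")
    print(f"right slug   : {slug_matches(slug, slug)}")
    print(f"wrong slug   : {slug_matches('not-theslug', slug)}")
```

Two words from 6,800 give 46,240,000 combinations, roughly 25 bits, so the slug is an extra layer on top of the Onion address rather than the main secret, which is why the link as a whole has to be passed over a trusted channel.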

Now you need to communicate that encrypted download link to the other person, and this (even by OnionShare’s admission) is one of the very few weak parts of the chain.

How you communicate this link to the other person will determine if an undesirable third-party gets their hands on the file. I strongly recommend you use Signal for communicating and I will be discussing Signal in my next article.

When the other person gets the link and enters it into their Tor browser, they will see this:

They then just have to click “Download Files” to get what you sent them.

Receiving Files Back

If it is necessary for them to send a file back, you can set up a one-time encrypted link to receive that file.

To do so, click over to the “Receive Files” tab and click “Start Receive Mode”. As it says though, only do this if you absolutely trust the other person.

Then similar to when you were sending files, another Onion address will be made with the random two word slug on the end.

Send the person that link (again, Signal would be best) and when they enter the link into Tor, they will see this.

They can then upload files and they will appear at your end with a browser notification.

Interestingly though you cannot approve the files first – they just download immediately. So again, only do this with people you know are not going to send you malware or any other nasty critters.