Gab ccc6115f91
Update main.go
2026-02-04 05:12:58 +01:00
.github/workflows Refactor Docker workflow for GitHub Actions 2026-02-04 04:30:51 +01:00
static Change greeting from 'Hello World' to 'Goodbye World' 2026-01-03 04:05:02 +01:00
docker-compose.yml Harden docker-compose configuration for Vapordrop 2026-02-04 04:28:58 +01:00
Dockerfile Refactor Dockerfile for multi-stage build and dependencies 2026-02-04 05:09:01 +01:00
go.mod Upgrade Go to 1.22 and update dependencies 2026-02-04 05:10:30 +01:00
LICENSE Initial commit 2026-01-03 03:54:31 +01:00
main.go Update main.go 2026-02-04 05:12:58 +01:00
README.md Update repository link and modify closing statement 2026-01-03 04:10:04 +01:00

VaporDrop

Ephemeral encrypted messaging over Tor. Zero logs. RAM only. Non-NIST cryptography.

 _   _                       ____                  
| | | | __ _ _ __   ___  _ _|  _ \ _ __ ___  _ __  
| | | |/ _` | '_ \ / _ \| '_| | | | '__/ _ \| '_ \ 
| |_| | (_| | |_) | (_) | | | |_| | | | (_) | |_) |
 \___/ \__,_| .__/ \___/|_| |____/|_|  \___/| .__/ 
            |_|                             |_|    

Features

  • Brain Key Login - No accounts, no registration. Your identity derives from 6+ words you remember
  • Zero-Knowledge Architecture - Server stores only encrypted blobs, never sees plaintext
  • End-to-End Encryption - Messages encrypted client-side before transmission
  • File Transfer - Drag & drop files up to 1 GB, chunked and encrypted
  • Numeric ID + QR Code - Easy sharing via 12345678-90 format
  • Contact Book - Save contacts locally (never sent to server)
  • Auto-Expiration - Messages and files deleted after 7 days
  • Tor Hidden Service - Accessible only via .onion address

Cryptography

We reject NIST standards. All algorithms are designed by independent cryptographers:

| Function | Algorithm | Designer |
|---|---|---|
| Key Exchange | X25519 | Daniel J. Bernstein |
| Encryption | XChaCha20-Poly1305 | Daniel J. Bernstein |
| Hashing | BLAKE3 | Aumasson, O'Connor, et al. |
| Key Derivation | Argon2id | PHC winner (2015) |
| Signatures | Ed25519 | Daniel J. Bernstein |

Why no NIST? NIST collaborated with NSA to weaken Dual_EC_DRBG. Trust is broken.

Brain Key Security

Your identity is generated from common words you can easily remember:

| Words | Entropy | Crack Time* |
|---|---|---|
| 6 words | ~80 bits | ~16 million years |
| 8 words | ~106 bits | ~10¹⁵ years |
| 12 words | ~160 bits | ~10³¹ years |

*Assumes a 10,000-word dictionary and 1 billion attempts/sec (an unrealistically high rate against Argon2id). For comparison, the universe is 13.8 billion years old.

Example: house cat moon pizza sea sun → unique cryptographic identity

  • Same words = same identity, always, on any device
  • Forget words = lose access forever (no recovery)
  • Never store digitally - keep in your head
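
The entropy figures above hold only when each word is picked uniformly at random from the dictionary. The following Go sketch is an added example, not code from the VaporDrop repository: it generates such a phrase with crypto/rand and reproduces the table's numbers. The function names and the 8-word sample list are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// sampleWords is a constructed demo list (6 picks give only 18 bits);
// the README's figures assume a 10,000-word dictionary.
var sampleWords = []string{"house", "cat", "moon", "pizza", "sea", "sun", "tree", "road"}

// GenerateBrainKey draws n words independently and uniformly from dict.
// rand.Int has no modulo bias, so every word is equally likely.
func GenerateBrainKey(dict []string, n int) (string, error) {
	if len(dict) < 2 || n < 1 {
		return "", fmt.Errorf("need len(dict) >= 2 and n >= 1")
	}
	limit := big.NewInt(int64(len(dict)))
	words := make([]string, n)
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words[i] = dict[idx.Int64()]
	}
	return strings.Join(words, " "), nil
}

// EntropyBits is n*log2(dictSize); it holds only for uniform random picks.
func EntropyBits(dictSize, n int) float64 {
	return float64(n) * math.Log2(float64(dictSize))
}

// AvgCrackYears is the expected time to search half the keyspace.
func AvgCrackYears(bits, guessesPerSec float64) float64 {
	return math.Exp2(bits-1) / guessesPerSec / (365.25 * 24 * 3600)
}

func main() {
	key, err := GenerateBrainKey(sampleWords, 6)
	fmt.Println("demo key:", key, "error:", err)
	for _, n := range []int{6, 8, 12} {
		b := EntropyBits(10000, n)
		fmt.Printf("%2d words: %.1f bits, ~%.1e years\n", n, b, AvgCrackYears(b, 1e9))
	}
}
```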

Self-Hosting

Requirements

  • Docker + Docker Compose
  • Linux server (VPS or dedicated)

Quick Start

# Clone repository
git clone https://github.com/gabrix73/vapordrop.git
cd vapordrop

# Create environment file with your passphrase
echo "VAPOR_KEY=your-secret-passphrase-min-16-chars" > .env
chmod 600 .env

# Build and start
docker compose up -d --build

# View logs (wait for .onion address)
docker compose logs -f

Your .onion address will appear in the logs:

✅ VAPORDROP ONLINE
🧅 http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion

Commands

# Start
docker compose up -d --build

# Stop
docker compose down

# View logs
docker compose logs -f

# Destroy everything (including volumes)
docker compose down -v

VAPOR_KEY

The VAPOR_KEY passphrase:

  • Derives the Ed25519 key for your Tor hidden service
  • Determines your .onion address
  • Same passphrase = same .onion address (reproducible)
  • Does NOT encrypt messages (that's done client-side with user keys)

Store it in a .env file with chmod 600. Never commit it to git.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                         CLIENT                              │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  Brain Key  │→ │   X25519    │→ │ XChaCha20-Poly1305  │  │
│  │  (6+ words) │  │  Key Pair   │  │    Encryption       │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                              │
                              │ Encrypted blob only
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                     SERVER (Zero-Knowledge)                 │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │   Tor HS    │  │  RAM-only   │  │   Auto-expiration   │  │
│  │  (Ed25519)  │  │   Storage   │  │     (7 days)        │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
└─────────────────────────────────────────────────────────────┘

Server never sees:

  • Plaintext messages
  • Encryption keys
  • Brain keys
  • Contact lists

Security Features

Traffic Analysis Protection

  • Random padding on all messages
  • Randomized response delays
  • Constant-time comparisons

Anti-Replay

  • Nonce cache with 24h expiration
  • BLAKE3 hashed nonces for privacy
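
A minimal version of the expiring nonce cache described above, as an added Go example that is not taken from VaporDrop's main.go. SHA-256 from the standard library stands in for BLAKE3, and the type and method names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

// NonceCache keeps only digests of seen nonces, each with an expiry time.
type NonceCache struct {
	mu   sync.Mutex
	ttl  time.Duration
	seen map[[32]byte]time.Time
}

func NewNonceCache(ttl time.Duration) *NonceCache {
	return &NonceCache{ttl: ttl, seen: make(map[[32]byte]time.Time)}
}

// Accept reports whether nonce is new at time now. Check and insert share
// one lock, so two concurrent requests with the same nonce cannot both pass.
func (c *NonceCache) Accept(nonce []byte, now time.Time) bool {
	digest := sha256.Sum256(nonce) // stand-in: the README names BLAKE3
	c.mu.Lock()
	defer c.mu.Unlock()
	if exp, ok := c.seen[digest]; ok && now.Before(exp) {
		return false // replay inside the window
	}
	c.seen[digest] = now.Add(c.ttl)
	return true
}

// Sweep deletes expired digests so the in-RAM cache stays bounded.
func (c *NonceCache) Sweep(now time.Time) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	before := len(c.seen)
	for d, exp := range c.seen {
		if !now.Before(exp) {
			delete(c.seen, d)
		}
	}
	return before - len(c.seen)
}

func main() {
	c, n := NewNonceCache(24*time.Hour), []byte("constructed-nonce")
	fmt.Println(c.Accept(n, time.Now()), c.Accept(n, time.Now()))
}
```

An expiring cache stops replays only while the entry is live, so a request older than the TTL has to be rejected by some other check, such as a signed timestamp; the README does not say how VaporDrop handles that.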

Rate Limiting

  • Session-based (Tor-compatible, not IP-based)
  • Prevents abuse without deanonymization

Memory Protection

  • Uses memguard for sensitive data
  • Keys zeroed after use
  • No swap, RAM only

API Endpoints

| Endpoint | Method | Description |
|---|---|---|
| /api/register | POST | Register numeric ID → public key mapping |
| /api/resolve/{id} | GET | Resolve numeric ID to public key(s) |
| /api/send | POST | Send encrypted message |
| /api/fetch | POST | Fetch and delete messages |
| /api/file/init | POST | Initialize file transfer |
| /api/file/chunk/{id}/{n} | POST | Upload encrypted chunk |
| /api/file/pending/{pubkey} | GET | List pending files |
| /api/file/download/{id}/{n} | GET | Download chunk |
| /api/file/complete/{id} | POST | Mark transfer complete, delete |
| /api/health | GET | Health check |
| /api/stats | GET | Public statistics |

File Structure

vapordrop/
├── main.go              # Backend server
├── go.mod               # Go dependencies
├── Dockerfile           # Multi-stage build
├── docker-compose.yml   # Container orchestration
├── .env                 # VAPOR_KEY (create this, never commit)
├── .gitignore           # Excludes .env
├── .dockerignore        # Excludes .env from build
└── static/
    ├── index.html       # Application

Threat Model

Protects Against

  • Mass surveillance (Tor + E2E encryption)
  • Server seizure (encrypted blobs without keys are useless)
  • NIST backdoors (we don't use NIST algorithms)
  • Metadata collection (no logs, no accounts, RAM only)
  • Traffic analysis (random padding + timing delays)
  • Replay attacks (nonce cache with expiration)

Limitations

  • Compromised endpoint (malware on your device)
  • Screenshot by recipient
  • State-level Tor correlation attacks
  • Quantum computers (future threat to X25519)

Contributing

  1. Fork the repository
  2. Create feature branch (git checkout -b feature/improvement)
  3. Commit changes (git commit -am 'Add feature')
  4. Push branch (git push origin feature/improvement)
  5. Open Pull Request

License

MIT License - See LICENSE file.

Acknowledgments


All those who fight against oppression and the oppressors