How I built zero-knowledge file sharing where the server is literally blind to your files

Building FileShot.io — a privacy-first, zero-knowledge file sharing platform. All encryption happens in your browser with AES-256-GCM. The server is 100% blind to your files. Web app, desktop (Electron), Chrome extension, and Android APK. GPL v2 open source.

Zero knowledge means exactly what it says

I built FileShot.io — a file sharing platform where the server is mathematically incapable of reading your files. This isn't marketing language. It's a property of the cryptographic architecture.

Here's how it works.

The core mechanism

When you upload a file on FileShot, your browser runs this before a single byte leaves your machine:

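// fileBuffer: the file's bytes as an ArrayBuffer
const key = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  true, // extractable, so the key can be exported into the share link
  ['encrypt', 'decrypt']
);

// AES-GCM needs a unique IV for every encryption under the same key
const iv = crypto.getRandomValues(new Uint8Array(12));

const encrypted = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key,
  fileBuffer
);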

The key is generated locally. The encryption happens locally. The server receives only the encrypted blob — a stream of bytes it cannot interpret.

Where does the key go?

After encryption, the key is exported and appended to the download URL as a URL fragment:

https://fileshot.io/d/abc123#key=base64encodedkey...

Browsers do not include the fragment (everything after #) in the HTTP request, so it never reaches the server. It is visible only to the browser and the script running in the page. When someone opens that link, their browser reads the fragment, fetches the encrypted blob, and decrypts it locally.

The server never sees the key. Not once, not ever.
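
The full round trip described above (local encryption, key in the fragment, local decryption), as an added example that is not FileShot's own code. It assumes a 12-byte IV prepended to the ciphertext and a base64url-encoded raw key; the function names are hypothetical.

```javascript
// Added example, not FileShot's code. Assumed: 12-byte IV prepended to the blob,
// raw key as base64url in "#key=". Helper names are hypothetical.
// Browsers and Node 19+ expose globalThis.crypto; the fallback covers older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webCrypto;

// base64url avoids '+', which URLSearchParams would decode as a space.
const toB64Url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: encrypt locally; return the blob to upload and the link to share.
async function encryptForShare(plainBytes, baseUrl) {
  const key = await subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh per file
  const ct = new Uint8Array(
    await subtle.encrypt({ name: 'AES-GCM', iv }, key, plainBytes));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  const rawKey = new Uint8Array(await subtle.exportKey('raw', key));
  return { blob, link: `${baseUrl}#key=${toB64Url(rawKey)}` };
}

// What the HTTP request carries: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment, split off the IV, decrypt.
async function decryptFromShare(blob, link) {
  const params = new URLSearchParams(new URL(link).hash.slice(1));
  const key = await subtle.importKey(
    'raw', fromB64Url(params.get('key')), { name: 'AES-GCM' }, false, ['decrypt']);
  // decrypt() rejects if any byte of the blob changed: GCM verifies the tag.
  return new Uint8Array(await subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12)));
}

async function demo() {
  const msg = new TextEncoder().encode('constructed sample file contents');
  const { blob, link } = await encryptForShare(msg, 'https://fileshot.io/d/abc123');
  const plain = new TextDecoder().decode(await decryptFromShare(blob, link));
  const tampered = blob.slice();
  tampered[tampered.length - 1] ^= 1; // flip one bit of the stored blob
  const tamperRejected = await decryptFromShare(tampered, link).then(() => false, () => true);
  return { plain, sent: requestTarget(link), tamperRejected };
}
```

`demo()` resolves to the decrypted text, the request target the server would see (`/d/abc123`, with no key), and whether a modified blob was rejected.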

What this means practically

  • FileShot's servers store encrypted ciphertext
  • FileShot cannot read your files even if compelled by law
  • A subpoena yields nothing useful
  • A database breach exposes only encrypted blobs
  • Even FileShot's own engineers cannot access your files

This is zero-knowledge encryption (ZKE) — the server processes data it cannot understand.

The free tier

This isn't a freemium product where the good stuff is paywalled.

  • 500MB per file
  • 7-day link lifetime
  • Unlimited uploads
  • Zero account required

Drop a file, share the link. That's it.

Desktop app + Chrome extension

The same AES-256-GCM pipeline runs in the desktop app (Electron) and the Chrome extension. Whether you're uploading from a browser tab, right-clicking a file in Windows Explorer, or dragging into the desktop app — the encryption is identical.

Transparency

The full ZKE architecture is documented at fileshot.io/zke. No hand-waving, no vague "military-grade encryption" claims — the actual implementation.

Try it

fileshot.io — no account, no email, no tracking. Upload a file and inspect the network tab if you want to verify the claims above.
