Anonymous File Sharing with OnionShare 2.0

Secret Files

Article from Issue 228/2019

OnionShare lets you share files without revealing IP addresses or domain names. The latest version also allows uploads.

The Tor Project [1] has spawned a whole global community dedicated to the concept of anonymous browsing. The project's Tor Browser [2], which lets the user surf the web without leaving a trail or trace, was originally intended to help dissidents in totalitarian countries communicate without surveillance, but since then, it has become popular with whistle-blowers, drug buyers, and millions of everyday users who simply don't want to submit to the culture of tracking and targeting that exists on the mainstream Internet.

The core technology behind the Tor Browser is a technique known as onion routing. Onion routing routes a message through a message of participating routers that could be anywhere on the Internet. A data packet takes a random path through a series of the routers. The packet is encapsulated in multiple layers of encrypted routing information. Each router receives the packet and uses its private key to decrypt the outermost layer, which contains a destination address for where to forward the packet, and then sends the data on to the next link in the chain.

The power of onion routing is that no single router on the network has complete knowledge of where the packet came from and where it is going. Each router can only read the single layer specifically encrypted and addressed to it. This technique is known as onion routing, because the many layers of encrypted routing information resemble the layers of an onion that are gradually peeled away as the packet makes its way through the network. (For more information, see the "How Private?" box.)

How Private?

The onion routing process is considered relatively secure, although various attack scenarios are known [4]. One of the points of criticism lies in the inexperience of the users. To really protect your privacy, you need to do more than simply route your traffic through Tor. You also have to harden the browser and preferably the whole system. For this reason, the project offers the preconfigured Tor Browser with an integrated Tor client for all common operating systems. As an alternative, the developers are also working on Tails [5], a live distribution that offers an inherently secure platform.

Tor comes with the Onion Service Protocol [6] and the hidden services that help users not only use, but also to provide, services anonymously.

Like so many things, hidden services have two sides. Although anonymous routing allows criminal machinations on the one hand, on the other, it genuinely helps people to protect their privacy. Hidden services can also be used to exchange files without participants having to reveal IP addresses, domain names, or account details.

The Tor Browser is a standard tool at this point that is well known to many Linux users, and tutorials on how to use Tor have appeared in many forms – including in this magazine.

Less well known is OnionShare [3], a useful tool that lets you anonymously share files on Tor networks. Even users who are not interested in long-term participation in the Tor community have learned that OnionShare can be an easy and secure way to post a file without the need for commercial cloud services.

Anonymous File Sharing

Version 2.0 of OnionShare was released earlier this year and is not yet available in the package sources of the major distributions. Even the brand-new Ubuntu 19.04 "Disco Dingo" runs version 1.3.2 of the program. On the homepage, however, the developers point users to an Ubuntu PPA that supports the installation of the latest version with just a few commands (Listing 1). On Arch Linux, you will find OnionShare in the AUR of the same name. If you can't find a suitable package for your distribution, see the instructions online for tips on building the current version from scratch [7]. (For a CLI variant, see the "OnionShare as a Service" box.)

OnionShare as a Service

On Linux, OnionShare installs two executable files. onionshare-gui calls the version with the graphical environment. If you want to run OnionShare on a server without a desktop, start the program by typing onionshare file_name or – to receive data – by typing onionshare --receive. The CLI variant supports all functions of the desktop version (Listing 2).

Listing 1

Installing on Ubuntu


Listing 2

At the Command Line


After you install, OnionShare will appear in the application menu of the desktop environment. At startup, the program automatically connects to the Tor network. The user interface is very simple. At the top there are two tabs named Share Files and Receive Files. The settings can also be opened via the gearwheel icon. The arrow below expands information about the history in a sidebar.

To share files, drag the desired files from the file manager into the application window or use the Add button at the bottom of the window to open a selection dialog. Once you have added one or more files, start the service by pressing the green Start sharing button (Figure 1).

Figure 1: File sharing made easy: Drag files into the window, click on Start sharing, and send the URL to the contact. Configuration of the router is not required.

Download via Browser

To send data to a contact, communicate the OnionShare address now displayed in the window in the style of http://Tor_address.onion/slug (Figure 2).

Figure 2: Send the OnionShare address to your contact. The history shows how often and when a file was downloaded – but not by whom.

The Tor address is a string of characters assigned to you by Tor (as shown in Figure 2). The slug consists of a random combination of two words at the end of the address, adding an additional layer of complexity to resist guess attacks.

You can share the information either through a secure chat or some manual method. Note that the OnionShare address changes each time the application is started, as long as you do not enable a persistent address in the settings. The text cannot be selected directly in the window; to copy it to the clipboard, click Copy Address. Port forwarding or further configuration of the WiFi router are not usually required.

Your contact does not need a special program to download the data. All they need is the Tor Browser, which is available for all common operating systems or any browser with a Tor client enabled in the system (Figure 3). After you press Download Files, the shared data ends up as a ZIP archive on the user's hard disk. However, version 2.0 of the OnionShare client no longer bundles individual files in an archive. In the test, downloading the files also worked on an Android smartphone connected to the Tor network with Orbot [8].

Figure 3: To download data shared via OnionShare, you need the Tor Browser or an active Tor client on your own computer.

Receiving Anonymous Data

OnionShare 2.0 not only allows users to share files anonymously but also to receive them anonymously [9]. To receive files anonymously, switch to the Receive Files tab and activate Receive mode by pressing Start Receive Mode. You will again see an OnionShare address, similar to the one you received when you sent the mail; you have to give this address to your contact. If, for example, you would like to offer whistle-blowers a portal for sending data in the scope of your journalistic work, you can also publish the address on your homepage.

Uploading data does not differ much from downloading. The Tor Browser acts as the client again. Instead of the list of offered files, you will see an almost empty page. A click on Browse… opens a file browser where you can select the data to be uploaded. On pressing Send Files, the browser then transfers the file. On the OnionShare program page, you will see the transferred files arriving. After the transmission has been completed, terminate the service by clicking on Stop Receive Mode. By default, the program stores the data below OnionShare/ in the user's home directory.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Subgraph OS

    Kid-tested and Snowden approved – is Subgraph, the privacy-oriented OS, now ready for humans?

  • Mofo Linux

    Mofo Linux enables secure digital communications, even in places where it is politically or ideologically unwelcome.

  • FOSSPicks

    After watching Ubuntu help NASA with its first controlled flight on another planet, Graham spent far too much time this month visiting Mars in Elite Dangerous, via Proton on Linux.

  • This Month's DVD

    Tails 4.22 and Q4OS 4.6

  • This Month's DVD

    Parrot OS 4.11 and Fedora Workstation 35

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.