How the encryption works

SG/Send uses AES-256-GCM symmetric encryption, and it runs only in your browser. The server never sees your data, your file names, or your key. This page explains how it works.

Symmetric encryption: one key, two operations

SG/Send uses symmetric encryption: the same key encrypts and decrypts. It is the simplest and fastest form of encryption, and the best one for sending files, provided it is implemented correctly.

What is AES-256-GCM?

AES (Advanced Encryption Standard) is the encryption algorithm used by governments, banks, and militaries worldwide. 256 is the key length in bits: there are 2^256 possible keys, which cannot be brute-forced. GCM (Galois/Counter Mode) adds authenticated encryption: it does not only encrypt, it also detects whether the ciphertext has been changed.

Why symmetric encryption?

Symmetric encryption uses one key for both encryption and decryption. Asymmetric encryption (such as RSA) uses two keys. For sending files, symmetric encryption is the good choice: it is fast, well understood, and available through the Web Crypto API in browsers everywhere.

Key insight: if you control where the key is generated and where it goes, symmetric encryption gives complete secrecy. SG/Send generates the key in your browser, and the key never reaches the server.

The encryption process, step by step

Here is exactly what happens when you send a file with SG/Send.

1

Key generation

When you select a file, your browser generates a random 256-bit AES key using the Web Crypto API (crypto.subtle.generateKey). It uses the device's secure random number generator. The key exists only in your browser's memory.

    Browser                                        Server
       |                                              |
       |  crypto.subtle.generateKey(                  |
       |    { name: "AES-GCM", length: 256 },         |
       |    true,                                     |
       |    ["encrypt", "decrypt"]                    |
       |  )                                           |
       |                                              |
       |  Key generated: 3a7f...b2c1 (256 bits)       |
       |  Key stays here. Server knows nothing.       |
       |                                              |

2

IV generation

A random 12-byte IV (Initialisation Vector) is generated (crypto.getRandomValues). The IV makes sure that encrypting the same file twice produces different ciphertext. The IV is not secret: it is prepended to the ciphertext and sent along with it.

3

Encryption

The file is encrypted in the browser with crypto.subtle.encrypt, using the AES-GCM algorithm, the generated key, and the IV. The output is the ciphertext plus a 128-bit authentication tag. The authentication tag is GCM's integrity guarantee: if a single bit of the ciphertext is changed, decryption fails.

    Browser                                        Server
       |                                              |
       |  plaintext ──► AES-256-GCM ──► ciphertext    |
       |                    ▲                         |
       |                    |                         |
       |                key + IV                      |
       |                                              |
       |  Output = IV (12 bytes)                      |
       |         + ciphertext (same size as plaintext)|
       |         + auth tag (16 bytes)                |
       |                                              |

4

Upload

Only the encrypted payload (IV + ciphertext + authentication tag) is sent to the server. The server receives a blob of random-looking bytes. It assigns a transfer ID (12 random characters) and stores the ciphertext. No file name, no content type, no key: encrypted bytes only.

    Browser                                        Server
       |                                              |
       |  POST /transfers/create                      |
       |  ──────────────────────────────────────────► |
       |                                              |  Stores:
       |  PUT /transfers/{id}/upload                  |    transfer_id: "a7x9k2m4p1"
       |  Body: [IV + ciphertext + auth tag]          |    data: [encrypted bytes]
       |  ──────────────────────────────────────────► |    ip_hash: SHA256(ip + salt)
       |                                              |    timestamp: 2026-02-28T...
       |  Key NEVER sent. File name NEVER sent.       |
       |                                              |

5

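Share the link

The sender receives a download link. The decryption key is placed in the URL fragment (the part after the #). Browsers do not send the URL fragment to the server; RFC 3986 specifies this. The sender shares the link over whatever channel they choose (message, communicator, in person).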

    Link format:

    https://send.sgraph.ai/download/a7x9k2m4p1#3a7f...b2c1
    ├──────────── domain ────────────┤├─ transfer id ─┤├─ key ─┤
                                                          ▲
                                                          │
                                                 URL fragment (#)
                                                 Never sent to server
                                                 Stays in the browser

6

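Decryption

The recipient opens the link. Their browser downloads the encrypted bytes from the server, takes the key from the URL fragment, separates the IV from the ciphertext, and decrypts with crypto.subtle.decrypt. If the authentication tag does not match (a change was detected), decryption fails. The server takes no part in the decryption process.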

    Recipient's Browser                            Server
       |                                              |
       |  GET /transfers/{id}/download                |
       |  ──────────────────────────────────────────► |
       |  ◄────────────────────────────────────────── |
       |  Response: [IV + ciphertext + auth tag]      |
       |                                              |
       |  Key extracted from URL fragment (#)         |
       |  crypto.subtle.decrypt(                      |
       |    { name: "AES-GCM", iv: IV },              |
       |    key,                                      |
       |    ciphertext                                |
       |  )                                           |
       |                                              |
       |  ──► plaintext file restored                 |
       |  Server never saw the key or the plaintext.  |
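
The six steps above run end to end, as an added example that is not SG/Send's own code: it packs IV + ciphertext + tag as described, puts the key after the #, and rejects a modified blob on decryption. The function names and the hex encoding of the key in the fragment are assumptions.

```javascript
// Added example; sealFile, openLink and requestTarget are illustrative names.
const BASE = 'https://send.sgraph.ai/download/'; // link shape shown on the page

// Browser: globalThis.crypto. The fallback only lets this run on older Node.
const wc = async () => (globalThis.crypto?.subtle
  ? globalThis.crypto : (await import('node:crypto')).webcrypto);

// Assumption: the key travels in the fragment as lowercase hex.
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Steps 1-3 and 5: fresh key and IV, encrypt, pack IV || ciphertext || tag, build link.
async function sealFile(plaintext, transferId) {
  const c = await wc();
  const key = await c.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));
  // encrypt() returns ciphertext with the 16-byte tag already appended.
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv, 0);
  blob.set(ct, iv.length);
  const keyHex = toHex(await c.subtle.exportKey('raw', key));
  return { blob, link: `${BASE}${transferId}#${keyHex}` }; // key only after '#'
}

// Step 6: key from the fragment, IV from the first 12 bytes, then decrypt.
async function openLink(link, blob) {
  const c = await wc();
  const keyHex = new URL(link).hash.slice(1);
  if (!/^[0-9a-f]{64}$/.test(keyHex)) throw new Error('fragment is not a 256-bit hex key');
  if (blob.length < 12 + 16) throw new Error('blob shorter than IV + tag');
  const key = await c.subtle.importKey(
    'raw', fromHex(keyHex), { name: 'AES-GCM' }, false, ['decrypt']);
  // Rejects with OperationError if any bit of the ciphertext or tag was changed.
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new Uint8Array(pt);
}

// What an HTTP request for the link carries: path and query, never the fragment.
const requestTarget = (link) => {
  const u = new URL(link);
  return u.pathname + u.search;
};
```

Only `blob` and the value of `requestTarget(link)` correspond to what the server receives; the key exists in `link` and in browser memory.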

What the server sees, and what it does not

This is the zero-knowledge guarantee. Here is the data that exists on the server.

The server stores

Transfer ID: 12 random characters
Encrypted bytes: indistinguishable from random data
IP hash: SHA-256 of the IP + a daily rotating salt
Timestamp: when the transfer was created
File size: size of the encrypted blob (bytes)

The server never sees

Encryption key: stays in the browser, carried in the URL fragment
File name: never sent to the server
File type: the content type is not stored
Plaintext: only ciphertext is sent
Real IP address: hashed before it is stored

If the entire server is compromised (the full database, all stored data, all logs), it reveals nothing about the transferred files. Without the key, the ciphertext is no different from random data.

Technology stack

Every layer was chosen for simplicity, security, and zero-dependency deployment.

| Layer | Technology | Purpose |
|---|---|---|
| Runtime | Python 3.12 / arm64 | Backend server language |
| Web framework | FastAPI via osbot-fast-api | HTTP routing and request handling |
| Compute | AWS Lambda + Mangum | Serverless execution, pay per use |
| Storage | Memory-FS (Storage_FS) | Pluggable backend: memory, disk, or S3 |
| Encryption | Web Crypto API (AES-256-GCM) | Encryption in the user's browser |
| Type system | Type_Safe (osbot-utils) | Type validation that does not use Pydantic |
| Frontend | Vanilla JS + Web Components | Zero framework dependencies (IFD) |
| Testing | pytest, in-memory stack | No mocks, no patches, real implementations |
| CI/CD | GitHub Actions | Test, tag, and deploy pipeline |

Infrastructure architecture

Two Lambda functions, one storage layer, one CDN. A simple architecture.

User Lambda (public)

Public functions: file transfers, health checks, encrypted sending, user containers, and secure MCP integration. Reached through a Lambda Function URL behind CloudFront.

18 endpoints

Admin Lambda (authenticated)

Admin-only functions: token management, analytics, server data, and MCP admin tools. Authentication is required. A separate Lambda means a separate security boundary.

55 endpoints

Memory-FS (Storage_FS)

All storage goes through an abstraction layer. The backend code does not know whether it is using memory, disk, or S3. All 7 deployment targets run the same code; not one line of backend code changes.

Pluggable backend

CloudFront CDN

Static content, caching, SSL termination, and WAF. Lambda URLs provide the HTTPS endpoints, so no API Gateway is needed.

Edge layer

Deployment targets

One codebase, seven deployment targets, four categories.

Lambda

The primary deployment. Two Lambda functions behind Lambda Function URLs. They serve HTTPS endpoints; no API Gateway is needed.

Production

Container

Docker, AWS Fargate, and GCP Cloud Run. The same backend, in a container.

Docker / Fargate / GCP

Server

EC2 instances and AMI builds. For teams that need full control of the runtime environment.

EC2 / AMI

CLI

Scripted transfers, CI/CD pipelines, and a command interface for power users.

Terminal

18 AI agents
73 HTTP endpoints
393 passing tests
7 deployment targets