Learn how to securely share files and directories using Orb.
Sharing in Orb follows a simple workflow:
- Select directory - Choose what to share
- Create session - Generate credentials
- Share credentials - Send to recipient securely
- Serve files - Wait for connection and serve files
cd /path/to/files
orb share .
orb share /home/user/documents
orb share ~/photos --relay ws://my-relay.com:8080
When you start sharing, Orb generates:
Session ID: a1b2c3d4e5f6
Passcode: secure-random-passcode-here
Relay: ws://localhost:8080
Session ID:
- Unique identifier for this sharing session
- Used to route connections through the relay
- Safe to share publicly (like a username)
- 12 characters, alphanumeric
Passcode:
- Secret authentication credential
- Used to derive encryption keys
- Must be kept secret
- Random, high-entropy string
- Required for connection
Relay:
- WebSocket server facilitating connection
- Can be localhost, self-hosted, or public
- Must be reachable by both parties
# Good: Specific directory
orb share ~/project/public-docs
# Risky: Entire home directory
orb share ~
# Bad: System directories
orb share /
Good methods:
- Encrypted messaging (Signal, WhatsApp)
- Password managers (shared vault)
- In person
- Phone call
- Encrypted email
Avoid:
- Plain email
- SMS
- Public chat
- Social media
- Shared notes
Watch the sharing terminal for:
[INFO] Client connected from relay
[INFO] Handshake complete
[INFO] Serving file: document.pdf
[INFO] Connection closed
Press Ctrl+C to stop sharing:
^C
[INFO] Shutting down...
[INFO] Session terminated
# Auto-stop after 1 hour
timeout 1h orb share ~/files
# Auto-stop after 30 minutes
timeout 30m orb share ~/sensitive-docs
Orb shares are inherently read-only. The connector can:
- List files
- Read file contents
- Download files
The connector cannot:
- Modify files
- Delete files
- Upload files
Currently, one session = one connection. For multiple users:
# Start multiple share sessions
orb share ~/docs --relay ws://localhost:8080 # Terminal 1
orb share ~/docs --relay ws://localhost:8080 # Terminal 2
# Each gets unique credentials
When you share a directory, the connector sees:
- All files in the directory
- All subdirectories
- Hidden files (dotfiles)
- Symlinks (as regular files/dirs)
Orb enforces strict path sandboxing:
Shared: /home/user/project
Accessible:
/home/user/project/file.txt
/home/user/project/subdir/file.txt
Not accessible:
/home/user/other-project/file.txt
/home/user/project/../sensitive.txt
Protection against:
- Path traversal (../../../etc/passwd)
- Symlink escapes (symlinks pointing outside)
- Absolute path access
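The containment rule described above, and a pre-share audit of the dotfiles and symlinks a connector would see, written as an added example (not Orb's own code). The function names are hypothetical, and it assumes a readlink that supports -f (GNU coreutils, BusyBox, recent macOS).

```shell
#!/bin/sh
# Added example (not Orb's code). Requires a readlink that supports -f.

# in_share ROOT PATH: succeed only if PATH, once ".." and symlinks are
# resolved, is ROOT itself or lies beneath it.
in_share() {
    root=$(cd -- "$1" && pwd -P) || return 1
    real=$(readlink -f -- "$2") || return 1      # unresolvable: deny
    case "$real" in
        # The "/" after $root keeps a sibling such as ROOT-old from matching.
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_request ROOT REQ: REQ is a connector-supplied path. It is always
# joined to ROOT, so a leading "/" cannot select an absolute path.
check_request() {
    in_share "$1" "$1/$2"
}

# hidden_entries ROOT: dotfiles and dot-directories a connector could list.
hidden_entries() {
    find "$1" -mindepth 1 -name '.*' -print | sort
}

# escaping_symlinks ROOT: symlinks whose target resolves outside ROOT
# or cannot be resolved at all.
escaping_symlinks() {
    find "$1" -type l -print | sort | while IFS= read -r link; do
        in_share "$1" "$link" || printf '%s\n' "$link"
    done
}

# audit_share ROOT: print both lists; return 0 only when both are empty.
audit_share() {
    hidden=$(hidden_entries "$1")
    links=$(escaping_symlinks "$1")
    [ -z "$hidden" ] || printf 'Hidden entries:\n%s\n' "$hidden"
    [ -z "$links" ] || printf 'Symlinks leaving the share:\n%s\n' "$links"
    [ -z "$hidden" ] && [ -z "$links" ]
}
```

Source the file and run audit_share on the directory before passing it to orb share; a non-zero status means there are entries to review first.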
[INFO] Creating session...
[INFO] Session ID: abc123
[INFO] Passcode: xyz789
- Server generates random credentials
- Session stored with 24-hour expiration
- Rate limit: 5 failed attempts
[INFO] Waiting for connection...
[INFO] Client connected!
[INFO] Handshake in progress...
[INFO] Handshake complete
[INFO] Ready to serve files
- Sharer waits for connector
- Performs Noise Protocol handshake
- Establishes encrypted tunnel
[INFO] Request: LIST /
[INFO] Request: STAT /documents
[INFO] Request: READ /documents/report.pdf
- Connector browses and downloads files
- All operations encrypted end-to-end
- Logs show activity
[INFO] Connection closed
[INFO] Session ended
- User presses Ctrl+C
- Connector disconnects
- Session can be reused if within 24h
Error: dial tcp: connection refused
Solutions:
- Check relay is running: curl http://localhost:8080
- Verify relay URL is correct
- Check firewall settings
- Try different port
Error: failed to create session
Solutions:
- Check session server is reachable
- Verify network connectivity
- Check server logs for errors
Error: handshake timeout
Solutions:
- Verify passcode is correct
- Check both parties are using the same relay
- Ensure session hasn't expired
- Try creating new session
Error: permission denied: /path/to/file
Solutions:
- Check file permissions
- Verify you own the files
- Run as appropriate user
- Check directory is readable
All file data is encrypted using:
- ChaCha20-Poly1305 for AEAD encryption
- Noise Protocol for key exchange
- Argon2id for password-based key derivation
The relay server sees only encrypted bytes.
- Passcode required for connection
- Rate limiting prevents brute force
- Sessions expire after 24 hours
- No persistent authentication
- File names are encrypted in transit
- Directory structure is private
- Relay cannot see file metadata
- No logging of decrypted content
# Create temporary directory
mkdir /tmp/share
cp files-to-share/* /tmp/share/
# Share
orb share /tmp/share
# After recipient downloads, cleanup
rm -rf /tmp/share
# Share project directory
cd ~/projects/webapp
orb share .
# Colleague connects and downloads needed files
# Access home files from work
ssh home-server
orb share ~/documents
# Connect from work machine
orb connect --session <ID> --passcode <CODE> --relay ws://home-server:8080
# Prepare deliverables
mkdir client-delivery
cp final-*.pdf client-delivery/
cp -r assets/ client-delivery/
# Share with client
orb share client-delivery
- Learn how to Connect
- Explore TUI Browser
- Read Security Details
- Check Troubleshooting