Disroot Upload is a temporary file hosting service powered by Lufi, an open source online software to upload and share files in a secure and private way with other people. We can think of it as an alternative to propietary services such as WeTransfer.
Registration is not needed to use this service.
If we have a file we want or need to share, we just drag and drop it in the upload area, it is chunked, encrypted and sent to the server. We then get two links per file: a download link, that we give to the people we want to share the file with and a deletion link, that allows us to delete the file whenever we want.
Yes, it is as simple as that.
Lufi is an E2EE (End-to-End Encryption) file sharing service that encrypts our files through the web browser before they leave our computer, so not only our Internet Service Provider (ISP) cannot see the file's content, Disroot's administrators cannot either. The admins can only see the file's name, its size and its mimetype (what kind of file it is: video, text, etc).
When someone downloads our file, it is decrypted locally in that person's browser after the download. As we have just mentioned, neither the network administrators or the ISP will be able to see what is in the downloaded file.
We can use it, for example:
Upload is not a cloud service since files are only stored online for a certain time, after which they are deleted.
For cloud services we have the Disroot Cloud.
It is also a different service from PrivateBin since it can only shares text, while Upload can be used to share and download any type of file.
We can read more about Lufi here.
The whole encryption/decryption process is done automatically by the browsers, so no need of manually encrypt the files before, or manually decrypt them at the download.
The encryption key (that which allows whomever downloads the file to decrypt it) is a part of the link that is presented to us by our browser after we have uploaded a file.
Let's see an example.
The following is an example link to a file in Upload (https://upload.disroot.org):
https://upload.disroot.org/r/FA7MHOOL
#AgsmqnJEyUZAcybZmOGKljqYRtDhJKsvZC/Qt05N8dE=
It has two components:
Left of the # symbol in the link is the URL to the file:
https://upload.disroot.org/r/FA7MHOOL
Right of the # symbol in the link is the encryption key of the file:
AgsmqnJEyUZAcybZmOGKljqYRtDhJKsvZC/Qt05N8dE=
This encryption key part of the URL is in fact what is called a URI fragment, it is only processed client-side (in our computer) and does not reach the server of the Lufi provider, so they cannot decrypt the file.
In short, only persons that have the full link will be able to download and decrypt the file.
If we try to use just https://upload.disroot.org/r/FA7MHOOL
without the second part (the encryption key) we will get a message like this:
OK. Let's see how to use the Upload service.
The interface is pretty straightforward.
Here we have the following options:
In this section are the upload options where we can choose:
This is where we upload our files by drag and dropping them. We can also do it the traditional way, opening the file browser and selecting the file.
The size limit for the files we can upload is 2GB. And the maximum time a file stays stored online varies according to its size. After that time expired the file is deleted.
So the larger the file size the shorter the time it is stored. The expiration delay of our files will be the minimum between what we choose and the following limitations:
As mentioned above, after setting the upload options (how many days it will stays online, if delete it after download or not and if it will be password protected) we can upload files by dragging it to the upload area and dropping it. Or we can choose to "click to open the file browser", navigate to our file and select it.
After the upload is complete we will get two links:
We will get the following message:
If we delete a file or the expiration date that was set passed, anyone trying to download the file will get a message like this:
We will also have the options to Copy all links to clipboard (it is recommended to do so and save them somewhere else) and to Send all links by email.
This is also very simple. We can either:
copy the link manually and paste it in an email, a text file, or any other option; or
send it directly by email from Upload.
In the case of this last option, we just click on the Send all links by email button, write the email address in the next screen and (optionally) a message to the recipient. Now note that there are two sending options:
Send with this server: this is not recommended for security reasons, because if we send the email from the service provider's server, the links will be sent to that server first and then sent from the provider's email, not our personal one. This means that full links could be seen by the server administrators and therefore they would be able to download and decrypt the files. Disroot is a privacy-conscious provider, but as a matter of principle the best practice to keep our privacy safe is to avoid this option.
Send with your own mail software: if we have an email client installed on our computer or device (e.g: Thunderbird, Evolution, etc.) then clicking this option will open it with the email ready to be sent.
We can manage our uploads by clicking on the My files option in the top bar.
Here we can see the files that we have uploaded as well as:
This list of uploaded files is kept locally in our browser using the "localStorage" (local web storage) in a .json file. So, if we delete our "localStorage" data or use a different browser or computer, we will not be able to access it again.
Other options we have and can use in this screen are: