The Lore-Book

A treatise on encrypted passage, swift delivery & the Handshake of Fellowship

· · ᛞ ᚢ ᚱ ᛁ ᚾ · ᚠ ᚱᛖᛟᚾᛞ · ᛖᚾᛏᛖᚱ · ·

What is Durin's Door?

Durin's Door is a zero-knowledge encrypted file-sharing web application. Like the ancient gate of Moria, which reveals itself only to those who know the word, Durin's Door encrypts your files entirely in your browser before they ever reach the server. The key lives only in the URL fragment, which is never sent to the server.

  • Zero-knowledge encryption — AES-256-GCM, key stays in the URL fragment (#), never sent to the server
  • Auto-expiry — links vanish after the time you set
  • Download limits — restrict to N downloads and the door seals itself
  • Optional password — adds a verification gate atop the key
  • Handshake mode — peer-to-peer ECDH key exchange, no shared URL needed
  • Zero server-side decryption — the server stores encrypted blobs only
· · · ᚢ · · ·

How to Share a File

To place an artifact in the vault, drag a file onto the door — or click it to browse. The door will encrypt your file in-browser, upload the ciphertext, and carve a link.

  1. Drag or click the door on the home page to select your file
  2. Set options — expiry, download limit, optional password
  3. Click “Send Through the Door” — your browser encrypts with AES-256-GCM before upload
  4. Copy the link — the decryption key is in the #fragment, invisible to the server
🛡️

The key is NEVER sent to the server. URL fragments (the #key=… part) are a browser-only construct: the browser does not include them in the HTTP request, so they don't appear in server logs, proxies, or CDN records. Share the full URL with your recipient.

· · · ᚱ · · ·

How to Download

The bearer of the link visits the download page. The door presents what lies within. If a password was set, the door asks for the word. Speak truly, and it opens. Decryption happens entirely in your browser — plaintext never touches the server.

  1. Open the link — the download page shows file details
  2. Enter password (if required) — verified locally against a hash
  3. Click “Open the Door & Download” — encrypted blob fetched, decrypted in browser, saved to device
· · · ᚨ · · ·

Handshake Mode — Peer-to-Peer Transfer

Handshake Mode enables direct peer-to-peer encrypted transfers without sharing a URL. The receiver generates a short pairing code; the sender enters it. An ECDH (P-256) key exchange derives a shared secret — the server never sees the key.

  1. Receiver clicks “Handshake” → gets a 6-character code (e.g. GANDALF)
  2. Receiver shares the code with the sender verbally or via any channel
  3. Sender enters the code on the send page — ECDH keys are exchanged
  4. Both see a verification phrase — 3 Tolkien words derived from the shared secret. Confirm they match!
  5. Sender uploads file — encrypted with the ECDH-derived AES key
  6. Receiver auto-downloads — decrypted in their browser with the same derived key
🤝

The verification phrase (3 Tolkien words) works like Signal safety numbers — both sides must see identical words to confirm the shared secret was derived correctly and no man-in-the-middle is present.
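The handshake above, sketched with WebCrypto as an added example (not Durin's Door's own code): the HKDF labels, the all-zero salt and the eight-word list are assumptions, since this page does not specify the key-derivation step or the word list. `handshake(true)` models a relay that substitutes its own public key, the case the verification phrase exists to catch.

```javascript
// Handshake-mode sketch: ECDH P-256 -> HKDF -> AES-256-GCM key + 3-word phrase.
// Assumed, not from the project: HKDF labels, zero salt, and this constructed word list.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const WORDS = ['mithril', 'ranger', 'shire', 'ent', 'palantir', 'balrog', 'elanor', 'gondor'];
const ECDH = { name: 'ECDH', namedCurve: 'P-256' };

const newKeyPair = () => subtle.generateKey(ECDH, false, ['deriveBits']);
// Only the raw public key ever crosses the relay; private keys are non-extractable.
const exportPublic = (pair) => subtle.exportKey('raw', pair.publicKey);

// Domain-separated HKDF so the file key and the phrase never share bytes.
async function hkdf(secret, label, bits) {
  const ikm = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveBits']);
  const params = { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32),
    info: new TextEncoder().encode(label) };
  return new Uint8Array(await subtle.deriveBits(params, ikm, bits));
}

// Each side calls this with its own key pair and the public key it received.
async function deriveSession(myPair, peerPublicRaw) {
  const peer = await subtle.importKey('raw', peerPublicRaw, ECDH, false, []);
  const secret = await subtle.deriveBits({ name: 'ECDH', public: peer }, myPair.privateKey, 256);
  const aesKey = await subtle.importKey('raw', await hkdf(secret, 'file-key', 256),
    'AES-GCM', false, ['encrypt', 'decrypt']);
  const tag = await hkdf(secret, 'verify-phrase', 24); // 3 bytes -> 3 words
  const phrase = [...tag].map((b) => WORDS[b % WORDS.length]).join(' ');
  return { aesKey, phrase };
}

// Runs one exchange; with tamper=true the relay hands each side its own key instead.
async function handshake(tamper = false) {
  const [receiver, sender, relay] = await Promise.all([newKeyPair(), newKeyPair(), newKeyPair()]);
  const s = await deriveSession(sender, await exportPublic(tamper ? relay : receiver));
  const r = await deriveSession(receiver, await exportPublic(tamper ? relay : sender));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per file
  const blob = await subtle.encrypt({ name: 'AES-GCM', iv }, s.aesKey,
    new TextEncoder().encode('artifact'));
  // On a key mismatch the GCM tag check rejects, so the receiver gets nothing.
  const opened = await subtle.decrypt({ name: 'AES-GCM', iv }, r.aesKey, blob)
    .then((pt) => new TextDecoder().decode(pt), () => null);
  return { phrasesMatch: s.phrase === r.phrase, opened, senderPhrase: s.phrase };
}
```

With only eight words the phrase carries 9 bits, so a substituted key would still produce matching phrases about once in 512 attempts; a real word list must be large enough that a chance match is negligible.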

· · · ᛊ · · ·

Security & Encryption

🛡️

Files are protected with AES-256-GCM authenticated encryption, and each file gets a unique 256-bit key. In Handshake mode, ECDH P-256 derives the shared key, which is computationally infeasible to recover without one party's private key. Passwords are hashed with SHA-256 in the web version.

  • AES-256-GCM — authenticated encryption detects tampering
  • Unique key per share — compromise of one share exposes nothing else
  • ECDH P-256 — Handshake keys derived in-browser, never transmitted
  • Browser-side decryption — plaintext never written to any server
  • Auto-expiry — expired files are purged from storage
  • Zero-knowledge — the server stores only encrypted blobs