A full-stack secure file transfer application built with post-quantum cryptography, featuring user authentication, encrypted file sharing, and digital signatures.
- Kyber: Key encapsulation mechanism for secure key exchange
- Dilithium: Digital signature algorithm for file authentication
- AES-GCM: Symmetric encryption for file content
- User registration with automatic PQC key pair generation
- Secure password hashing with bcrypt
- JWT-based authentication
- User-specific key management
- Secure file upload with recipient selection
- Automatic encryption and signing
- File inbox for received files
- Download and decryption with signature verification
- Sent files tracking
- Backend: FastAPI with SQLite (via SQLAlchemy)
- Frontend: Next.js with modern UI
- Database: SQLite for user and file storage
- Security: All cryptographic operations server-side
- FastAPI: Modern Python web framework
- SQLite: Serverless SQL database (via SQLAlchemy ORM)
- pyOQS: Post-quantum cryptography library
- PyCryptodome: AES-GCM encryption
- JWT: Token-based authentication
- bcrypt: Password hashing
- Next.js: React framework
- Tailwind CSS: Utility-first CSS framework
- Axios: HTTP client
- React Hook Form: Form management
- React Hot Toast: Notifications
- Python 3.8+
- Node.js 16+
- (No database server required; uses local SQLite file)
- Virtual environment (already set up)
Create a .env file in the backend directory with the following variables:

```env
# JWT Configuration
SECRET_KEY=your-super-secret-key-change-this-in-production
ACCESS_TOKEN_EXPIRE_MINUTES=30

# Server Configuration
HOST=0.0.0.0
PORT=8000

# File Configuration
MAX_FILE_SIZE=100

# CORS Configuration
CORS_ORIGINS=*
```

```bash
# Make the startup script executable (if not already)
chmod +x start.sh

# Run the complete setup
./start.sh
```

This script will:
- Activate the virtual environment
- Install all dependencies
- Run database migration for SQLite
- Start both backend and frontend servers
- Frontend: http://localhost:3000
- Backend API: http://localhost:8000
- API Documentation: http://localhost:8000/docs
If you prefer to set up manually:

```bash
# Activate virtual environment
source .venv/bin/activate

# Install dependencies
cd backend
pip install -r requirements.txt

# Run database migration (creates SQLite DB if not present)
python migrate_db.py

# Start server
python main.py
```

```bash
# Install dependencies
cd frontend
npm install

# Start development server
npm run dev
```

- Each user gets unique Kyber and Dilithium key pairs
- Private keys never leave the server
- Keys stored securely in SQLite
- Sender: Uses recipient's Kyber public key to encapsulate shared secret
- Encryption: AES-GCM encrypts file with shared secret
- Signing: Sender signs encrypted file with Dilithium private key
- Storage: Encrypted file + metadata stored in database
- Recipient: Uses their Kyber private key to decapsulate shared secret
- Verification: Verifies sender's signature with their Dilithium public key
- Decryption: AES-GCM decrypts file with shared secret
| Column | Type | Description |
|---|---|---|
| id | Integer | Primary key |
| username | String | Unique username |
| email | String | Unique email |
| hashed_password | String | Hashed password |
| kem_public_key | Text | Kyber public key (Base64) |
| kem_secret_key | Text | Kyber secret key (Base64, encrypted) |
| kem_salt | Text | Salt for KEM key encryption |
| kem_nonce | Text | Nonce for KEM key encryption |
| sig_public_key | Text | Dilithium public key (Base64) |
| sig_secret_key | Text | Dilithium secret key (Base64, encrypted) |
| sig_salt | Text | Salt for signature key encryption |
| sig_nonce | Text | Nonce for signature key encryption |
| created_at | DateTime | Account creation timestamp |
| Column | Type | Description |
|---|---|---|
| id | Integer | Primary key |
| file_id | String | UUID for file |
| encrypted_key | Text | Encrypted file key (Base64) |
| nonce | Text | Nonce for file encryption |
| signature | Text | Digital signature (Base64) |
| sender_public_key | Text | Sender's Dilithium public key |
| sender_id | Integer | Foreign key to users (sender) |
| recipient_id | Integer | Foreign key to users (recipient) |
| encrypted_metadata | Text | Encrypted metadata (Base64) |
| created_at | DateTime | Timestamp |
| is_read | Boolean | Read status |
- `POST /api/register` - User registration
- `POST /api/login` - User login
- `GET /api/users` - Get all users (for recipient selection)
- `POST /api/upload` - Upload and encrypt file
- `GET /api/files/received` - Get received files
- `GET /api/files/sent` - Get sent files
- `POST /api/download` - Download and decrypt file
- `GET /api/files/{file_id}/metadata` - Get file metadata
- Visit http://localhost:3000
- Click "Register" to create an account
- System automatically generates your PQC key pairs
- Log in to your account
- Go to "Upload File" tab
- Select a file and choose a recipient
- Click "Upload & Encrypt"
- Go to "Received Files" tab
- Click "Download & Decrypt" on any file
- File will be automatically decrypted and downloaded
- View sent files in "Sent Files" tab
- Refresh lists to see new files
- All operations are secure and authenticated
Dependencies Issues

```bash
# Reinstall backend dependencies
cd backend
pip install -r requirements.txt --force-reinstall
```

```bash
# Reinstall frontend dependencies
cd frontend
rm -rf node_modules package-lock.json
npm install
```

Environment Variables Not Loading

```bash
# Make sure .env file exists in backend directory
ls -la backend/.env

# Check if python-dotenv is installed
pip list | grep python-dotenv
```

- Private keys are never exposed to the frontend
- All cryptographic operations happen server-side
- Passwords are hashed with bcrypt
- JWT tokens have expiration times
- File access is restricted to authorized users only
- Signature verification prevents tampering
```
spurhacks/
├── backend/
│   ├── main.py              # FastAPI application
│   ├── database.py          # SQLite models and connection
│   ├── auth.py              # Authentication utilities
│   ├── crypto_utils.py      # PQC cryptography functions
│   ├── requirements.txt     # Python dependencies
│   └── .env                 # Environment variables (create this)
├── frontend/
│   ├── src/app/
│   │   ├── page.js          # Main application
│   │   ├── AuthContext.js   # Authentication context
│   │   ├── LoginForm.js     # Login component
│   │   ├── RegisterForm.js  # Registration component
│   │   ├── Dashboard.js     # Main dashboard
│   │   ├── FileUpload.js    # File upload component
│   │   ├── FileInbox.js     # Received files component
│   │   └── SentFiles.js     # Sent files component
│   └── package.json         # Node.js dependencies
└── start.sh                 # Startup script
```
| Variable | Default | Description |
|---|---|---|
| SECRET_KEY | your-secret-key-change-in-production | JWT secret key |
| ACCESS_TOKEN_EXPIRE_MINUTES | 30 | JWT token expiration time |
| HOST | 0.0.0.0 | Server host |
| PORT | 8000 | Server port |
| MAX_FILE_SIZE | 100 | Maximum file size in MB |
| CORS_ORIGINS | * | CORS allowed origins |
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
- NIST: For post-quantum cryptography standards
- liboqs: For the pyOQS Python bindings
- FastAPI: For the excellent web framework
- Next.js: For the React framework