diff --git a/README.md b/README.md index a1278de..05207e4 100644 --- a/README.md +++ b/README.md @@ -105,29 +105,30 @@ pip install cryptography ### Basic Usage ```bash -# Create paste from file -./fpaste create file.txt +# Create paste from file (encrypts by default) +./fpaste file.txt +# Returns: https://paste.example.com/abc123# + +# Shortcut: file path auto-selects "create" command +./fpaste secret.txt # Same as: ./fpaste create secret.txt # Create paste from stdin echo "Hello" | ./fpaste -# Create encrypted paste (E2E, zero-knowledge) -./fpaste create -e secret.txt -# Returns: https://paste.example.com/abc123# +# Disable encryption (upload plaintext) +./fpaste -E file.txt +./fpaste create --no-encrypt file.txt # Create burn-after-read paste (single access, auto-deletes) -./fpaste create -b secret.txt +./fpaste -b secret.txt # Create paste with custom expiry (1 hour) -./fpaste create -x 3600 temp.txt +./fpaste -x 3600 temp.txt # Combine options: encrypted + burn-after-read -./fpaste create -e -b secret.txt +./fpaste -b secret.txt -# Get paste content -./fpaste get abc12345 - -# Get encrypted paste (auto-decrypts if URL has #key fragment) +# Get paste content (auto-decrypts if URL has #key fragment) ./fpaste get "https://paste.example.com/abc123#" # Get paste metadata @@ -142,12 +143,13 @@ echo "Hello" | ./fpaste ### End-to-End Encryption -The `-e` flag encrypts content client-side using AES-256-GCM before upload: +Content is encrypted by default using AES-256-GCM before upload: - Key is generated locally and never sent to server - Key is appended to URL as fragment (`#...`) which browsers never transmit - Server stores only opaque ciphertext - Retrieval auto-detects `#key` fragment and decrypts locally +- Use `-E` or `--no-encrypt` to disable encryption This provides true zero-knowledge storage: the server cannot read your content. diff --git a/app/api/routes.py b/app/api/routes.py index 341f3b5..e425cde 100644 --- a/app/api/routes.py +++ b/app/api/routes.py 
@@ -456,7 +456,7 @@ class IndexView(MethodView):
 400,
 size=content_size,
 min_size=min_size,
- hint="Encrypt content before uploading (-e flag in fpaste)",
+ hint="Encrypt content before uploading (fpaste encrypts by default)",
 )
 # Entropy check
@@ -476,7 +476,7 @@ class IndexView(MethodView):
 400,
 entropy=round(entropy, 2),
 min_entropy=min_entropy,
- hint="Encrypt content before uploading (-e flag in fpaste)",
+ hint="Encrypt content before uploading (fpaste encrypts by default)",
 )
 # Binary content requirement (reject recognizable formats)
@@ -492,7 +492,7 @@ class IndexView(MethodView):
 "Recognizable format not allowed",
 400,
 detected=detected_format,
- hint="Encrypt content before uploading (-e flag in fpaste)",
+ hint="Encrypt content before uploading (fpaste encrypts by default)",
 )
 # Deduplication check
diff --git a/documentation/api.md b/documentation/api.md
index c26f52f..91f142f 100644
--- a/documentation/api.md
+++ b/documentation/api.md
@@ -558,7 +558,7 @@ export FLASKPASTE_MIN_ENTROPY_SIZE=256 # Only check content >= this size (defaul
 "error": "Content entropy too low",
 "entropy": 4.12,
 "min_entropy": 7.0,
- "hint": "Encrypt content before uploading (-e flag in fpaste)"
+ "hint": "Encrypt content before uploading (fpaste encrypts by default)"
 }
 ```
@@ -597,7 +597,7 @@ export FLASKPASTE_REQUIRE_BINARY=1 # Reject recognizable formats (0=disabled)
 {
 "error": "Recognizable format not allowed",
 "detected": "text/plain",
- "hint": "Encrypt content before uploading (-e flag in fpaste)"
+ "hint": "Encrypt content before uploading (fpaste encrypts by default)"
 }
 ```
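Review bot: The reworded hint in app/api/routes.py (hunks @@ -456, @@ -476 and @@ -492) no longer tells a rejected client what to change. A request that trips the minimum-size, entropy or recognizable-format check was most likely sent in plaintext, so "fpaste encrypts by default" only helps a reader who works out that they passed `-E`/`--no-encrypt` or used a different client. Consider `hint="Encrypt content before uploading (fpaste encrypts by default; omit -E/--no-encrypt)",` in all three places. The same literal appears three times in this file and is mirrored in documentation/api.md, so a single module-level constant would keep the copies from drifting at the next wording change. The enclosing IndexView method starts and ends outside these hunks, so the surrounding call is not visible here.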