docs: update for encrypt-by-default CLI
Some checks failed
CI / Lint & Format (push) Failing after 14s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 21s

Update README.md, api.md, and error hints to reflect:
- encryption is now default (no -e flag needed)
- use -E/--no-encrypt to disable
- file path shortcut (fpaste file.txt)
Username
2025-12-20 18:12:00 +01:00
parent ba29b6e319
commit a2c5a013ef
3 changed files with 20 additions and 18 deletions

@@ -105,29 +105,30 @@ pip install cryptography
### Basic Usage
```bash
# Create paste from file
./fpaste create file.txt
# Create paste from file (encrypts by default)
./fpaste file.txt
# Returns: https://paste.example.com/abc123#<key>
# Shortcut: file path auto-selects "create" command
./fpaste secret.txt # Same as: ./fpaste create secret.txt
# Create paste from stdin
echo "Hello" | ./fpaste
# Create encrypted paste (E2E, zero-knowledge)
./fpaste create -e secret.txt
# Returns: https://paste.example.com/abc123#<key>
# Disable encryption (upload plaintext)
./fpaste -E file.txt
./fpaste create --no-encrypt file.txt
# Create burn-after-read paste (single access, auto-deletes)
./fpaste create -b secret.txt
./fpaste -b secret.txt
# Create paste with custom expiry (1 hour)
./fpaste create -x 3600 temp.txt
./fpaste -x 3600 temp.txt
# Combine options: encrypted + burn-after-read
./fpaste create -e -b secret.txt
./fpaste -b secret.txt
# Get paste content
./fpaste get abc12345
# Get encrypted paste (auto-decrypts if URL has #key fragment)
# Get paste content (auto-decrypts if URL has #key fragment)
./fpaste get "https://paste.example.com/abc123#<key>"
# Get paste metadata
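Review bot: The "Combine options: encrypted + burn-after-read" example near the end of this hunk now reads `./fpaste -b secret.txt`, which is the same command as the burn-after-read example a few lines above it, so it no longer shows a combination of anything. Either drop it or show two options that are both still explicit, such as `-b` together with `-x 3600`, and note in the comment that encryption is implied. The stdin example (`echo "Hello" | ./fpaste`) also does not say whether piped input is encrypted by default or show a returned `#<key>` URL; state it, since readers used to `-e` need to know which inputs the new default covers.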
@@ -142,12 +143,13 @@ echo "Hello" | ./fpaste
### End-to-End Encryption
The `-e` flag encrypts content client-side using AES-256-GCM before upload:
Content is encrypted by default using AES-256-GCM before upload:
- Key is generated locally and never sent to server
- Key is appended to URL as fragment (`#...`) which browsers never transmit
- Server stores only opaque ciphertext
- Retrieval auto-detects `#key` fragment and decrypts locally
- Use `-E` or `--no-encrypt` to disable encryption
This provides true zero-knowledge storage: the server cannot read your content.
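Review bot: The closing sentence "This provides true zero-knowledge storage: the server cannot read your content" stays unconditional, while the bullet added just above it introduces `-E`/`--no-encrypt`, which the README usage block describes as uploading plaintext. Qualify the claim, for example "With encryption enabled (the default), the server cannot read your content", and consider moving the `-E` bullet out of the list of security properties, since it is an opt-out and not a guarantee. The section also does not say whether the old `-e` flag is still accepted or now rejected, which matters for existing scripts.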

@@ -456,7 +456,7 @@ class IndexView(MethodView):
400,
size=content_size,
min_size=min_size,
hint="Encrypt content before uploading (-e flag in fpaste)",
hint="Encrypt content before uploading (fpaste encrypts by default)",
)
# Entropy check
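Review bot: The new hint text "(fpaste encrypts by default)" gives the caller nothing to act on: a client that hits this 400 most likely sent unencrypted content, either with `-E`/`--no-encrypt` or from a client other than fpaste, and being told that fpaste encrypts by default does not say what to change. Suggest wording that names the fix, such as "Encrypt content before uploading (fpaste: omit -E/--no-encrypt)".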
@@ -476,7 +476,7 @@ class IndexView(MethodView):
400,
entropy=round(entropy, 2),
min_entropy=min_entropy,
hint="Encrypt content before uploading (-e flag in fpaste)",
hint="Encrypt content before uploading (fpaste encrypts by default)",
)
# Binary content requirement (reject recognizable formats)
@@ -492,7 +492,7 @@ class IndexView(MethodView):
"Recognizable format not allowed",
400,
detected=detected_format,
hint="Encrypt content before uploading (-e flag in fpaste)",
hint="Encrypt content before uploading (fpaste encrypts by default)",
)
# Deduplication check
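Review bot: This is the third call site in this file to receive the identical hint literal (the size check, the entropy check and the recognizable-format check all change the same string). Hoist it into one module-level constant and reference it from all three, so the next CLI wording change is a one-line edit and the three messages cannot drift apart.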

@@ -558,7 +558,7 @@ export FLASKPASTE_MIN_ENTROPY_SIZE=256 # Only check content >= this size (defaul
**Caveats:**
- Small data is exempt (configurable via `MIN_ENTROPY_SIZE`, default 256 bytes)
- Compressed data (gzip, zip) also has high entropy — not distinguishable from encrypted
- This is a heuristic, not cryptographic proof of encryption
- This is a heuristic, not cryptographic proof of encryption
**Recommended thresholds:**
| Threshold | Effect |
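Review bot: The removed and added "This is a heuristic, not cryptographic proof of encryption" lines read identically, so this hunk is a whitespace-only change, and the same holds for the `application/pdf` line in the next hunk. The commit message says the docs were updated for encrypt-by-default, but neither hunk shown for this file changes any wording. Either move the whitespace cleanup into its own commit or confirm that no `-e` references remain in this document.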
@@ -597,7 +597,7 @@ export FLASKPASTE_REQUIRE_BINARY=1 # Reject recognizable formats (0=disabled)
**Detected formats:**
- `text/plain` (valid UTF-8 text)
- `image/png`, `image/jpeg`, `image/gif`, `image/webp`
- `application/pdf`, `application/zip`, `application/gzip`
- `application/pdf`, `application/zip`, `application/gzip`
**vs Entropy enforcement:**
| Method | Detects | False positives |