A lightweight and secure way to transfer files between two computers on a local network (LAN).
Files are fully encrypted, streamed in chunks, and transferred over TLS — making the data unreadable and format-agnostic in transit.
No HTTP headers, MIME types, or filenames are exposed.
- Chunked transfer – streams large files efficiently (supports multi-GB files)
- AES-GCM encryption – encrypts each chunk with authentication
- Pre-shared password – simple symmetric key agreement (derived via PBKDF2 + HKDF)
- TLS layer – protects against packet sniffing and tampering
- Format-agnostic – no clues about file type or structure
- Ephemeral receiver storage – temporary folder for received files
- Progress bar with tqdm – displays real-time chunk progress and throughput
- Clean shutdown – explicit end-of-stream marker for reliable completion
| File | Purpose |
|---|---|
navi_tls_send.py |
Client script to send files |
navi_tls_receive.py |
Server script to receive files |
cert.pem, key.pem |
TLS certificate and private key (self-signed for testing) |
sessions/ |
Directory where received files are stored |
- Python 3.8+
- Packages:
pip install cryptography tqdm
- OpenSSL (for generating test certificates)
-
Generate a test certificate (for TLS encryption):
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 openssl req -new -x509 -key key.pem -out cert.pem -days 365 -subj "/CN=lan-transfer" -
Start the receiver (server) on one machine:
export UPLOAD_PASSWORD="SuperSecret123!" python navi_tls_receive.py --cert cert.pem --key key.pem --host 192.168.1.10 --port 8443
- The server listens on your LAN IP (
192.168.1.10in this example). - Files will be saved to
sessions/received_<session_id>.bin.
- The server listens on your LAN IP (
-
Send a file from another machine on the same LAN:
python navi_tls_send.py /path/to/photo.jpg 192.168.1.10 8443 "SuperSecret123!" --cert cert.pemYou’ll see a progress bar like:
Sending chunk 37/295 (12.5%): 25.6MB [30.2MB/s]
| Layer | Mechanism | Purpose |
|---|---|---|
| Application | AES-GCM (256-bit) per chunk | Confidentiality + integrity |
| Key Derivation | PBKDF2 + HKDF | Derives strong keys from pre-shared password |
| Transport | TLS 1.2/1.3 | Prevents network sniffing or tampering |
| Metadata | Minimal | No filenames, MIME types, or user data |
| End Marker | 0xFFFFFFFFFFFFFFFF | Reliable stream termination |
- Sender derives
enc_keyandmac_keyusing PBKDF2 + HKDF. - Each chunk is encrypted with AES-GCM and authenticated with HMAC-SHA256.
- Chunks are streamed over a TLS socket (not HTTP).
- Receiver verifies HMAC, decrypts, and reassembles.
- This system is for trusted peers on a LAN. It’s not designed as an anonymous transfer tool.
- Traffic remains visible as TLS-encrypted packets but without identifiable file metadata.
- Use strong passwords (≥16 random characters).
- For production, replace the self-signed cert with a proper CA-signed certificate or your own local CA.
- Resume interrupted transfers
- Optional compression (before encryption)
- Progress reporting on receiver side
- Argon2 key derivation for stronger password hardening
- Configurable TTL for automatic file cleanup
This project is licensed under the GNU General Public License v3.0.