Blog
Topics for Founders, Operators, and the Terminally Overwhelmed
KEIBIDROP Series
Talk: Post-Quantum Encrypted P2P File Transfer (Pass the SALT 2026)
Conference talk at Pass the SALT 2026 in Lille. A walk through the KEIBIDROP architecture: the hybrid post-quantum handshake, the on-demand FUSE filesystem, the two latency boundaries (block size on the same machine, round-trip time across the world) and how we hide them, how an edit propagates, and the open problems that remain.
Watch the recording · Slides (PDF) · Talk page
35 min talk
KEIBIDROP in plain language
Non-technical guides on what KEIBIDROP does and how to use it: sharing large files, streaming video from another device, using your programs on files from another computer, and more.
100,000 Files: What Eager Metadata Costs (June 2026)
KeibiDrop announces every shared file to the peer up front. Measured at 100,000 files: 24.6 s to index and announce (about 4,000 files/s), the peer holds the full index in 60 MiB (~270 bytes per file), byte-perfect, and the metadata arrives concurrently so there is no extra wait. Over a real 17 ms WAN (Intel Mac in Iasi to a VPS in Timisoara, mount to mount on demand) the same 100,000 land in about 72 s — most of it the sharer's own file writes, the metadata riding along — and any file then opens on demand in 30 to 40 ms. Cold-path git over the same mount stays sub-second. Why this beats per-open lazy fetches, and why the obvious byte-saving optimization would not make it faster.
5 min read
Smooth On-Demand Playback Over 200 ms (June 2026)
The Singapore link made a full-speed on-demand read fast (22 to 30 MB/s), but a video player reads at its bitrate, not at full speed, so it still froze for a round trip at every 16 MiB boundary. Predictive read-ahead keeps the next blocks buffered ahead of the playhead. A cold 3 MB/s paced playback went from 5 freezes (2.6 s frozen) to 0 on the Windows mount, and 13 to 1 on Linux. Plus why FUSE reads arrive out of order, and a stale binary that almost hid the result.
7 min read
KEIBIDROP Footprint: Memory and Binary Size (June 2026)
What the daemon and app cost at rest and under load. The engine idles at about 13 MiB; resident memory grows with the number of files tracked (0.68 KiB per file with no FUSE, 0.84 to 2.55 KiB with the mount up), not with data moved, so 300,000 files cost about 214 MiB with no mount and up to 761 MiB with FUSE. A 1 GiB transfer holds a flat working set of 102 to 169 MiB. On disk, one statically linked 20 MB binary, with downloads of 19 to 35 MB per platform.
5 min read
Romania to Singapore: KEIBIDROP Over 330 ms (June 2026)
A Windows test box in Singapore, measured from Romania at about 200 and 330 ms over the bridge. 30 to 38 MB/s into the box, 13 to 25 MB/s out, 6.3 s to connect (almost all a failed IPv6 dial before bridge fallback), FUSE on-demand first byte under 1.5 s. What the numbers say about round-trip time, the send path, and Windows FUSE, plus three bugs the box found.
6 min read
PostgreSQL Across Two Machines, Byte-Perfect (June 2026)
The cross-machine database handoff over a cold P2P FUSE mount now round-trips byte-identical: 1000 rows written on a Linux VPS, read on macOS with a matching md5, all fetched on demand. The three bugs in the way: data races on file metadata found with the race detector, git's atomic renames not propagating (the "bad object HEAD" failure), and silently dropped notifications. Plus git-LFS at 3.6 GB, 0 corrupt.
9 min read
KEIBIDROP v0.3.0
Persistence, resumable downloads, presence, and five platforms. Saved files browser, Bonjour discovery, unshare, disconnect detection, iOS background notifications. CLI at full parity. Critical relay fallback bug fixed.
4 min read
Benchmark Matrix: Loopback, WAN, WiFi, and iOS (May 2026)
662 MB/s loopback (50% faster than March), 55 MB/s laptop-to-VPS (88% wire saturation at 500 Mbps), 47 MB/s iPhone-to-laptop over WiFi, 43 MB/s through Timisoara bridge. FUSE-over-WAN at 22.5 MB/s (macOS) vs 7.9 MB/s (Linux). gRPC HTTP/2 window tuning and push-based StreamFile RPC.
8 min read
Architecture Map: From Raw TCP to Encrypted Virtual Filesystem
The complete architecture reference. Identity tiers, hybrid post-quantum handshake, dual-TCP encrypted channels, relay privacy, FUSE evolution from minimal to production, transport stack diagrams, cross-platform matrix, and every source file linked.
18 min read
KEIBIDROP v0.1.0
Source code public, binaries for macOS (arm64 + x86_64), Linux, and Windows. Post-quantum encryption, FUSE virtual filesystem, LAN discovery, bridge relay. Three interfaces: desktop UI, interactive CLI, and JSON daemon for scripts.
5 min read
Building Post-Quantum Encrypted File Sync
The full technical overview. 7,000 lines of Go, 140 hours, and lessons learned building a cross-platform encrypted file sync tool with ML-KEM and X25519.
6 min read
FUSE Disconnect and Reconnect: Six Bugs in One Session
Why cgofuse can only mount once per process, and how we fixed disconnect hangs, reconnect failures, and context cancellation races in a single debugging session.
10 min read
Debugging FUSE Deadlocks on Intel Macs
How lock ordering and brief-lock patterns saved us from frozen filesystems. pprof, structured logging, and the Intel vs M1 difference.
8 min read
Hybrid Post-Quantum Encryption for gRPC
ML-KEM + X25519 handshake, custom gRPC transport credentials, 3ms overhead. Defense in depth applied to cryptography.
10 min read
Cross-Platform File Sync: The Hidden Complexity
macOS atomic saves, Windows mandatory locking, 47 Linux distros. The sync state machine and why you should budget 3x the time.
9 min read
Building KEIBIDROP While Burned Out
127 commits, 60 hours, 9 months. Sustainable development after burnout. Small progress is still progress.
7 min read
The Write/Release Race Condition
When the kernel closes your file mid-write. Timestamp debugging, RWMutex discipline, and knowing when lock rules apply.
8 min read
10x FUSE Performance via Block Size Tuning
One line changed st_blksize from 4KB to 2MB. 300 MB/s became 3,400 MB/s. Empirical systems engineering.
7 min read
Making Git Work Inside a FUSE Filesystem
mmap, fsync races, fcopyfile quirks, and per-file direct_io. Five bugs, five fixes, git works.
9 min read
Why macOS Preview Can't Read Your FUSE Files
Three-layer debugging: sandboxing + Gatekeeper + mmap. Each fix alone does nothing. All three required.
8 min read
Privacy-Preserving P2P Discovery: How the Relay Works
Dual key derivation, encrypted registration blobs, and why the relay sees nothing. Room passwords, lookup tokens, and the privacy model.
8 min read
Forward Secrecy: Automatic Key Rotation During Sessions
Rekey after 1 GB or 1M messages. Hybrid ML-KEM + X25519 rekey protocol. Counter-based nonces with direction prefixes.
9 min read
Building a CLI for AI Agents
The kd tool: daemon + Unix socket, JSON output, direct function calls. How to build CLI tools that AI agents can actually use.
7 min read
Testing P2P Systems Without External Dependencies
Mock relay, TestPair harness, dynamic ports, cgofuse one-mount workaround. 36 integration tests in 139 seconds, all self-contained.
8 min read
Optimizing Encrypted P2P Transfer: From 225 to 452 MB/s
Layer-by-layer benchmarking and six optimizations. Cipher caching, combined TCP writes, in-place decryption, async cache writes, push-based streaming, and the irreducible 51% FUSE overhead.
8 min read
Cutting 29% CPU from the Encrypted Transport
CPU profiling found 29% of time in memmove, not encryption. Replacing bytes.Buffer with direct slice handoff and adding sync.Pool pushed PullFile throughput to 623 MB/s. ~30 lines changed.
8 min read
Adding AES-256-GCM with Hardware Acceleration
Automatic AES-NI detection and cipher negotiation. Encrypted gRPC throughput from 442 MB/s to 490 MB/s (+11%). Same wire format, domain-separated key derivation, ~80 lines of new code.
8 min read
Benchmarks vs croc, wormhole, LocalSend, and scp
Localhost loopback benchmarks with all tools built from source. KeibiDrop gRPC: 442 MB/s. croc: 153 MB/s. wormhole: 126 MB/s. LocalSend protocol: 612 MB/s. Cipher isolation and overhead breakdown included.
10 min read
Git Clone Between Two FUSE Peers: The Last Puzzle Piece
Eight bugs fixed to make git clone, commit, and checkout work between encrypted P2P FUSE peers. Rename races, pack file truncation, kernel cache poisoning, notification flooding, LFS corruption, and cache coherency.
14 min read
How File Descriptor Recycling Broke PostgreSQL on FUSE
POSIX mandates lowest-available fd. In a concurrent FUSE handler with 224 files created per second, fd numbers collide constantly. 50% data loss during initdb, fixed with opaque handle IDs.
8 min read
Benchmarks, April 2026: Encrypted Throughput and PostgreSQL on FUSE
1,707 MB/s encrypted channel, 585 MB/s file transfer, 1,130 MB/s FUSE writes. PostgreSQL runs with full ACID on the FUSE mount. 75.8% POSIX compliance. Honest numbers from two machines.
10 min read
Cross-Peer PostgreSQL: Iasi to Timisoara Over Encrypted P2P
977 files synced in real time between an Intel Mac and a Linux VPS. PostgreSQL initdb, 15,000 rows, VACUUM ANALYZE. It almost worked. One notification timing bug remains.
10 min read
Security Leadership & Strategy
NIST RMF Roles for Startups: Who Does What
How to assign NIST RMF roles across 5 or 50 people. Which roles must never be combined. How two acquired companies handled separation of duties.
10 min read
Building Trust Between Entities: A Philosophy for Security
What trust means in business relationships. Sun Tzu, Richard Stallman, NIST trust models, and practical lessons from security questionnaires and acquisitions.
8 min read
Why Startups Need a Fractional CISO
Senior security expertise without the full-time cost. When it makes sense and what you actually get.
4 min read
Compliance & Operations
ISO 27001 in 90 Days: A Realistic Guide
How to get certified fast without cutting corners. A practical timeline based on real experience.
5 min read
How to Survive Your First Security Questionnaire
Security reviews don't have to be chaos. What B2B startups need to know before they open that spreadsheet.
3 min read
Your SaaS Demo Broke. Again. Time to Fix It.
If your product keeps crashing during sales calls, it's not "bad luck." It's infra debt. You need to stabilize it so you can stop sweating during Zoom calls.
2 min read
Engineering & Architecture
Post-Quantum Cryptography in Practice: ML-KEM + X25519
How KeibiDrop uses ML-KEM-1024 + X25519 hybrid key exchange for post-quantum security. What we use, what we don't use yet, and why hybrid.
4 min read
Detect Security Issues Fast: A Practical DevSecOps Guide
Learn how to integrate security into your CI/CD pipelines using automated scans and best practices based on the OWASP DevSecOps guidelines.
8 min read
Notes on Cryptographic Primitives
Benchmarks and tradeoffs: availability, integrity, and confidentiality of files.
10 min read
go-fp in Production: Metaprogramming + Functional Composition
XSD code generation meets go-fp. 113 generated files, 13 catalogue types, 1 generic function. How we handle healthcare data imports for Romania's national health system.
7 min read
Algorithms & Complexity
The MST Problem: Three Subproblems to Linear Time
Decomposing the famous open problem into three independent targets. Pointer machines, approximate union-find, density partitions, and cycle hierarchies. From my 2018 master's thesis at DIKU.
12 min read