KEIBIDROP

Post-quantum encrypted. No servers*. Open source.

Two devices, one full-duplex connection. Files transfer directly between peers over IPv6, encrypted with ChaCha20-Poly1305 over a hybrid ML-KEM + X25519 key exchange. No accounts, no cloud, no middleman. Both peers see each other's shared files in real time and download only what they need.

View on GitHub Get Started

What You Get

Synchronous file transfer

Both peers are online at the same time. Files move directly between devices in real time. No upload, no download link, no waiting.

No accounts, no passwords

Identity is an ephemeral cryptographic fingerprint, generated fresh on every startup. No email, no registration.

Keys disappear after the session

Disconnect and your keys are rotated. A new fingerprint is generated, and the previous identity ceases to exist. There is nothing to leak and nothing to revoke.

Files never touch a server

Everything travels directly between your device and your peer. The relay only exchanges ephemeral public keys so the two peers can find each other. It never sees your files, your metadata, or your real keys.

Access on demand

You see all your peer's shared files immediately. Drag folders in, and the listing shows up on the other side in real time. Download only the files you actually need.

Resume on reconnect

Large transfers use chunk-based streaming. If the connection drops, completed chunks are preserved. Reconnect and continue from where you stopped.

Post-quantum encryption

ML-KEM-1024 + X25519 hybrid key exchange. If quantum computers break classical crypto, your session keys are still safe.

IPv6 only (for now). Both peers need globally routable IPv6 addresses. Check yours here. No STUN, no TURN, no NAT traversal hacks. This keeps the design simple and avoids leaking IP metadata to third-party relay infrastructure. IPv4 support may come later.

*A relay server is used to exchange ephemeral public keys between peers and to track how many people use the service. It does not route traffic, store files, or see any plaintext data. Once the handshake completes, the relay is out of the picture; peers talk directly to each other.

How It Works

  1. Start KEIBIDROP on both devices

    Each device generates a unique cryptographic fingerprint. This is your identity for this session.

    KeibiDrop home screen showing generated fingerprint
    Home screen with generated fingerprint
  2. Exchange codes via any channel

    Copy your code and send it over Signal, Telegram, email, whatever. Your peer does the same. Paste their code and hit Add.

    Connect screen with fingerprint exchange
    Registering the peer's fingerprint
  3. Create or join a room

    One peer creates, the other joins. Direct IPv6 connection established. Hybrid post-quantum handshake completed in under 3ms.

  4. Share files

    Drag files into the window or use the CLI. They appear on the other side in real time. With FUSE mode, shared files show up as a virtual folder in Finder or your file manager.

    FUSE mode with shared files No-FUSE mode with file list

See It In Action

FUSE mode: files appear as a virtual folder

FUSE connected view FUSE file browser view FUSE with multiple files

No-FUSE mode: drag and drop, save buttons

No-FUSE file transfer No-FUSE with progress No-FUSE completed transfers

Three Interfaces

Desktop GUI

Rust + Slint native UI. Drag and drop files, progress bars, file type icons. macOS, Linux, Windows.

Interactive CLI

Terminal REPL with a prompt. Type commands, see results. For developers who live in the terminal.

Agent CLI (kd)

Non-interactive daemon with JSON output over Unix socket. Built for AI agents and automation scripts.

Interactive CLI

KeibiDrop interactive CLI session
Interactive CLI session: register peer, create room, share files

All three interfaces support FUSE (virtual folder) and no-FUSE (explicit add/pull commands) operation.

Under The Hood

ML-KEM-1024 NIST post-quantum standard (Kyber). Lattice-based key encapsulation. Go 1.24 standard library.
X25519 Classical elliptic curve, battle-tested. Combined with ML-KEM in a hybrid scheme for defense in depth.
ChaCha20-Poly1305 Fast authenticated encryption for all file data and control messages.
gRPC over TLS Type-safe Protocol Buffers. Custom transport credentials. Direct P2P, no certificate authorities.
FUSE filesystem Mounts as a real folder. Open files in any app. macFUSE, WinFsp, fuse3.
IPv6 direct P2P Global unicast addresses. No STUN/TURN. No NAT traversal.

Privacy

KEIBIDROP sends no analytics, no crash reports, no usage data. Identity is a cryptographic key pair generated locally. Keys rotate on every disconnect; your fingerprint changes and previous sessions cannot be linked to new ones.

The relay exists only to exchange ephemeral public keys between peers. It stores encrypted blobs it cannot decrypt, indexed by a lookup token derived from the fingerprint (not the fingerprint itself). It cannot correlate registrations. After the handshake completes, the relay is no longer involved.

Session keys are rekeyed automatically after 1 GB of data or 1 million messages. If a key is compromised, only a fraction of the session is exposed. Every line of code is auditable under MPL 2.0.

Get Started

Interactive CLI

# Terminal 1 (Alice)
export KEIBIDROP_RELAY=https://keibidroprelay.keibisoft.com
export TO_SAVE_PATH=./SaveAlice TO_MOUNT_PATH=./MountAlice
./keibidrop-cli

keibidrop> register <Bob's fingerprint>
keibidrop> create
keibidrop> add /path/to/file.pdf

# Terminal 2 (Bob)
export KEIBIDROP_RELAY=https://keibidroprelay.keibisoft.com
export TO_SAVE_PATH=./SaveBob TO_MOUNT_PATH=./MountBob
./keibidrop-cli

keibidrop> register <Alice's fingerprint>
keibidrop> join
keibidrop> list
keibidrop> pull file.pdf ./SaveBob/file.pdf

Agent CLI (kd)

The kd tool runs as a background daemon. All commands return JSON. Designed for Claude Code and similar AI agents. 

# Start daemon (FUSE mode recommended for agents)
KD_SAVE_PATH=./saved KD_MOUNT_PATH=./mount \
  KD_SOCKET=/tmp/kd.sock ./kd start

# Exchange fingerprints and connect
./kd show fingerprint
./kd register <peer-fp>
./kd create

# After connecting, the mount path is a live synced folder
ls ./mount/
cat ./mount/readme.txt
cp ./myfile.pdf ./mount/

# Cleanup
./kd disconnect
./kd stop

Full reference: Agent Integration Guide

Desktop GUI (Rust + Slint)

export NO_FUSE=1  # omit for FUSE mode
export TO_SAVE_PATH=./SaveAlice TO_MOUNT_PATH=./MountAlice
./keibidrop-rust

FFI (embed in your app)

KEIBIDROP compiles to a C static library (libkeibidrop.a + libkeibidrop.h). Call from Rust, Swift, Python, or any language with C FFI. 

KD_Initialize(relay, inbound, outbound, mount, save, fuse, prefetch, push);
KD_AddPeerFingerprint(peer_fp);
KD_CreateRoom();
KD_AddFile("/path/to/file.pdf");
KD_SaveFileByName("file.pdf", "/save/path/file.pdf");

Built With

~11,000 lines of Go (plus ~5,000 lines of tests). 10 months, two developers, Claude as a coding partner since November 2025.

The KEIBIDROP Blog Series

Open Source

KEIBIDROP is free and open source under the Mozilla Public License 2.0. The source code is available for inspection, cryptographic audit, and building from source.

GitHub Repository Enterprise Inquiries

Commercial licensing, priority support, custom integrations, and private relay hosting available for organizations.