Instead of storing decryption keys separately, researchers are experimenting with zero-knowledge proofs that allow a user to prove they have access to a certain layer without revealing which layer. This enables anonymous credentials within the filesystem—e.g., “I have layer 3 access, but don’t tell the server which user I am.”
Congratulations—you now have a fully functional, primitive Onion FS with network anonymity and local file encryption. onion fs
| Component | Role | | ------------------ | -------------------------------------------------------------------- | | | Tor hidden service (v3) with a .onion address | | File server | Lightweight HTTP server (e.g., Nginx, Caddy) or FTP/WebDAV backend | | Auth layer (optional) | HTTP Basic Auth, client certificates, or shared secret via Tor's auth | | Client | Tor Browser + http://<onion>/ or curl --socks5-hostname localhost:9050 | The source uploads a file, but the system
A journalist sets up an Onion FS endpoint that accepts file uploads via a Tor hidden service. The source uploads a file, but the system writes it to an encrypted, multi-layered storage backend. Even if the journalist’s server is seized, investigators cannot determine which layers correspond to which source. The source uploads a file