Frequently Asked Questions
I don't want to set up cloud storage just to try it out.
Use the Community Bucket - a shared storage pool funded by donations. No account,
no configuration, just select it when creating a send.
If it's empty, a small donation goes a long way. Storage costs cents on the dollar -
see the calculator - and every contribution funds transfers for you and
anyone else who stumbles in, and helps keep the lights on.
General
What is The File Share Place?
A desktop app and landing website for sending files to anyone via a secure download link. You connect it to your own S3-compatible cloud storage (Backblaze B2, Wasabi, AWS S3, Cloudflare R2, and more) - your files live in your bucket, this platform just coordinates the access. Don't want to set up storage just to try it? The Community Bucket is a shared storage pool funded by donations that you can use right away. Recipients open a link in their browser and decrypt with the passphrase you share with them - no install required.
What does it cost?
The app and relay service are free. You pay an S3-compatible cloud storage provider for the storage and egress that you use. Backblaze B2, my recommended vendor, runs around $6.95 / TB / month with free egress up to 3x your storage. Use of the service is subject to the Terms of Service.
Can I use my homelab / self-hosted storage?
Yes. Any S3-compatible endpoint works, so you can point the app at your own server and keep every byte inside your network. Garage is a great fit for homelab users - it's a lightweight, distributed, open-source S3-compatible object store designed to run on commodity hardware and stay online across geographically distributed nodes. It doesn't support S3 object versioning, which is fine: the app detects that and falls back to standard object listing when cleaning up expired sends. Just drop your endpoint URL, access key, and secret into the app's bucket configuration. Garage is also what our end-to-end integration tests run against on every push, so the upload/download path is exercised against a real Garage instance before every release.
What's the difference between uploading through the browser and the desktop app?
You can send files from the browser using the Community Bucket, no install required. The desktop app unlocks several advantages:
- Bring your own bucket. Optionally connect your own S3-compatible storage (Backblaze B2, Wasabi, Cloudflare R2, etc.) instead of relying on the Community Bucket - no markup!
- Faster uploads. Parallel multipart uploads that fully saturate your bandwidth.
- Pause & resume. Stop a transfer and pick it up later, even after restarting the app.
- No file-size limits. Send and receive files of any size without hitting browser memory constraints during encryption or decryption.
- Send emails directly. Configure your own SMTP server and the app will mail download links to recipients for you - no copy/paste into a separate email client.
Can the desktop app email download links for me?
Yes. In Settings → Email Notifications (SMTP) you can configure any SMTP
server the app will use to send download links on your behalf. Credentials are stored locally on
your device and are never uploaded. Recipient email addresses stay between you and your SMTP
provider - the platform never sees them.
Don't have an SMTP server? Two transactional email services with generous free tiers work well:
- Resend - modern, developer-focused, free tier covers ~3,000 emails/month.
- Postmark - excellent deliverability reputation, free trial and inexpensive paid tiers.
Either provider gives you an SMTP host, port, username, and password you can drop straight into the app's settings.
Can I use my own domain or add custom branding?
Maybe. If you're interested in a branded version of this platform, reach out and we can talk through your needs and pricing. With enough interest, I could consider making a subscription service for branded landing pages on your domain.
Privacy
Why don't you just send the email for me?
Because we don't want your recipients' email addresses, and your recipients shouldn't have
to trust us either. A download link that arrives from you - from your own email
address, in your own words - is something your recipient can verify and trust. A link from
a service they've never heard of is not.
After your upload completes, we generate a ready-to-paste email draft with your title,
message, file list, expiry, and download link already formatted. Copy it into whatever
email client you use and send it yourself. Your recipients stay yours, and we never see a
single address.
Security
Why does the server need my S3 credentials?
When a recipient downloads a file, the server generates a short-lived presigned S3 URL on their behalf. The credentials are only used for this purpose, are stored encrypted, and are deleted when the send expires. I recommend creating a dedicated API key scoped to the minimum required permissions - you can revoke it at any time from your storage provider's dashboard.
Can you read my files?
No. Every send is end-to-end encrypted before anything leaves your device. Downloads go directly from the storage bucket to your recipient's browser, where they are decrypted locally - the server never sees plaintext. I couldn't read your files even if I wanted to. See the Privacy Policy for full details.
If you aren't storing my passwords, how are you granting access when the recipient supplies one?
When you create a send, the app derives a 32-byte master key from the passphrase
using Argon2id (m=64 MiB, t=3, p=1) over a freshly generated 16-byte random
salt. That master is then split via HKDF-Expand (HMAC-SHA256) into two
independent keys: a file key for AES-256-GCM encryption and a verifier sent
to the server. The server stores SHA-256(verifier) alongside the salt -- never the
passphrase, master, or file key.
When your recipient enters the passphrase in their browser, the same Argon2id + HKDF derivation
runs client-side. The resulting verifier is sent to the server over HTTPS, which SHA-256-hashes
it and compares using a constant-time equality check. If it matches, a presigned download URL is
issued; otherwise a 403 is returned. The plaintext passphrase never leaves the browser. The file
key stays in memory for local decryption only.
The demo below runs the same Argon2id derivation in your browser. Hit "Hash it"
more than once with the same passphrase: each run produces a different result because the salt
is regenerated every time, just like it is for each new send.
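
An added example (not the project's own code) of the derive, store, and verify flow described above, written for Node.js. scrypt stands in for Argon2id because it ships with Node's crypto module; the HKDF info labels, function names, and status-code return values are assumptions.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: these HKDF info labels are hypothetical; the page does not publish them.
const INFO_FILE_KEY = 'example file key';
const INFO_VERIFIER = 'example verifier';

// Stand-in for Argon2id (m=64 MiB, t=3, p=1): scrypt is used here only because
// it ships with Node's crypto module. Output is the 32-byte master key.
function deriveMaster(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// HKDF-Expand with HMAC-SHA256 (RFC 5869, section 2.3); no Extract step.
function hkdfExpand(prk, info, length) {
  const blocks = [];
  let prev = Buffer.alloc(0);
  for (let i = 1; i <= Math.ceil(length / 32); i++) {
    prev = crypto.createHmac('sha256', prk)
      .update(prev).update(info).update(Buffer.from([i])).digest();
    blocks.push(prev);
  }
  return Buffer.concat(blocks).subarray(0, length);
}

// Runs on the sender's device and again in the recipient's browser.
function clientDerive(passphrase, salt) {
  const master = deriveMaster(passphrase, salt);
  return {
    fileKey: hkdfExpand(master, INFO_FILE_KEY, 32),  // AES-256-GCM key, never sent
    verifier: hkdfExpand(master, INFO_VERIFIER, 32), // sent to the server over HTTPS
  };
}

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Sender side: fresh 16-byte salt per send; `record` is all the server keeps.
function createSend(passphrase) {
  const salt = crypto.randomBytes(16);
  const { fileKey, verifier } = clientDerive(passphrase, salt);
  return { fileKey, record: { salt, verifierHash: sha256(verifier) } };
}

// Server side: hash the submitted verifier and compare in constant time.
function checkVerifier(record, verifier) {
  const match = crypto.timingSafeEqual(sha256(verifier), record.verifierHash);
  return match ? 200 : 403; // 200 stands in for "issue presigned URL"
}
```

Because the file key and the verifier come from different HKDF info labels, the value the server sees cannot be used to decrypt the file, and a stolen `record` still forces an attacker through the password-hashing step for every guess.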