Turn your Telegram bot into unlimited, encrypted cloud storage.
Free forever. Zero-knowledge. No sign-up. No credit card. No limits.
π Quick Start Β β’Β FAQ Β β’Β Why TAS? Β β’Β Features Β β’Β Security Β β’Β CLI Docs Β β’Β Docker / CI Β β’Β Changelog
TL;DR β One
npm install, onetas init, thentas push yourfile.pdf. Your file is now AES-256 encrypted and stored for free on Telegram's infrastructure. No accounts, no fees, no vendor lock-in. Seriously.
Every major cloud provider has one of three business models: scanning your data, charging you money, or capping your storage. There is no free lunch.
| Provider | Free Tier | Reads Your Data? | CLI-First? | Encryption At Rest (by you)? |
|---|---|---|---|---|
| Google Drive | 15 GB | β Yes (indexes for ads) | β | β |
| Dropbox | 2 GB | β Can access | β | β |
| iCloud | 5 GB | β Apple ToS | β | β |
| Mega | 20 GB | β Closed-source E2EE | β | β |
| Backblaze B2 | 10 GB | β | β | β (you add it) |
| TAS + Telegram | βΎοΈ Unlimited | β Impossible (AES-256) | β First-class | β Always |
Meanwhile, Telegram gives every bot unlimited file storage via its public Bot API β and almost nobody is using it.
TAS compresses, encrypts (AES-256-GCM), chunks, and uploads your files to your own private Telegram bot chat. Your password never leaves your machine. Telegram only ever sees encrypted noise. You get a fully-featured, CLI-native cloud drive with FUSE mount, Dropbox-style sync, expiring share links, and tagging β at $0/month, forever.
Your Machine Telegram Cloud
βββββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββ
β β β β
β tas push secret.tar.gz ββββ gzip βββ β π Encrypted Blob #1 β
β tas mount ~/cloud ββββ AES-256 ββββ π Encrypted Blob #2 β
β tas sync start ββββ chunk βββ β π Encrypted Blob #3 β
β β β (Private Bot Chat) β
β tas pull secret.tar.gz ββββ decrypt ββββ β
β (SHA-256 verified) ββββ decomp ββββ β Stream on demand β
β β β β
βββββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββ
SQLite Index Unlimited & Free
Three commands. Under two minutes. Zero cost.
# 1. Install globally
npm install -g @nightowne/tas-cli
# 2. Connect your Telegram bot (guided wizard β takes ~60 seconds)
tas init
# 3. Start using it
tas push secret.pdf # Encrypt + compress + upload
tas pull secret.pdf # Download + decrypt + verify
tas list # See everything you've storedNeed a Telegram bot? Open Telegram β search
@BotFatherβ/newbotβ copy the token. That's it.
|
|
Use Telegram storage exactly like a USB drive β drag and drop, open in any app.
tas mount ~/cloud # Mount your Telegram storage as ~/cloud
ls ~/cloud # Browse your encrypted files normally
cp report.pdf ~/cloud/ # Drop files in β auto-encrypted and uploaded
tas unmount ~/cloud # Clean unmount when doneRequirements:
apt install fuse libfuse-dev(Linux) Β·brew install macfuse(macOS)
Register a local folder and TAS watches it. Any new or changed file is automatically encrypted and uploaded.
tas sync add ~/Documents # Register ~/Documents for auto-sync
tas sync start # Start the watcher (runs in background)
tas sync pull # Pull all synced files back down
tas sync status # See what's queued / synced / pendingGenerate time-limited, download-limited share links. Recipients get a clean dark-themed download page. Your password is never shared β files are decrypted on-the-fly by the local server.
tas share create report.pdf --expire 24h --max-downloads 5
# β http://localhost:3000/d/a1b2c3d4e5f6...
tas share create backup.tar.gz --expire 1h --max-downloads 1 # Burn-after-read
tas share list # See active links with expiry info
tas share revoke a1b2c3d4 # Revoke instantly, anytimetas tag add report.pdf work Q4 finance
tas tag add keys.env secrets production
tas search "report" # Search by filename pattern
tas search -t work # All files tagged "work"
tas search -t secrets # Quickly find your credentialstas doctor
# β Node.js 20.11.0
# β Config v2 (encrypted bot token β AES-256-GCM at rest)
# β Database: 42 files, 1.3 GB total across 28 chunks
# β Disk space: 50 GB free (32% used)
# β Encryption: AES-256-GCM Β· PBKDF2-SHA512 Β· 600,000 iterations (OWASP 2025)
# β Telegram connectivity: OK
# β¨ All systems go!TAS is fully scriptable. No interactive prompts needed when TAS_PASSWORD is set.
# Environment-based automation
export TAS_PASSWORD="your-password"
export TAS_DATA_DIR="/custom/path"
# Pipe to jq
tas list --json | jq '.[].filename'
tas list --json | jq '.[] | select(.size > 1000000)' # Files > 1MB
# GitHub Actions backup step
tas push db-backup-$(date +%Y%m%d).sql.gz
# cron: nightly backup at 2am
0 2 * * * TAS_PASSWORD=$SECRET tas push /var/backups/db.tar.gz
# JSON machine output everywhere
tas status --json
tas list --jsonFROM node:20-alpine
RUN npm install -g @nightowne/tas-cli
ENV TAS_PASSWORD=""
ENV TAS_DATA_DIR="/data"
VOLUME ["/data"]
CMD ["tas", "status"]# .github/workflows/backup.yml
name: Nightly Backup
on:
schedule:
- cron: '0 2 * * *'
jobs:
backup:
runs-on: ubuntu-latest
steps:
- name: Install TAS
run: npm install -g @nightowne/tas-cli
- name: Push backup
env:
TAS_PASSWORD: ${{ secrets.TAS_PASSWORD }}
TAS_DATA_DIR: ${{ runner.temp }}/tas-data
run: |
tas init --token ${{ secrets.TELEGRAM_BOT_TOKEN }} --chat ${{ secrets.TELEGRAM_CHAT_ID }}
tar czf backup-$(date +%Y%m%d).tar.gz ./important-data/
tas push backup-$(date +%Y%m%d).tar.gzTAS implements zero-knowledge encryption β we can't read your data, Telegram can't read your data, and nobody without your password ever can.
| Layer | Implementation | Standard |
|---|---|---|
| Cipher | AES-256-GCM (authenticated encryption) | NIST FIPS 197 |
| Key Derivation | PBKDF2-SHA512, 600,000 iterations | OWASP 2025 |
| Salt | 32 bytes, crypto.randomBytes() β unique per file |
No rainbow tables |
| IV/Nonce | 12 bytes, crypto.randomBytes() β unique per file |
No nonce reuse |
| Auth Tag | 16 bytes GCM tag β any tampered bit = instant rejection | Tamper detection |
| Bot Token | Encrypted at rest in config.json (AES-256-GCM) |
Config v2 |
| Password Verification | crypto.timingSafeEqual() on both PBKDF2 and legacy paths |
Timing-safe |
| Config Permissions | chmod 600 config.json on creation |
No world-readable secrets |
| Integrity | SHA-256 hash verified on every single download | Bit-perfect guarantee |
| Share Server | Binds 127.0.0.1 by default, XSS-escaped, RFC 6266 filenames |
LAN-safe |
π¦ a7f3b2c1e9d4f820.tas β 12.4 MB β application/octet-stream
An opaque, encrypted blob. No filename. No content type. No metadata. Just noise.
| Threat | Mitigated? | How |
|---|---|---|
| Telegram reads your files | β Yes | AES-256-GCM β mathematically impossible without key |
| Someone steals your config.json | β Yes | Bot token encrypted at rest; password hash is PBKDF2 |
| Brute-force your password | β Yes | 600k PBKDF2 iterations β 100ms/attempt minimum |
| Tampered download | β Yes | SHA-256 check + GCM auth tag on every download |
| Timing attack on password | β Yes | crypto.timingSafeEqual() on all comparisons |
| Share link exposure | β Yes | Localhost-only by default; expiry + download limits |
Built with the same philosophy as professional backup tools (restic, borg, rclone):
| Feature | Implementation |
|---|---|
| Exponential Backoff | Auto-retry with jitter on Telegram 429 errors and network timeouts |
| Rate Limiting | Built-in 1 msg/sec β never trips Telegram's rate limits |
| Integrity Verification | SHA-256 hash verified after every single download |
| Resume Uploads | tas resume picks up interrupted multi-chunk uploads |
| Graceful Shutdown | SIGINT/SIGTERM handled β zero corruption risk on Ctrl-C |
| Self-Diagnostics | tas doctor validates your entire setup end-to-end |
Core Commands
tas init # π Interactive setup wizard (create bot in ~60s)
tas push <file> [file2...] # β¬οΈ Encrypt + compress + upload
tas pull <file|hash> # β¬οΈ Download + decrypt + verify
tas list [-l] [--json] # π List all stored files
tas delete <file|hash> # ποΈ Remove from index (--hard removes from Telegram)
tas status [--json] # π Storage stats & database health
tas search <query> [-t tag] # π Find by filename or tag
tas resume # π Resume interrupted uploads
tas verify # β
Verify every file still exists and is intact
tas doctor # π©Ί Full system health checkMount & Sync
# FUSE Mount
tas mount <path> # Mount Telegram storage as a local folder
tas unmount <path> # Clean unmount
# Dropbox-style Folder Sync
tas sync add <folder> # Register folder for auto-sync
tas sync start # Start watching for changes
tas sync pull # Download all synced files locally
tas sync status # Show sync queue and statusShare & Tags
# Expiring Share Links
tas share create <file> [--expire 1h|24h|7d] [--max-downloads N]
tas share list # Active links with expiry countdown
tas share revoke <token> # Instantly revoke a share
# File Tagging
tas tag add <file> <tag> [tag2...]
tas tag remove <file> <tag>
tas tag list [tag] # List all tags, or files with a specific tagEnvironment Variables
TAS_PASSWORD="..." # Skip password prompts (CI/CD, cron, Docker)
TAS_DATA_DIR="/custom/path" # Override default ~/.tas data directorysrc/
βββ cli.js # Commander-based CLI β all commands defined here
βββ index.js # Core streaming upload/download pipeline
βββ crypto/
β βββ encryption.js # AES-256-GCM + PBKDF2-SHA512 (600k iterations)
βββ db/
β βββ index.js # SQLite index: files, chunks, tags, shares, sync
βββ telegram/
β βββ client.js # Bot API wrapper β retry, rate-limit, streaming
βββ fuse/
β βββ mount.js # FUSE filesystem β mount Telegram as a local folder
βββ share/
β βββ server.js # HTTP server β expiring encrypted share links
βββ sync/
β βββ sync.js # fs.watch folder watcher β Dropbox-style auto-sync
βββ utils/
βββ download-stream.js # Shared TelegramβDecryptβDecompress pipeline
βββ compression.js # Smart gzip (skips already-compressed formats)
βββ chunker.js # 49 MB chunks + WAS1 binary file headers
βββ progress.js # Terminal progress bars with MB/s + ETA
βββ throttle.js # Bandwidth limiter (stream transform)
βββ branding.js # ASCII art + version display
βββ cli-helpers.js # Password management + config resolution
Tech stack: Node.js 18+ Β· better-sqlite3 Β· node-telegram-bot-api Β· fuse-native Β· Commander Β· Chalk Β· Ora Β· Inquirer
| Use Case | Example |
|---|---|
| π Personal document vault | Taxes, contracts, scans, receipts β encrypted |
| π Secrets & credentials | .env files, SSH private keys, API tokens |
| ποΈ Password manager sync | KeePass .kdbx, 1Password vaults, Bitwarden exports |
| π¦ Code project backups | Git bundles, build artifacts, config files |
| π¬ Private media archive | Photos, videos, music β encrypted & searchable |
| π Ephemeral file sharing | Burn-after-read links with download limits |
| πΎ Offsite backup | Nightly database dumps, system configs via cron |
| π€ CI/CD artifacts | Store build outputs, test reports, deployment keys |
Not ideal for: Mission-critical business data (use professional backup tools alongside this), team collaboration (no multi-user support yet), or replacing full backup systems β Telegram can theoretically delete old messages.
No. Here's the complete picture:
- β Bot API is a public, documented feature β Telegram designed file uploads into the Bot API intentionally
- β You're sending to your own private bot chat β not a public channel, not spamming
- β Content is encrypted β Telegram cannot detect what you're storing
- β No published storage limits β individual files cap at 2 GB (TAS chunks automatically)
- β Strong precedent β thousands of file-sharing bots, backup tools, and media archives use this API
β οΈ Worst case β Telegram might prune old messages to free infrastructure space. They won't ban you for using a documented API
Your responsibility: Don't store illegal content. Telegram's ToS prohibits copyright infringement, malware, CSAM, etc. Use responsibly. See FAQ.md for the full legal breakdown.
| π Not a replacement for backups | Telegram can purge old messages. Use TAS alongside, not instead of, real backup solutions. |
| π 49 MB chunk size | Files are split automatically β fully transparent to you. Telegram's Bot API limit is 50 MB. |
| π Single-user | Designed for personal use. No multi-tenant or shared-account support. |
| π FUSE = Linux/macOS only | Mount requires libfuse. The CLI itself works anywhere Node.js 18+ runs. |
| π No versioning (yet) | Overwriting a file replaces the previous version. |
| π Internet required | Telegram-backed β offline access requires files pulled locally first. |
git clone https://github.com/ixchio/tas
cd tas && npm install
npm test # Run all 71 tests (encryption, WAS1 headers, tags, sync, shares)
npm test -- --watch # Watch mode for active developmentTest coverage: streaming encrypt/decrypt roundtrips Β· cross-API compat (bufferβstream) Β· small-chunk stress testing Β· truncation/corruption error paths Β· Unicode filename handling Β· WAS1 binary header parsing Β· timing-safe comparison paths
PRs welcome! See CONTRIBUTING.md for guidelines.
TAS is open source and contributions are genuinely appreciated:
- π Found a bug? Open an issue β include
tas doctoroutput - π‘ Have a feature idea? Start a discussion
- π§ Want to contribute code? Fork β branch β PR β π
- β Just want to help? A GitHub star dramatically increases discoverability
MIT β use it, fork it, ship it, sell it. Do whatever you want with it.
If TAS fits your workflow, you might also find these useful:
- rclone β rsync for cloud storage (dozens of backends)
- restic β encrypted, deduplicated backup program
- age β simple, modern file encryption tool
- magic-wormhole β encrypted file transfer between machines
Built with β and stubbornness by @ixchio
If TAS saved you money, a β on GitHub is the best way to say thanks β it helps others find the project.
