Skip to content

ixchio/tas

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

24 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

TAS β€” Telegram as Storage CLI demo

πŸ“¦ TAS β€” Telegram as Storage

Turn your Telegram bot into unlimited, encrypted cloud storage.
Free forever. Zero-knowledge. No sign-up. No credit card. No limits.

CI Status npm version Monthly Downloads License: MIT GitHub Stars GitHub Forks Node.js >= 18 AES-256-GCM 71 Tests Passing

πŸ“š Quick Start Β β€’Β  FAQ Β β€’Β  Why TAS? Β β€’Β  Features Β β€’Β  Security Β β€’Β  CLI Docs Β β€’Β  Docker / CI Β β€’Β  Changelog


TL;DR β€” One npm install, one tas init, then tas push yourfile.pdf. Your file is now AES-256 encrypted and stored for free on Telegram's infrastructure. No accounts, no fees, no vendor lock-in. Seriously.


The Problem With "Free" Cloud Storage

Every major cloud provider has one of three business models: scanning your data, charging you money, or capping your storage. There is no free lunch.

Provider Free Tier Reads Your Data? CLI-First? Encryption At Rest (by you)?
Google Drive 15 GB βœ… Yes (indexes for ads) ❌ ❌
Dropbox 2 GB βœ… Can access ❌ ❌
iCloud 5 GB βœ… Apple ToS ❌ ❌
Mega 20 GB ❓ Closed-source E2EE ❌ ❓
Backblaze B2 10 GB ❌ βœ… ❌ (you add it)
TAS + Telegram ♾️ Unlimited ❌ Impossible (AES-256) βœ… First-class βœ… Always

Meanwhile, Telegram gives every bot unlimited file storage via its public Bot API β€” and almost nobody is using it.


The Solution

TAS compresses, encrypts (AES-256-GCM), chunks, and uploads your files to your own private Telegram bot chat. Your password never leaves your machine. Telegram only ever sees encrypted noise. You get a fully-featured, CLI-native cloud drive with FUSE mount, Dropbox-style sync, expiring share links, and tagging β€” at $0/month, forever.

  Your Machine                                    Telegram Cloud
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”               β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                             β”‚               β”‚                          β”‚
β”‚  tas push secret.tar.gz     │──→ gzip ──→   β”‚   πŸ”’ Encrypted Blob #1   β”‚
β”‚  tas mount ~/cloud          │──→ AES-256 ──→│   πŸ”’ Encrypted Blob #2   β”‚
β”‚  tas sync start             │──→ chunk ──→  β”‚   πŸ”’ Encrypted Blob #3   β”‚
β”‚                             β”‚               β”‚   (Private Bot Chat)     β”‚
β”‚  tas pull secret.tar.gz     │←── decrypt ←──│                          β”‚
β”‚  (SHA-256 verified)         │←── decomp  ←──│   ← Stream on demand     β”‚
β”‚                             β”‚               β”‚                          β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜               β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         SQLite Index                              Unlimited & Free

⚑ Quick Start

Three commands. Under two minutes. Zero cost.

# 1. Install globally
npm install -g @nightowne/tas-cli

# 2. Connect your Telegram bot (guided wizard β€” takes ~60 seconds)
tas init

# 3. Start using it
tas push secret.pdf          # Encrypt + compress + upload
tas pull secret.pdf          # Download + decrypt + verify
tas list                     # See everything you've stored

Need a Telegram bot? Open Telegram β†’ search @BotFather β†’ /newbot β†’ copy the token. That's it.


πŸ’‘ Why TAS?

❌ The Alternative

  • Google Drive scans & indexes your files for ads
  • Dropbox costs $12/mo β€” and can read your data
  • iCloud locks you into the Apple ecosystem
  • Self-hosting (Nextcloud, MinIO) costs VPS money + maintenance time
  • S3 / B2 needs encryption wiring and costs per GB transferred
  • rclone + any backend still needs a paid backend

βœ… TAS gives you

  • $0/month β€” forever, no storage caps, no bandwidth fees
  • Zero-knowledge β€” only you hold the decryption key
  • AES-256-GCM β€” same cipher used by banks and governments
  • FUSE mount β€” Telegram storage appears as a real folder
  • Auto-sync β€” Dropbox-style folder watcher built-in
  • Expiring share links β€” send files without sharing your password
  • CLI-first β€” pipe to jq, run in cron, automate everything
  • Open source β€” audit every single line of crypto code

πŸ”₯ Features

πŸ—‚οΈ Mount as a Local Folder (FUSE)

Use Telegram storage exactly like a USB drive β€” drag and drop, open in any app.

tas mount ~/cloud            # Mount your Telegram storage as ~/cloud
ls ~/cloud                   # Browse your encrypted files normally
cp report.pdf ~/cloud/       # Drop files in β€” auto-encrypted and uploaded
tas unmount ~/cloud          # Clean unmount when done

Requirements: apt install fuse libfuse-dev (Linux) Β· brew install macfuse (macOS)


πŸ”„ Auto-Sync Folders (Dropbox-style)

Register a local folder and TAS watches it. Any new or changed file is automatically encrypted and uploaded.

tas sync add ~/Documents        # Register ~/Documents for auto-sync
tas sync start                  # Start the watcher (runs in background)
tas sync pull                   # Pull all synced files back down
tas sync status                 # See what's queued / synced / pending

πŸ”— Expiring Share Links

Generate time-limited, download-limited share links. Recipients get a clean dark-themed download page. Your password is never shared β€” files are decrypted on-the-fly by the local server.

tas share create report.pdf --expire 24h --max-downloads 5
# β†’ http://localhost:3000/d/a1b2c3d4e5f6...

tas share create backup.tar.gz --expire 1h --max-downloads 1  # Burn-after-read
tas share list                  # See active links with expiry info
tas share revoke a1b2c3d4       # Revoke instantly, anytime

🏷️ Tags & Full-Text Search

tas tag add report.pdf work Q4 finance
tas tag add keys.env secrets production
tas search "report"             # Search by filename pattern
tas search -t work              # All files tagged "work"
tas search -t secrets           # Quickly find your credentials

🩺 Self-Diagnostics

tas doctor
# βœ“ Node.js 20.11.0
# βœ“ Config v2 (encrypted bot token β€” AES-256-GCM at rest)
# βœ“ Database: 42 files, 1.3 GB total across 28 chunks
# βœ“ Disk space: 50 GB free (32% used)
# βœ“ Encryption: AES-256-GCM Β· PBKDF2-SHA512 Β· 600,000 iterations (OWASP 2025)
# βœ“ Telegram connectivity: OK
# ✨ All systems go!

πŸ€– Built for Automation β€” CI/CD, Docker, Cron

TAS is fully scriptable. No interactive prompts needed when TAS_PASSWORD is set.

# Environment-based automation
export TAS_PASSWORD="your-password"
export TAS_DATA_DIR="/custom/path"

# Pipe to jq
tas list --json | jq '.[].filename'
tas list --json | jq '.[] | select(.size > 1000000)'  # Files > 1MB

# GitHub Actions backup step
tas push db-backup-$(date +%Y%m%d).sql.gz

# cron: nightly backup at 2am
0 2 * * * TAS_PASSWORD=$SECRET tas push /var/backups/db.tar.gz

# JSON machine output everywhere
tas status --json
tas list --json

🐳 Docker & CI/CD

FROM node:20-alpine

RUN npm install -g @nightowne/tas-cli

ENV TAS_PASSWORD=""
ENV TAS_DATA_DIR="/data"

VOLUME ["/data"]

CMD ["tas", "status"]
# .github/workflows/backup.yml
name: Nightly Backup

on:
  schedule:
    - cron: '0 2 * * *'

jobs:
  backup:
    runs-on: ubuntu-latest
    steps:
      - name: Install TAS
        run: npm install -g @nightowne/tas-cli

      - name: Push backup
        env:
          TAS_PASSWORD: ${{ secrets.TAS_PASSWORD }}
          TAS_DATA_DIR: ${{ runner.temp }}/tas-data
        run: |
          tas init --token ${{ secrets.TELEGRAM_BOT_TOKEN }} --chat ${{ secrets.TELEGRAM_CHAT_ID }}
          tar czf backup-$(date +%Y%m%d).tar.gz ./important-data/
          tas push backup-$(date +%Y%m%d).tar.gz

πŸ›‘οΈ Security Model

TAS implements zero-knowledge encryption β€” we can't read your data, Telegram can't read your data, and nobody without your password ever can.

Layer Implementation Standard
Cipher AES-256-GCM (authenticated encryption) NIST FIPS 197
Key Derivation PBKDF2-SHA512, 600,000 iterations OWASP 2025
Salt 32 bytes, crypto.randomBytes() β€” unique per file No rainbow tables
IV/Nonce 12 bytes, crypto.randomBytes() β€” unique per file No nonce reuse
Auth Tag 16 bytes GCM tag β€” any tampered bit = instant rejection Tamper detection
Bot Token Encrypted at rest in config.json (AES-256-GCM) Config v2
Password Verification crypto.timingSafeEqual() on both PBKDF2 and legacy paths Timing-safe
Config Permissions chmod 600 config.json on creation No world-readable secrets
Integrity SHA-256 hash verified on every single download Bit-perfect guarantee
Share Server Binds 127.0.0.1 by default, XSS-escaped, RFC 6266 filenames LAN-safe

What Telegram Actually Sees

πŸ“¦  a7f3b2c1e9d4f820.tas  β€”  12.4 MB  β€”  application/octet-stream

An opaque, encrypted blob. No filename. No content type. No metadata. Just noise.

Threat Model

Threat Mitigated? How
Telegram reads your files βœ… Yes AES-256-GCM β€” mathematically impossible without key
Someone steals your config.json βœ… Yes Bot token encrypted at rest; password hash is PBKDF2
Brute-force your password βœ… Yes 600k PBKDF2 iterations β‰ˆ 100ms/attempt minimum
Tampered download βœ… Yes SHA-256 check + GCM auth tag on every download
Timing attack on password βœ… Yes crypto.timingSafeEqual() on all comparisons
Share link exposure βœ… Yes Localhost-only by default; expiry + download limits

πŸ”„ Reliability

Built with the same philosophy as professional backup tools (restic, borg, rclone):

Feature Implementation
Exponential Backoff Auto-retry with jitter on Telegram 429 errors and network timeouts
Rate Limiting Built-in 1 msg/sec β€” never trips Telegram's rate limits
Integrity Verification SHA-256 hash verified after every single download
Resume Uploads tas resume picks up interrupted multi-chunk uploads
Graceful Shutdown SIGINT/SIGTERM handled β€” zero corruption risk on Ctrl-C
Self-Diagnostics tas doctor validates your entire setup end-to-end

πŸ“‹ CLI Reference

Core Commands
tas init                          # πŸš€ Interactive setup wizard (create bot in ~60s)
tas push <file> [file2...]        # ⬆️  Encrypt + compress + upload
tas pull <file|hash>              # ⬇️  Download + decrypt + verify
tas list [-l] [--json]            # πŸ“‹ List all stored files
tas delete <file|hash>            # πŸ—‘οΈ  Remove from index (--hard removes from Telegram)
tas status [--json]               # πŸ“Š Storage stats & database health
tas search <query> [-t tag]       # πŸ” Find by filename or tag
tas resume                        # πŸ”„ Resume interrupted uploads
tas verify                        # βœ… Verify every file still exists and is intact
tas doctor                        # 🩺 Full system health check
Mount & Sync
# FUSE Mount
tas mount <path>                  # Mount Telegram storage as a local folder
tas unmount <path>                # Clean unmount

# Dropbox-style Folder Sync
tas sync add <folder>             # Register folder for auto-sync
tas sync start                    # Start watching for changes
tas sync pull                     # Download all synced files locally
tas sync status                   # Show sync queue and status
Share & Tags
# Expiring Share Links
tas share create <file> [--expire 1h|24h|7d] [--max-downloads N]
tas share list                    # Active links with expiry countdown
tas share revoke <token>          # Instantly revoke a share

# File Tagging
tas tag add <file> <tag> [tag2...]
tas tag remove <file> <tag>
tas tag list [tag]                # List all tags, or files with a specific tag
Environment Variables
TAS_PASSWORD="..."          # Skip password prompts (CI/CD, cron, Docker)
TAS_DATA_DIR="/custom/path" # Override default ~/.tas data directory

πŸ—οΈ Architecture

src/
β”œβ”€β”€ cli.js                    # Commander-based CLI β€” all commands defined here
β”œβ”€β”€ index.js                  # Core streaming upload/download pipeline
β”œβ”€β”€ crypto/
β”‚   └── encryption.js         # AES-256-GCM + PBKDF2-SHA512 (600k iterations)
β”œβ”€β”€ db/
β”‚   └── index.js              # SQLite index: files, chunks, tags, shares, sync
β”œβ”€β”€ telegram/
β”‚   └── client.js             # Bot API wrapper β€” retry, rate-limit, streaming
β”œβ”€β”€ fuse/
β”‚   └── mount.js              # FUSE filesystem β€” mount Telegram as a local folder
β”œβ”€β”€ share/
β”‚   └── server.js             # HTTP server β€” expiring encrypted share links
β”œβ”€β”€ sync/
β”‚   └── sync.js               # fs.watch folder watcher β€” Dropbox-style auto-sync
└── utils/
    β”œβ”€β”€ download-stream.js     # Shared Telegramβ†’Decryptβ†’Decompress pipeline
    β”œβ”€β”€ compression.js         # Smart gzip (skips already-compressed formats)
    β”œβ”€β”€ chunker.js             # 49 MB chunks + WAS1 binary file headers
    β”œβ”€β”€ progress.js            # Terminal progress bars with MB/s + ETA
    β”œβ”€β”€ throttle.js            # Bandwidth limiter (stream transform)
    β”œβ”€β”€ branding.js            # ASCII art + version display
    └── cli-helpers.js         # Password management + config resolution

Tech stack: Node.js 18+ Β· better-sqlite3 Β· node-telegram-bot-api Β· fuse-native Β· Commander Β· Chalk Β· Ora Β· Inquirer


πŸ’‘ Perfect For

Use Case Example
πŸ“„ Personal document vault Taxes, contracts, scans, receipts β€” encrypted
πŸ”‘ Secrets & credentials .env files, SSH private keys, API tokens
πŸ—οΈ Password manager sync KeePass .kdbx, 1Password vaults, Bitwarden exports
πŸ“¦ Code project backups Git bundles, build artifacts, config files
🎬 Private media archive Photos, videos, music β€” encrypted & searchable
πŸ”— Ephemeral file sharing Burn-after-read links with download limits
πŸ’Ύ Offsite backup Nightly database dumps, system configs via cron
πŸ€– CI/CD artifacts Store build outputs, test reports, deployment keys

Not ideal for: Mission-critical business data (use professional backup tools alongside this), team collaboration (no multi-user support yet), or replacing full backup systems β€” Telegram can theoretically delete old messages.


❓ Is This Allowed? (The Legal Question)

Will Telegram ban me?

No. Here's the complete picture:

  • βœ… Bot API is a public, documented feature β€” Telegram designed file uploads into the Bot API intentionally
  • βœ… You're sending to your own private bot chat β€” not a public channel, not spamming
  • βœ… Content is encrypted β€” Telegram cannot detect what you're storing
  • βœ… No published storage limits β€” individual files cap at 2 GB (TAS chunks automatically)
  • βœ… Strong precedent β€” thousands of file-sharing bots, backup tools, and media archives use this API
  • ⚠️ Worst case β€” Telegram might prune old messages to free infrastructure space. They won't ban you for using a documented API

Your responsibility: Don't store illegal content. Telegram's ToS prohibits copyright infringement, malware, CSAM, etc. Use responsibly. See FAQ.md for the full legal breakdown.


⚠️ Good to Know

πŸ“Œ Not a replacement for backups Telegram can purge old messages. Use TAS alongside, not instead of, real backup solutions.
πŸ“Œ 49 MB chunk size Files are split automatically β€” fully transparent to you. Telegram's Bot API limit is 50 MB.
πŸ“Œ Single-user Designed for personal use. No multi-tenant or shared-account support.
πŸ“Œ FUSE = Linux/macOS only Mount requires libfuse. The CLI itself works anywhere Node.js 18+ runs.
πŸ“Œ No versioning (yet) Overwriting a file replaces the previous version.
πŸ“Œ Internet required Telegram-backed β€” offline access requires files pulled locally first.

πŸ› οΈ Development

git clone https://github.com/ixchio/tas
cd tas && npm install

npm test               # Run all 71 tests (encryption, WAS1 headers, tags, sync, shares)
npm test -- --watch    # Watch mode for active development

Test coverage: streaming encrypt/decrypt roundtrips Β· cross-API compat (buffer↔stream) Β· small-chunk stress testing Β· truncation/corruption error paths Β· Unicode filename handling Β· WAS1 binary header parsing Β· timing-safe comparison paths

PRs welcome! See CONTRIBUTING.md for guidelines.


🌟 Contributing

TAS is open source and contributions are genuinely appreciated:

  • πŸ› Found a bug? Open an issue β€” include tas doctor output
  • πŸ’‘ Have a feature idea? Start a discussion
  • πŸ”§ Want to contribute code? Fork β†’ branch β†’ PR β†’ πŸŽ‰
  • ⭐ Just want to help? A GitHub star dramatically increases discoverability

πŸ“„ License

MIT β€” use it, fork it, ship it, sell it. Do whatever you want with it.


Related Projects

If TAS fits your workflow, you might also find these useful:

  • rclone β€” rsync for cloud storage (dozens of backends)
  • restic β€” encrypted, deduplicated backup program
  • age β€” simple, modern file encryption tool
  • magic-wormhole β€” encrypted file transfer between machines

Built with β˜• and stubbornness by @ixchio
If TAS saved you money, a ⭐ on GitHub is the best way to say thanks β€” it helps others find the project.

Star TAS on GitHub

About

Telegram as Storage - free encrypted cloud storage. Mount Telegram as a folder.

Topics

Resources

License

Contributing

Security policy

Stars

25 stars

Watchers

0 watching

Forks

Sponsor this project

Packages

 
 
 

Contributors