croc — Send Files and Folders Securely Between Any Two Computers

Introduction

croc, by Zack Scholl, solves a surprisingly common problem: how do two people who can't share a LAN send a file without ending up in an email/Dropbox/WeTransfer dance? croc generates a random short code (like "quiet-hidden-raven-beam"), both sides type it, and the file flies through — end-to-end encrypted with PAKE (password-authenticated key exchange).

With over 34,000 GitHub stars, croc is a staple among sysadmins, researchers, and data scientists who frequently move multi-GB files. It works cross-platform, supports resumable transfers, and can be self-hosted for enterprise isolation.

What croc Does

croc uses a relay server (by default, the public croc.schollz.com) to rendezvous two peers by their shared short code. Peers derive a shared key via PAKE and encrypt data with AEAD (ChaCha20-Poly1305). The relay only sees ciphertext; neither the relay nor an eavesdropper can read file contents.

Architecture Overview

Sender                     Relay                     Receiver
   |                         |                          |
   |-- "code" + encrypted -->|                          |
   |                         |<----- "code" ------------|
   |                      [match]                       |
   |<---- PAKE handshake ----|----- PAKE handshake ---->|
   |                      [derive shared key]           |
   |                         |                          |
   |==== AEAD-encrypted file payload ================== |
   |                                                    |
                            (relay cannot decrypt)

Protocol: TCP or WebSocket fallback
Tries direct P2P (hole-punched) if possible, else relay-through

Self-Hosting & Configuration

# Self-host your own relay (for enterprise or privacy)
croc relay --ports 9009,9010,9011,9012,9013

# Point clients at your relay
croc --relay "yourserver.com:9009" send file.zip
croc --relay "yourserver.com:9009" your-code-here

# Transfer a folder
croc send ./project-directory/

# Custom code (instead of auto-generated)
croc send --code my-custom-code dataset.tar.gz

# Send stdin (pipeable)
echo "secret note" | croc send --code note

# Resumable transfer — interrupted? re-run with same code, resumes
croc send --code resume-me large.iso
# ... on receiver: croc resume-me  (pick up where it left off)

Key Features

• End-to-end encrypted — PAKE + AEAD, relay sees only ciphertext
• Short code rendezvous — four human-words, easy to share over a phone call
• Cross-platform — macOS, Linux, Windows, FreeBSD, ARM
• Resume — interrupted transfers resume automatically
• Direct P2P when possible — falls back to relay only if hole-punching fails
• Self-hostable relay — run your own for enterprise isolation
• Pipeable — send stdin, receive to stdout
• No account needed — just install and run

Comparison with Similar Tools

FAQ

Q: Is using the public relay safe? A: Yes — data is encrypted before it reaches the relay. The relay only forwards bytes. For highly sensitive use, self-host a relay on your own VPS.

Q: How is the short code generated? A: Random 4-word phrase from a curated word list. It's unique for each transfer session; old codes expire quickly.

Q: What's the max file size? A: No hard limit — transfers up to 100+ GB work fine. Resume lets you survive network drops.

Q: croc vs magic-wormhole? A: Same core idea. croc is Go (single binary, fast), magic-wormhole is Python (pip install, slightly slower but larger Python ecosystem). Both are excellent.

Sources

• GitHub: https://github.com/schollz/croc
• Author: Zack Scholl
• License: MIT