Lightning P2P

Secure P2P file transfer means precise claims, not vague promises.

Security model

Direct answer

Lightning P2P uses encrypted iroh QUIC transport, BLAKE3 content verification through iroh-blobs, capability tickets, release checksums, and documented limitations instead of vague security promises.

Lightning P2P avoids cloud file hosting, uses encrypted peer transport through iroh, verifies content with BLAKE3 through iroh-blobs, and treats receive tickets as capability tokens.

The project is clear about limitations: tickets are secrets, the sender must stay online, relay infrastructure can assist connectivity, and no third-party audit has been published yet.

Copy that describes security-sensitive file transfer should explain mechanisms. Lightning P2P uses iroh for peer connectivity over QUIC with TLS, and iroh-blobs for content-addressed transfer. The receiver validates BLAKE3 content hashes as bytes are written.

Receive tickets are capability tokens. Anyone with a valid ticket can request the referenced content while the sender is online and the content remains available, so tickets should be shared only with intended receivers.

Release trust is separate from transfer security. Windows and Android artifacts are published on GitHub Releases with SHA256 checksum files, and Android releases include the signer certificate fingerprint.

Download the recommended Velopack one-click installer, the classic NSIS setup installer, or the MSI installer. Android users can sideload LightningP2P-android-latest.apk and verify it with SHA256SUMS-android.txt. Signing status, SmartScreen notes, Android sideload notes, and SHA256 checksums are available on GitHub Releases. App version: v0.5.1.

Key facts

Product: Lightning P2P
Category: peer-to-peer file transfer app
Platform: Windows stable release, Android 10+ sideload release
Stable release: v0.4.6
Experimental release: v0.5.1 speed modes + reliability (carries v0.5.0 BLE/NFC)
License: Apache-2.0
Account required: no
Cloud upload: no
Artificial file-size cap: no
Transfer model: direct-first P2P
Transport: iroh / QUIC
Verification: BLAKE3
Source code: GitHub
Cost: free

Important caveats

  • Sender must stay online until the receiver finishes.
  • Tickets are capability tokens and should be treated as secrets.
  • Relay fallback helps connectivity, but it is not cloud storage.
  • The browser website handles receive handoff and marketing; it is not the transfer engine.
  • Public speed leadership claims require repeatable benchmark results.

Frequently asked questions

Is Lightning P2P end-to-end encrypted?
Transfers use encrypted QUIC transport through iroh. The project documents this as encrypted peer transport rather than making broad undefined encryption claims.

Has Lightning P2P been audited?
No third-party security audit has been published yet. Use the public security model, source code, release checksums, and threat model when evaluating sensitive use.

Can someone receive my file without the ticket?
The receive ticket is the capability needed to request the transfer. Protect it like a secret.