A secure, one-way data streaming solution that implements a software-based data diode for transmitting web content, RTSP streams, VNC sessions and files from a secure network zone (eg. your intranet) to another network (eg. the cloud) without exposing any return path.
Pairs well with its eBPF companion project
This system provides application-level unidirectionality by design - the sender never binds to listening ports. Combined with network-level controls, it creates a one-way data path that prevents lateral movement even if the receiver is compromised.
Key Features:
- Application-Level One-Way Communication: Sender never listens for return traffic
- Opto-Isolation: Web and VNC content transformed into static images
- Multiple Stream Support: Handle multiple independent streams simultaneously
- Secure Encryption: AES-256-GCM with pre-shared keys
- Multiple Data Sources: Web pages, RTSP streams, VNC sessions, and file synchronization
- Image Freshness Monitoring: Visual and programmatic status indicators
For detailed security considerations and deployment scenarios, see the wiki.
On both Sender and Receiver sides:
cd /opt
git clone https://github.com/bmtwl/SoftDataDiode.git
cd SoftDataDiode
python -m venv venv
source venv/bin/activateSender Side:
pip install opencv-python-headless cryptography selenium numpyReceiver Side:
pip install Pillow cryptographyGenerate an encryption key (must be identical on both sides):
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"Web Page Capture:
python sender/ddsender.py \
--mode web \
--source "https://webpage.example.com" \
--cloud-ip YOUR_CLOUD_IP \
--cloud-port 5005 \
--key "your-base64-key-here" \
--interval 5RTSP Stream Capture:
python sender/ddsender.py \
--mode rtsp \
--source "rtsp://camera.example.com/stream" \
--cloud-ip YOUR_CLOUD_IP \
--cloud-port 5006 \
--key "your-base64-key-here" \
--interval 0.1VNC Capture (needs vncsnapshot binary in path):
python sender/ddsender.py \
--mode vnc \
--source "vnc.example.com" \
--cloud-ip YOUR_CLOUD_IP \
--cloud-port 5006 \
--password ~/.vnc/passwd \
--key "your-base64-key-here" \
--interval 10File Sync:
python sender/ddsender.py \
--mode filesync \
--sync-path /home/user/documents \
--cloud-ip YOUR_CLOUD_IP \
--cloud-port 5010 \
--key "your-base64-key-here" \
--sync-interval 60 \
--max-file-age 1 Simple Image Receiver:
# Single image stream receiver usage
python receiver/ddreceiver.py \
-udp-host RECEIVER_LISTEN_IP \
--udp-port 5005 \
--http-host 127.0.0.1 \
--http-port 8000 \
--key "your-base64-key-here"Multi-Receiver, file receiver, etc:
See the Configuration wiki page for detailed configuration options.
graph TD
subgraph "Secure Environment"
SOURCE[[Source System]] --> SENDER([Data Diode Sender])
SENDER --> SENDERPROCESSING[\UDP Packets<br/>Encrypted & Fragmented\]
end
SENDERPROCESSING -.->|Fire-and-Forget<br/>One-Way UDP| CLOUDIP[/Cloud Server<br/>Public IP:Port/]
subgraph "Cloud Environment"
CLOUDIP --> RECEIVER([Data Diode Receiver])
RECEIVER --> RECEIVERPROCESSING[Frame Reassembly<br/>& Decryption]
RECEIVERPROCESSING -->|Files and Images| BUFFER{Data Buffer}
BUFFER -->|Images| HTTPSERVER[HTTP Stream Server]
BUFFER -->|Files| FILESYSTEM[Remote Filesystem]
end
subgraph "Internet"
HTTPSERVER <--> WEBBROWSER[Web Browser]
FILESYSTEM <--> FILECLIENT[SFTP Client]
end
class SOURCE,SENDER,SENDERPROCESSING secure
class CLOUDIP,RECEIVER,RECEIVERPROCESSING,BUFFER,HTTPSERVER,FILESYSTEM cloud
class WEBBROWSER,FILECLIENT client
For detailed architecture information, see the Architecture wiki page.
This system implements a defense-in-depth approach:
- Application-level unidirectionality - sender never binds to listening ports
- Network-level blocking - firewall rules and ACLs prevent return traffic
- Infrastructure-level detection - logging and alerting on suspicious attempts
Important
This is a software-based solution, not a hardware data diode. While it provides strong protections, it requires proper configuration and hardening. See Security Model and Hardening for detailed security considerations.
The built-in HTTP server is designed to run behind a reverse proxy.
caddy hash-password --plaintext "mysecret"yourserverfqdn {
tls internal
basic_auth {
user <hashed-password>
}
handle {
reverse_proxy 127.0.0.1:8000
}
}See the Configuration wiki page for more web server examples.
- Installation Guide - Detailed installation instructions
- Configuration Reference - Complete configuration options
- Security Model and Hardening - Security considerations and hardening procedures
- Deployment Scenarios - Various deployment patterns
- Troubleshooting Guide - Common issues and solutions
- Testing and Verification - Testing your deployment
Caution
This system differs from a pure hardware Data Diode in that all parts of the system are implemented in software. Certified Hardware Data Diodes are expensive for a reason! The tradeoff is that the savings come with a need to vet the configuration in order to guarantee correctness.
If you are looking for an actual hardware data-diode, there are inexpensive ways to get there:
- https://datadiode.net/hardware/
- https://github.com/mitcdh/diode-switch-config
- https://github.com/wavestone-cdt/dyode
Any of these projects can be used in conjunction with the tools in this repo to create a true physical unidirectionality interlock.
For common issues including Selenium setup, performance tuning, and network debugging, see the Troubleshooting Guide.