A client-side, browser-only tool that generates a FLO blockchain
keypair and deterministically converts it into a Tor v3 (.onion)
hidden-service address — plus the actual key files Tor needs to run that
service. No server, no backend, no data ever leaves your browser.
Because the onion address is derived directly from your FLO private key,
the same WIF key always reproduces the same onion address. That means your
FLO private key doubles as a portable backup for your hidden service: lose
your server, recover your .onion identity anywhere just by re-entering
the key.
- Generate — creates a brand-new FLO private key (WIF) and address in
the browser using
floCrypto.js. - Convert — deterministically derives a Tor v3 Ed25519 keypair from
that FLO key, and computes the matching
.onionaddress, following the Tor hidden-service key/address spec. - Recover — already have a FLO WIF key? Paste it in and the same
.onionaddress and key files are regenerated instantly — no need to store the Tor keys separately. - Deploy — download an OS-specific setup script (Linux, macOS,
Windows) that installs Tor, writes the generated keys into the correct
Tor data directory, updates
torrcwith theHiddenServiceDir/HiddenServicePortconfig, and starts the hidden service — all in one run. Or skip the automation and just download the rawhs_ed25519_secret_key/hs_ed25519_public_key/hostnamefiles to configure Tor yourself.
- The FLO WIF key is Base58-decoded to recover the raw 32-byte private key seed.
- That seed is expanded with SHA-512 following the standard Ed25519 key-derivation process, and the resulting scalar is clamped per the Ed25519 spec.
tweetnacl'snacl.sign.keyPair.fromSeedderives the Ed25519 public key from the same seed.- The public key is checksummed with SHA3-256 (
.onion checksum+ pubkey- version byte, per the Tor spec) and Base32-encoded into the final
xxxxxxxx....onionaddress.
- version byte, per the Tor spec) and Base32-encoded into the final
- The secret and public keys are written out in Tor's actual on-disk
hs_ed25519_secret_key/hs_ed25519_public_keyfile format (with Tor's expected header bytes), so they can be dropped straight into a Tor data directory.
All of this happens client-side with tweetnacl
(Ed25519) and js-sha3 (SHA3-256) —
see the <script> includes in index.html.
.
├── index.html # UI: Generate / Recover tabs, key display, script downloads
├── assets/ # Icons, illustrations
├── css/ # Stylesheet
└── scripts/
├── floCrypto.js # FLO keypair generation, WIF handling, address validation
├── lib.min.js # FLO/Bitcoin-style base58 + key utilities (minified)
└── components.min.js # UI web components (sm-input, sm-copy, sm-form, sm-notifications)
External dependencies (loaded via CDN in index.html):
This is a static site — no build step, no server required.
git clone <this-repo>
cd tor-keys-generatorThen just open index.html in a browser, or serve the folder with any
static file server, e.g.:
python3 -m http.server 8000- Open the Generate tab.
- Click Generate New Keys — a FLO address and WIF private key are created in your browser.
- Save the private key somewhere safe. It's the only way to recover both your FLO identity and your Tor hidden service — it is never sent anywhere and can't be recovered if lost.
- Click Generate Tor Configuration to derive the onion address and unlock the setup-script downloads.
- Open the Recover tab.
- Paste your existing FLO WIF private key.
- Click Recover & Download Keys — the same onion address and key files are deterministically regenerated.
Deploy the hidden service
From the results section, either:
- Download the setup script for your OS (Linux
.sh, macOS.sh, or Windows.bat) and run it. It will:- Install Tor (via
apt, Homebrew, or the Tor Expert Bundle on Windows) - Create the hidden-service directory with the correct permissions
- Write in your deterministic
hs_ed25519_secret_key,hs_ed25519_public_key, andhostname - Add the
HiddenServiceDir/HiddenServicePortblock totorrc - Restart/launch Tor so the service goes live immediately
- Install Tor (via
- Or click Download Backup Keys to get the raw
hs_ed25519_secret_key,hs_ed25519_public_key, andhostnamefiles and wire them into your own Tor configuration manually.
By default the generated scripts point
HiddenServicePort 80at127.0.0.1:8765. Edit the downloaded script before running it if your service listens on a different local port.
- Everything — key generation, Ed25519 derivation, and file creation — happens entirely client-side in the browser. Nothing is transmitted to any server.
- Your FLO private key is your Tor hidden-service identity. Anyone
with it can reproduce your
.onionaddress and impersonate your service. Treat it like any other private key: never share it, and store it offline if possible. - The setup scripts write your Tor secret key to disk with restrictive
permissions (
chmod 600), but you're still responsible for the security of the machine running the hidden service.
Built on RanchiMall's floCrypto / FLO blockchain tooling, with Tor v3
onion address derivation implemented per the
Tor Rendezvous Specification (rend-spec-v3).