This project contains scripts for securely storing and retrieving public IP addresses (IPv4 and/or IPv6) using Cloudflare DNS TXT records with PGP encryption. Both Windows PowerShell and native Linux versions are provided.
cloudflare-ip-share/
├── README.md # This comprehensive guide
├── .gitignore # Protects keys and sensitive files
├──
├── Windows Scripts (PowerShell):
├── ├── get.ps1 # Store encrypted IP addresses
├── ├── push.ps1 # Retrieve and decrypt IP addresses
├── ├── run.bat # Interactive Windows runner
├── ├── ispwsh7installed.ps1 # PowerShell 7 checker/installer
├── ├── CloudflareHelpers.ps1 # Cloudflare API library (with quiet mode support)
├── ├── curl/curl.exe # Bundled curl for Windows
├── └── PSPGP/ # PowerShell PGP module
├──
├── Linux Scripts (Native):
├── ├── get.sh # Store encrypted IP addresses
├── ├── push.sh # Retrieve and decrypt IP addresses
├── ├── run.sh # Interactive Linux runner
├── ├── cloudflare_helpers.sh # Cloudflare API library
├── ├── check_requirements.sh # System requirements checker
├──
└── Auto-generated:
├── keys/ # PGP keys (auto-created, git-ignored)
│ ├── private.asc # Private key for decryption
│ ├── public.asc # Public key for encryption
│ └── password.txt # Secure password file
└── logs/ # Operation logs (auto-created, quiet mode)
├── get_YYYYMMDD_HHMMSS.log # IP storage operation logs
└── push_YYYYMMDD_HHMMSS.log # IP retrieval operation logs
# Run the interactive menu
.\run.bat# Check requirements first
./check_requirements.sh --install-commands --check-network
# Run the interactive menu
./run.shGets your public IP address(es), encrypts them with PGP, and stores them in Cloudflare DNS TXT records.
Retrieves the encrypted IP(s) from the DNS TXT record(s) and decrypts them.
Provides comprehensive Cloudflare API validation, token verification, permission checking, and advanced issue handling for both scripts. Now includes full quiet mode support for automation-friendly operations.
- Cloudflare API Token with DNS:Write permissions
- PowerShell 5.1+ (Windows) or PowerShell Core (Cross-platform)
- .NET Framework 4.7.2+ (for Windows PowerShell 5.1)
- Ensure you have a domain managed by Cloudflare
- Create a Cloudflare API Token with Zone:DNS:Write permissions
- Edit
run.batand update configuration values - Run
run.bat- it will auto-install PowerShell 7 if needed - The scripts will automatically create PGP keys on first run
# IPv4 only
.\get.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip"
# IPv6 only
.\get.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -IPVersion "v6"
# Both IPv4 and IPv6
.\get.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -IPVersion "both"
# Quiet mode (only returns SUCCESS/FAILURE, logs to file)
.\get.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -Quiet# IPv4 only
.\push.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip"
# IPv6 only
.\push.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -IPVersion "v6"
# Both IPv4 and IPv6
.\push.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -IPVersion "both"
# Quiet mode (only returns IP address(es), logs to file)
.\push.ps1 -CloudflareApiToken "your_token" -Domain "example.com" -Subdomain "myip" -Quietbash(≥ 4.0) - Shell interpretercurl- HTTP client for API calls and IP retrievaljq- JSON processor for API responsesgpg(GnuPG) - PGP encryption/decryptionbase64- Base64 encoding/decodingcoreutils- Basic utilities (grep, sed, awk, cut, etc.)
procps- Process management tools (ps, pgrep)- IPv6 support - For IPv6 functionality
/dev/urandom- Secure random number generation
chmod +x check_requirements.sh
./check_requirements.sh --install-commands --check-networkDebian/Ubuntu:
sudo apt update
sudo apt install curl jq gnupg coreutils bashRHEL/CentOS/Fedora:
# RHEL/CentOS:
sudo yum install curl jq gnupg2 coreutils bash
# Fedora:
sudo dnf install curl jq gnupg2 coreutils bashArch Linux:
sudo pacman -S curl jq gnupg coreutils bashopenSUSE:
sudo zypper install curl jq gpg2 coreutils bashAlpine Linux:
sudo apk add curl jq gnupg coreutils bashmacOS (Homebrew):
brew install curl jq gnupg coreutils bashchmod +x *.sh# Edit run.sh and update configuration
nano run.shUpdate these variables:
CLOUDFLARE_TOKEN="your_actual_api_token"
DOMAIN="your_domain.com"
SUBDOMAIN="your_subdomain_prefix"# IPv4 only
./get.sh -t "your_token" -d "domain.com" -s "subdomain"
# IPv6 only
./get.sh -t "your_token" -d "domain.com" -s "subdomain" -v "v6"
# Both IPv4 and IPv6
./get.sh -t "your_token" -d "domain.com" -s "subdomain" -v "both"
# Quiet mode (only returns SUCCESS/FAILURE, logs to file)
./get.sh -t "your_token" -d "domain.com" -s "subdomain" -q# IPv4 only
./push.sh -t "your_token" -d "domain.com" -s "subdomain"
# IPv6 only
./push.sh -t "your_token" -d "domain.com" -s "subdomain" -v "v6"
# Both IPv4 and IPv6
./push.sh -t "your_token" -d "domain.com" -s "subdomain" -v "both"
# Quiet mode (only returns IP address(es), logs to file)
./push.sh -t "your_token" -d "domain.com" -s "subdomain" -qBoth platforms now support quiet mode for automation and scripting purposes.
- Output: Only returns
SUCCESSorFAILURE - Logging: All detailed output goes to
logs/get_YYYYMMDD_HHMMSS.log - Use case: Perfect for automation where you only need to know if the operation succeeded
- Output: Only returns the IP address(es) themselves
- Logging: All detailed output goes to
logs/push_YYYYMMDD_HHMMSS.log - Use case: Perfect for scripts that need to use the retrieved IP address
# Get script in quiet mode
result=$(./get.sh -t "token" -d "domain.com" -s "myip" -q)
if [[ "$result" == "SUCCESS" ]]; then
echo "IP stored successfully"
fi
# Push script in quiet mode
ip_address=$(./push.sh -t "token" -d "domain.com" -s "myip" -q)
echo "Current IP: $ip_address"# Get script in quiet mode
$result = .\get.ps1 -CloudflareApiToken "token" -Domain "domain.com" -Subdomain "myip" -Quiet
if ($result -eq "SUCCESS") {
Write-Host "IP stored successfully"
}
# Push script in quiet mode
$ipAddress = .\push.ps1 -CloudflareApiToken "token" -Domain "domain.com" -Subdomain "myip" -Quiet
Write-Host "Current IP: $ipAddress"- Log Directory:
logs/(created automatically) - Log Files:
get_YYYYMMDD_HHMMSS.logfor IP storage operationspush_YYYYMMDD_HHMMSS.logfor IP retrieval operations
- Log Rotation: Automatically maintains maximum of 30 logs per script type
- Log Cleanup: Oldest logs are automatically deleted when limit is reached
- Log Content: Complete detailed output including all status messages, errors, and debug information
- Automation-Friendly: Clean output suitable for scripts and CI/CD pipelines
- Debugging: Full logs retained for troubleshooting while keeping output minimal
- Storage Efficient: Automatic log rotation prevents disk space issues
- Audit Trail: Timestamped logs provide complete operation history
- Complete Quiet Support: All helper functions now respect quiet mode, including Cloudflare API operations
- Consistent Behavior: Identical quiet mode functionality across Windows PowerShell and Linux platforms
Both platforms support three modes:
v4(default): IPv4 onlyv6: IPv6 onlyboth: Both IPv4 and IPv6
When using both mode:
- IPv4 data is stored in
subdomain4.domain.com - IPv6 data is stored in
subdomain6.domain.com - Both use the same PGP keys for encryption/decryption
- Validation: Comprehensive Cloudflare API token verification and permission checking
- IP Retrieval:
- IPv4 Services:
api.ipify.org,api4.my-ip.io/ip,ipv4.icanhazip.com,v4.ident.me - IPv6 Services:
api6.ipify.org,api6.my-ip.io/ip,ipv6.icanhazip.com,v6.ident.me
- IPv4 Services:
- Encryption: Creates PGP key pair on first run, encrypts IP(s) with public key
- Storage: Converts encrypted data to Base64 and stores in DNS TXT record(s)
- Retrieval: Downloads TXT record(s), decodes Base64, and decrypts with private key
- Military-Grade PGP Encryption: Uses 4096-bit RSA keys with SHA-256 hashing
- Advanced Cryptographic Parameters:
- RSA 4096-bit public key algorithm (fallback to 2048-bit)
- AES256 symmetric encryption for actual data
- SHA-256 digest algorithm
- Compression level 6 (optimal balance)
- Certainty level 20 (highest security)
- Secure Key Storage: Private keys stored locally with restrictive file permissions
- Cryptographically Secure Passwords: 64-character passwords using full ASCII range
- Key Strength Validation: Automatic validation of key security parameters
- Git Protection: Keys directory is automatically ignored by Git
- Multiple fallback IP services for reliability
- DNS Security: Uses Cloudflare's secure DNS infrastructure
- HTTPS-only communications for all API calls
- Certificate validation performed by curl
- Timeout handling prevents hanging connections
- Pre-flight Cloudflare validation: Token verification, permission checking, zone access validation
- Comprehensive error categorization: Detailed error codes with explanations
- Network connectivity testing: IPv4/IPv6 and Cloudflare API connectivity tests
- Enhanced issue diagnosis: Detailed troubleshooting information
- Multiple IP detection services with automatic failover
- Robust DNS record management: Automatic creation/updating of DNS records
- Cross-platform compatibility: Identical functionality on Windows and Linux
- Graceful degradation: Fallback mechanisms for various failure scenarios
- Interactive menus: Easy-to-use runners for both platforms
- Color-coded output: Clear visual feedback for operations
- Progress indicators: Real-time status updates during operations
- Comprehensive logging: Detailed operation logs for troubleshooting
- Complete quiet mode: All functions now support automation-friendly silent operation
- Consistent behavior: Unified quiet mode experience across all script components
Both versions support multiple IP detection services. You can modify the service lists in the scripts:
PowerShell (get.ps1):
$ipv4Services = @(
@{ url = "https://api.ipify.org"; name = "ipify"; format = "text" },
@{ url = "https://api4.my-ip.io/ip"; name = "my-ip.io"; format = "text" },
# Add more services here
)Linux (get.sh):
local ipv4_services=(
"https://api.ipify.org"
"https://api4.my-ip.io/ip"
# Add more services here
)Default TTL is 300 seconds (5 minutes). You can modify this in the DNS record creation functions.
The scripts attempt 4096-bit RSA keys first, with automatic fallback to 2048-bit if generation fails.
Problem: CloudflareHelpers.ps1 functions were not respecting the quiet mode setting, causing verbose output even when scripts were run with -Quiet parameter.
Root Cause: The CloudflareHelpers.ps1 file contained direct Write-Host, Write-Warning, and Write-Error calls that bypassed the quiet mode system implemented in get.ps1 and push.ps1.
Solution Applied:
- Added
-Quietparameter to all main Cloudflare helper functions - Wrapped all output statements in conditional logic that checks
if (-not $Quiet) - Updated all function calls in get.ps1 and push.ps1 to pass
-Quiet:$Global:QuietMode - Enhanced
Invoke-CloudflareApiCallandShow-CloudflareErrorfunctions to support quiet mode
Status: ✅ RESOLVED - Quiet mode now works correctly across all Cloudflare helper functions, providing clean automation-friendly output while maintaining full functionality.
Problem: Scripts were failing with "Network error during [operation] (curl exit code: 3)"
Root Cause: Output redirection issues in helper functions where status messages were being captured as part of variable assignments, corrupting URLs and JSON data.
Solution Applied:
- Fixed all helper functions to redirect status output to stderr (>&2)
- Fixed subdomain generation to always append IPv4/IPv6 suffixes
- Fixed variable contamination in
test_cloudflare_setup(),get_dns_record_id(), etc.
Status: ✅ RESOLVED - Scripts now work correctly for both storing and retrieving IP addresses.
- PowerShell Execution Policy: Run
Set-ExecutionPolicy RemoteSignedas Administrator - PowerShell 7 Not Found: The scripts will auto-install PowerShell 7
- PSPGP Module Issues: Ensure .NET Framework 4.7.2+ is installed
- Permission Denied: Run
chmod +x *.sh - Command Not Found: Install missing packages using the requirements checker
- GPG Issues: Ensure GnuPG is properly installed and configured
This error typically occurs due to insufficient entropy (randomness) on your system. GPG requires good quality random data to generate secure keys.
-
Run the entropy fix script:
chmod +x fix_gpg_entropy.sh ./fix_gpg_entropy.sh --auto
-
Or install entropy daemon manually:
# On Debian/Ubuntu: sudo apt-get update sudo apt-get install haveged sudo systemctl start haveged sudo systemctl enable haveged # On CentOS/RHEL: sudo yum install epel-release sudo yum install haveged sudo systemctl start haveged sudo systemctl enable haveged # On Fedora: sudo dnf install haveged sudo systemctl start haveged sudo systemctl enable haveged
-
Check entropy level:
cat /proc/sys/kernel/random/entropy_avail
- Good: > 1000 bits
- OK: > 200 bits
- Low: < 200 bits (will cause issues)
If you can't install haveged, generate entropy manually:
# Generate some entropy (run in background)
find /var /usr /etc -type f 2>/dev/null | head -1000 | xargs cat > /dev/null 2>&1 &
# Or use the dedicated entropy script
./fix_gpg_entropy.sh-
Use lighter key parameters:
- The script will automatically fallback to 2048-bit keys if 4096-bit fails
-
Check disk space:
df -h /tmp
-
Verify GPG installation:
gpg --version
-
Check permissions:
ls -la keys/ # Should show restrictive permissions (700 for directory, 600 for private keys)
The scripts require:
gpg(gnupg package)curljqbase64- Sufficient entropy for key generation
Run the requirements checker:
./check_requirements.sh-
Check system logs:
sudo journalctl -u haveged dmesg | grep -i random -
Test GPG manually:
./fix_gpg_entropy.sh # This includes a GPG test -
Use existing keys: If you have existing GPG keys, you can manually copy them to the
keys/directory:mkdir -p keys cp your_existing_public.asc keys/public.asc cp your_existing_private.asc keys/private.asc echo "your_password" > keys/password.txt chmod 600 keys/private.asc keys/password.txt chmod 644 keys/public.asc
After fixing entropy issues:
# Interactive menu
./run.sh
# Or run directly
./get.sh -t "your_token" -d "your_domain" -s "your_subdomain" -v "both"Use the connectivity test features:
- Windows: Select option 7 in
run.bat - Linux: Run
./check_requirements.sh --check-network
Both platforms provide detailed error analysis:
- Token issues: Verify token permissions and expiration
- Zone access: Ensure domain is in your Cloudflare account
- DNS record issues: Check for existing conflicting records
For comprehensive troubleshooting support:
- Windows: Run
.\run.batand use the interactive menu options - Linux: Run
./run.shand use menu option 9 for automated diagnostics - Requirements Check: Run
./check_requirements.shto verify all dependencies - Entropy Issues: Run
./fix_gpg_entropy.sh --helpfor detailed entropy help
For detailed debugging:
PowerShell:
$VerbosePreference = "Continue"
.\get.ps1 -Verbose -CloudflareApiToken "token" -Domain "domain" -Subdomain "subdomain"Linux:
bash -x ./get.sh -t "token" -d "domain" -s "subdomain"| Feature | Windows (PowerShell) | Linux (Bash) |
|---|---|---|
| Requirements | PowerShell 5.1+, .NET 4.7.2+ | bash 4.0+, curl, jq, gpg |
| Installation | Auto-install PowerShell 7 | Manual package installation |
| PGP Library | PSPGP module (.NET) | Native GPG |
| JSON Processing | Built-in ConvertFrom-Json | jq command |
| Permissions | Windows ACLs | Unix permissions (chmod) |
| Package Management | Bundled dependencies | Native package managers |
| Performance | .NET runtime overhead | Native tools, faster |
| Compatibility | Windows, PowerShell Core | Any Unix-like system |
The scripts have been thoroughly tested on the following platforms:
- ✅ Windows 10 21H2 - Fully tested and working
- ✅ Windows 10 22H2 - Fully tested and working
- 🔄 Windows 11 - Expected to work (compatible with Windows 10)
- ✅ Debian 12 - Fully tested and working
- ✅ Debian 13 - Fully tested and working
- 🔄 Any Debian-based system (Ubuntu, Linux Mint, etc.) - Should work without issues
- 🔄 Other Linux distributions (RHEL, CentOS, Fedora, Arch, openSUSE, Alpine) - Should work with proper package installation
- 🔄 macOS - Should work with Homebrew dependencies
The cross-platform design ensures consistent functionality across different operating systems, with automatic dependency management and fallback mechanisms built into the scripts.
When contributing to this project:
- Test both platforms - Ensure changes work on Windows and Linux
- Maintain feature parity - Keep functionality identical across platforms
- Update documentation - Document changes in this README
- Security first - All changes must maintain or improve security
- Error handling - Ensure robust error handling and user feedback
This project is provided as-is for educational and personal use. Please review and comply with the licenses of all included components:
- PSPGP module (see PSPGP folder)
- Bundled curl.exe
- All other dependencies
Important Security Considerations:
- Protect your API tokens - Never commit them to version control
- Secure your keys directory - The .gitignore file helps prevent accidental commits
- Regular key rotation - Consider regenerating PGP keys periodically
- Monitor DNS records - Regularly check your Cloudflare DNS records
- Use strong subdomains - Use complex, unpredictable subdomain names
Warning: While the encryption is military-grade, the security of your setup depends on:
- Proper Cloudflare account security
- Secure storage of the local keys directory
- Protection of your API tokens
- Regular security updates of your system
The keys directory is automatically ignored by Git, but ensure you have secure backups of your keys if needed.