The Onion Routed Cloud is a decentralized, anonymous, storage and publishing platform designed to protect investigative journalists and their sources.

Join the discussion in #orc on our Rocket.Chat!

NPM Package | Docker Hub | AGPL-3.0 License


We provide Debian packages for Debian 10 (Buster), Ubuntu 18.04 (Bionic), or equivalent newer releases. Packages can be acquired via our APT repository or by direct download.

Make sure you have the required packages to setup the repository source:

sudo apt install gnupg2 lsb-release software-properties-common

Fetch the release signing key, add the repository, update your package cache and install!

sudo apt-key adv --keyserver --recv-keys 0E91E62407FB53DED129BDCC2794A30CB9212297
sudo add-apt-repository "deb $(lsb_release -cs) main"
sudo apt update
sudo apt install orc

If you are worried that you may be monitored or if the repository is censored by your ISP or government, you can access the repostiory as a Tor hidden service instead:

sudo apt-key adv --keyserver --recv-keys 0E91E62407FB53DED129BDCC2794A30CB9212297
sudo apt install apt-transport-tor tor
sudo add-apt-repository "deb tor://ijxj7jw2czgi4544xmf63arngmiesddlerisu47yswgf3pbsdpw477qd.onion/ $(lsb_release -cs) main"
sudo apt update
sudo apt install orc

Follow the post installation prompts to encrypt your private key. ORC will be installed as a systemd, sysv-init, or upstart service depending on your system.

Now you can access your node by running the ORC program from your applications menu! You may also access it by opening a browser and navigating to, or remotely by using
Tor Browser and navigating to the onion address that is contained in the file /etc/orc/bridge_hs/hidden_service/hostname.

Direct Download

Alternatively you can download a release package from the latest tag. Download links for the package(s) are in the release notes for each tagged release. Once downloaded you can install by running:

sudo dpkg -i orc_x.x.x_all.deb
sudo apt install -f
Process Monitoring

You may discover later that you'd like to tweak some advanced settings. Just update your configuration as desired at /etc/orc/config and restart the service.

sudo systemctl restart orc.service # or...
sudo service orc restart # or...
sudo /etc/init.d/orc restart # ...depending on your system

Depending on the init system you are using, you'll check logs differently.¬

journalctl -u orc # systemd
tail -f /var/log/orc/debug.log # otherwise

Using Docker

If you are on Mac OS or a GNU/Linux distribution that is not based on Debian, just install Docker and run the commands below:

docker pull orcproject/orc
mkdir ~/.config/orc
docker run -it -v ~/.config/orc:/root/.config/orc orcproject/orc --reset-passphrase

This will generate the configuration files and encrypted private keys and exit. Now you can run the ORC daemon, supplying it with these files and publishing the web interface port to the host (if you wish to access it locally):

docker run -it -p -v ~/.config/orc:/root/.config/orc orcproject/orc

You must run the container with the -i or --interactive flag so you can set and/or input your passphrase. There is also a command line option for orc that will non-interactively read the passphrase from a file, --passphrase. If you wish you run the container non-interactively. This is useful for running a node in the cloud remotely and letting it restart automatically if it exits or reboots:

echo 'MySecurePassphrase' > ~/.config/orc/passwd
docker run \
--restart always \
--volume ~/.config/orc:/root/.config/orc \
--publish \
--tty --detach \
orcproject/orc --passphrase /root/.config/orc/passwd

Then you can access your node via it's authenticated onion service using Tor Browser. Note that in order to run the container detached with automatic restarts, you cannot use the --interactive flag and must use the --passphrase method shown above. Consult the Docker documentation for details on different options.


On first run, ORC will generate a fresh configuration and setup the data directory. Modify the created configuration (/etc/orc/config or ~/.config/orc/config) as desired (see the Configuration Guide) and kill the process. Once you are satisfied with your configuration, run ORC again.

Once started, you can setup your node through the Web UI which is accessible via both a local port and onion address printed to the console when running orc and written to $ORC_CONFIG_DIR/bridge_hs/hidden_service/hostname. You can also use the guide for Using the REST API to interact with you node if you are a developer or advanced user!

ORC works on an explicit trust model. By default, ORC will only trust unknown nodes for discovering peers, retreiving public objects, and storing object metadata. If you want to store objects, you must establish trust with other nodes. This is done explicity by all parties who trust each other. Run ORC with your friends, other activists, or complementary organizations.

Each node is identified by the hash of their public key. You'll see this on every log line under the name property. For example, b605647afc146760fc15ef7cd59720f1ee7d82e1. To establish trust with a friend, each of you must provide your identity to each other out of band (we recommend using Ricochet). Once you've exchanged identity keys, add a trust policy to your configuration file (or via the web interface).


For every node you wish to add to your storage grid, each must add a policy like the above which says "allow b605647afc146760fc15ef7cd59720f1ee7d82e1 to store and retrieve shards. You can also add new trusted peers using the web interface. See the Configuration Guide for more information.

If you are a press organization or activist group and would like help getting setup with ORC, please reach out to us by email at counterpoint[at] - we'd love to assist you!

Automatic Security Updates

When running the ORC server installation with Docker, you can configure your node to periodically check for updates and automatically download the latest image and restart your node to make sure you are always running the latest stable release. Since you already have Docker installed, pull the image for Watchtower and run it.

docker pull v2tec/watchtower
docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock v2tec/watchtower

Now, Watchtower will check for the latest stable images for running containers and automatically update them.


To hack on the ORC project, clone this repository and use Docker Compose. See Manual Installation for more detailed instructions about installing prerequisites.

git clone
cd orc
npm install
npm start

This will volume mount the the appropriate directories for development, and then boots up a complete sandboxed ORC network, including a complete sandboxed Tor network and once bootstrapped, binds ports 10089, 11089, 12089, 13089, and 14089 to the host for full end-to-end testing using 5 nodes in a trusted grid. Each of these nodes can be controlled in your web browser by visiting their respective ports. The passphrase for each running node is: Simulation for accessing the web interfaces.

The development container does not persist state between runs. Note that stable releases are tagged and the master branch may contain unstable or bleeding-edge code. Happy hacking!



ORC - Distributed Anonymous Cloud  
Copyright (C) 2017  Counterpoint Hackerspace, Ltd.  
Copyright (C) 2017  Gordon Hall  

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <>.