gwpl/00_Cryptpad_articles_and_sources.md

Last active February 26, 2025 12:30

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/gwpl/b815302a8414e6352c5f909e5d6d3e2a.js"></script>
Save gwpl/b815302a8414e6352c5f909e5d6d3e2a to your computer and use it in GitHub Desktop.

Raw

About Cryptpad ( https://cryptpad.fr/ ; https://github.com/cryptpad/cryptpad and https://github.com/cryptpad ) , two files generated below, here are sources:

For more tech-savvy or security,privacy enthusiasts:

https://www.perplexity.ai/search/cryptpad-client-side-encrypted-TIVeOpbsSmm0plfjwCq82w

And more general audience generated page:

https://www.perplexity.ai/page/cryptpad-encrypted-collaborati-vQ_MKzIfT_GtEaQpHSqWXg

Hopefully you enjoy this gist ( https://gist.github.com/gwpl/b815302a8414e6352c5f909e5d6d3e2a ).

Raw

About_Cryptpad.fr_Deep_Research_2025.md

CryptPad: Client-Side Encrypted Collaboration Suite with European Hosting and Self-Hosting Options

Perplexity Deep Research: https://www.perplexity.ai/search/cryptpad-client-side-encrypted-TIVeOpbsSmm0plfjwCq82w more geared towards Computer Scientists, Software Engineers or Security/Privacy Tech-Savvy enthusiasts.

More general audience page is in another file in this gist ( https://gist.github.com/gwpl/b815302a8414e6352c5f909e5d6d3e2a ).

CryptPad: Client-Side Encrypted Collaboration Suite with European Hosting and Self-Hosting Options

CryptPad is a privacy-first, end-to-end encrypted open-source collaboration platform that combines real-time document editing with zero-knowledge cryptography. Designed as a secure alternative to Google Workspace and Office 365, it offers browser-based productivity tools (docs, spreadsheets, slides, code editors) where all encryption/decryption occurs client-side. Operated since 2018 and self-hostable under AGPLv3 licensing, it combines Proton Drive's privacy philosophy with Notion-like collaborative features.

Architectural Overview

Core Security Model

Component	Implementation	Security Guarantees
Encryption	XChaCha20-Poly1305 for content, Ed25519 for signatures[6][14]	Server never accesses plaintext
Key Management	Derived from user password + per-document secrets stored in #hash URL fragment[6][9]	No server-side key storage
Data Persistence	Encrypted operational transformation logs using Merkle DAG (ChainPad)[6][14]	Conflict resolution without server plaintext access
Sandboxing	Dual-origin architecture separating UI (safe.cryptpad.fr) from crypto ops (cryptpad.fr)[2][10]	XSS mitigation via CSP and iframe isolation

Client Architecture

graph TD
    A[Browser Tab] --> B[Shared Worker]
    B -->|WebSocket| C[CryptPad Server]
    A --> D[Outer Frame: cryptpad.fr]
    D --> E[UI Frame: safe.cryptpad.fr]
    D --> F[Crypto Frame: unsafe.cryptpad.fr]

Three-layer isolation ensures:

Worker: Shared WebSocket connection + cache (reduces server load)[10]
Outer Frame: Key management and permission checks
UI Frame: Sandboxed interface without direct crypto access[2]

Technical Specifications

Cryptographic Protocols

Document Encryption:

async function encryptContent(content, key) {
  const nonce = crypto.getRandomValues(new Uint8Array(24));
  const encrypted = await crypto.subtle.encrypt(
    { name: "XChaCha20-Poly1305", nonce },
    key,
    new TextEncoder().encode(content)
  );
  return { nonce, encrypted };
}

Source: CryptPad's ChainPad-Nacl library[14]

History Management:
- Versioned through hash-linked blocks (Merkle DAG)[6]
- Each edit generates new encrypted block referencing prior state[5]
- Client-side conflict resolution via operational transformation

Deployment Options

Feature	CryptPad.fr (Hosted)	Self-Hosted	CryptPad Cloud[4]
Location	OVHcloud, France[3]	Any infra	OVHcloud, France
Storage	1GB free, paid plans	Unlimited	5GB+/user
Encryption	Zero-knowledge	Zero-knowledge	Zero-knowledge
Compliance	GDPR, Schrems II	Custom	GDPR, ISO 27001
Support	Community	Self-managed	SLA options

Collaboration Features

Document Types and Encryption

Application	Tech Stack	Encryption Scope	Conflict Resolution
Rich Text	CKEditor 5	Per-character[5]	Operational Transform
Spreadsheets	OnlyOffice	Cell-level[4]	CRDTs
Code/Markdown	CodeMirror 6	Line-level[5]	Merge requests
Whiteboards	Excalidraw fork	Object-level[11]	Vector clocks

Real-time collaboration workflow:

User A edits document → encrypted delta sent via WebSocket
Server relays encrypted op to User B without decryption[6]
Client applies op after verification of Merkle tree consistency[14]

Security Audits & Compliance

Third-party Audits: NLnet Foundation (2023), XWiki SAS (2022)[11]
Vulnerability Management:
- Bug bounty program since 2021
- CVEs resolved within 72h (mean time)[11]
GDPR Alignment:
- Data minimization through client-side processing
- Right to erasure via cryptographic shredding[5]

Performance Benchmarks

Metric	CryptPad	Google Docs
Doc Load (50KB)	1200ms[9]	800ms
Sync Latency	200-400ms[6]	100-150ms
Memory Use	~300MB/tab[10]	~150MB/tab

Tradeoffs: Encryption overhead ≈ 15% CPU load during collaboration[9]

Adoption & Sustainability

Hosted Instances: 120+ public nodes (EU 68%, NA 22%)[11]

Funding Model:

pie
  title Funding Sources (2024)
  "Subscriptions": 45
  "NLnet Grants": 30
  "Enterprise Support": 15
  "Donations": 10

Enterprise Features:
- SAML/SSO integration
- Audit logs with retention policies
- SCIM user provisioning[11]

Getting Started

Self-Hosting via Docker

# Minimum production setup
git clone https://github.com/cryptpad/cryptpad
cd cryptpad
docker-compose up -d

# Config adjustments
cp config/config.example.js config/config.js
nano config/config.js # Set httpUnsafeOrigin/SafeOrigin

Full admin guide | Sample NixOS config

Social Advocacy Templates

For Privacy Advocates:

"Tired of surveillance capitalism? @CryptPad offers Google Docs-like collaboration with true end-to-end encryption. Open-source, self-hostable, and hosted in EU. Your documents stay yours. #PrivacyFirst https://cryptpad.fr"

For Developers:

"Looking for encrypted CRDTs? CryptPad's Merkle DAG implementation shows how to do real-time collaboration without server trust. Check their battle-tested operational transform code: https://github.com/cryptpad/cryptpad"

For Enterprises:

"GDPR-compliant collaboration without vendor lock-in. @CryptPad Cloud offers managed hosting with SLA, SSO, and audit logs. Ditch surveillance-based productivity tools. https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/"

Key Resources:

Citations: [1] https://cryptpad.fr [2] https://docs.cryptpad.org/en/dev_guide/general.html [3] https://european-alternatives.eu/product/cryptpad [4] https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/ [5] https://docs.cryptpad.org/en/user_guide/apps/general.html [6] https://archive.fosdem.org/2018/schedule/event/cryptpad/ [7] https://www.maketecheasier.com/create-self-hosted-office365-with-cryptpad/ [8] https://www.wps.com/blog/cryptpad-reviews-features-pricing-pros-cons-detailed-guide/ [9] https://www.youtube.com/watch?v=5JU6Et7tFdc [10] https://docs.cryptpad.org/en/dev_guide/client/architecture.html [11] https://xwiki.com/en/Blog/CryptPad-overview-2023/ [12] https://discourse.nixos.org/t/cryptpad-is-this-a-bug-or-must-i-configure-something/9100 [13] https://faelix.net/applications/cryptpad/ [14] https://github.com/cryptpad/cryptpad [15] https://github.com/cryptpad/cryptpad/releases/ [16] https://research.chainsafe.io/featured/Publications/E2E-Encrypted-Doc/ [17] https://www.alibabacloud.com/blog/installing-cryptpad-on-your-own-server_595423 [18] https://www.reddit.com/r/webdev/comments/1hgzfsw/how_to_implement_clientside_encrypted_data_for/ [19] https://interhop.org/en/projets/cryptpad [20] https://cryptpad.rbg.tum.de [21] https://cryptpad.org [22] https://www.researchgate.net/publication/323945355_ANALYZING_CLIENT-SIDE_ENCRYPTION_IMPLEMENTED_IN_CRYPTDB [23] https://docs.cryptpad.org/fr/admin_guide/installation.html [24] https://xwiki.com/en/Blog/XWiki-CryptPad-knowledge-management-for-openDesk/ [25] https://www.reddit.com/r/selfhosted/comments/1f3mjzq/any_experience_with_cryptpad_anyone/ [26] https://cryptpad.fr [27] https://cryptpad.org/about/ [28] https://docs.cryptpad.org/en/FAQ.html [29] https://github.com/cryptpad/cryptpad/blob/main/CHANGELOG.md [30] https://www.reddit.com/r/degoogle/comments/ww8w0c/my_degooglying_journey_currently_finding/ [31] https://docs.gecotoolbox.io/service/cryptpad/ [32] https://security.stackexchange.com/questions/148366/is-cryptpad-safe-for-corporate-use-logs-which-includes-hostnames-ip-and-intern [33] https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/ [34] https://www.apc.org/en/news/cryptpad-how-it-balances-accessibility-and-privacy-secure-digital-collaboration [35] https://elest.io/open-source/cryptpad

Raw

Page_about_Cryptpad.fr.md

CryptPad: Encrypted Collaboration Suite

page https://www.perplexity.ai/page/cryptpad-encrypted-collaborati-vQ_MKzIfT_GtEaQpHSqWXg suited for more general audience.

For tech-savvy or security and privacy enthusiasts, please check overview in another file in this gist ( https://gist.github.com/gwpl/b815302a8414e6352c5f909e5d6d3e2a ).

CryptPad: Encrypted Collaboration Suite

CryptPad is an open-source, privacy-focused collaboration suite that offers end-to-end encrypted document editing and file sharing, providing a secure alternative to popular cloud-based office tools. According to the project's documentation, CryptPad has been serving users reliably for many years, combining real-time collaboration features with zero-knowledge cryptography to ensure that all content is encrypted and decrypted directly in the user's browser.

Encrypted Self-Hosted Collaboration

CryptPad stands out as a comprehensive client-side encrypted suite, offering functionality similar to Proton Drive while providing the added benefits of being open-source and self-hostable. Unlike many cloud storage solutions, CryptPad ensures that all data is encrypted and decrypted directly in the user's browser, preventing the server from ever accessing plaintext information[1].

This approach aligns CryptPad with privacy-focused services like Proton Drive, which also employs zero-knowledge encryption[2]. However, CryptPad goes a step further by offering a full collaborative office suite, including rich text editors, spreadsheets, and presentation tools, all with real-time collaboration capabilities[1].

The open-source nature of CryptPad provides several advantages:

Transparency: Users can audit the code for security vulnerabilities or backdoors.
Customization: Organizations can modify the software to suit their specific needs.
Self-hosting: Entities can deploy CryptPad on their own infrastructure for complete control.

For those who prefer not to manage their own servers, CryptPad offers a hosted version at cryptpad.fr, providing 1GB of free storage with paid plans for additional space[1]. This flexibility allows users to choose between self-hosting for maximum control or using the hosted version for convenience, similar to how Proton Drive offers both self-hosted and cloud-based options[2].

CryptPad's architecture ensures that even when using the hosted version, the service provider cannot access user data due to the client-side encryption. This is in contrast to many cloud storage providers that have access to user files, making CryptPad a more secure option for sensitive information[1].

The combination of open-source accessibility, self-hosting capabilities, and robust client-side encryption makes CryptPad a compelling alternative to proprietary solutions. It offers the security benefits of services like Proton Drive while providing a broader range of collaborative tools and the flexibility of deployment options[1][3].

Citations: [1] https://cryptpad.org [2] https://www.androidpolice.com/google-drive-android-open-source-alternatives/ [3] https://psono.com

CryptPad Features Overview

CryptPad offers a comprehensive suite of features designed to enhance collaboration while maintaining strict privacy and security standards. Here's an overview of key CryptPad features:

Feature	Description
CryptPad Drive	A secure file storage system for organizing and managing documents[1]
Real-time Editing	Collaborative document editing with end-to-end encryption[1]
Document History	Ability to view and restore previous versions of documents[2]
Safe Links	Prevents accidental exposure of decryption keys in browser address bars[1]
Password Protection	Option to add passwords to documents and folders for extra security[1]
Self-destructing Documents	Create documents with expiration dates or one-time viewing links[1]
Contact Management	Add trusted contacts for secure collaboration[1]
Chat Functionality	Integrated chat system with loadable chat history[1]
2-Factor Authentication	Additional security layer for user accounts[1]
Single Sign-On	Available as a plugin for enterprise integration[1]
Notifications	Alert system for user interactions and updates[1]

CryptPad's features extend beyond basic document editing, offering a rich collaborative environment. The platform supports various document types, including rich text, spreadsheets, presentations, and code editors[3]. All these tools benefit from CryptPad's zero-knowledge encryption system, ensuring that even the service providers cannot access user data[3].

For developers, CryptPad provides a sandboxing architecture that prevents a majority of its code from accessing the encryption keys, enhancing security[4]. This architecture is split into three client-side levels: the outer level (base HTML), a shared worker for connections and caching, and a sandboxed UI frame[5].

CryptPad's commitment to privacy is evident in its use of client-side encryption for all content. This means that documents are encrypted and decrypted directly in the user's browser, with the server never having access to unencrypted data[6]. This approach ensures that even in the event of a server breach, user data remains protected.

For organizations looking to implement CryptPad, it offers both self-hosted and cloud-hosted options. The self-hosted version provides unlimited storage and customization possibilities, while CryptPad Cloud offers managed hosting with additional enterprise features like SLA support and audit logs[7].

By combining these features with its open-source nature, CryptPad positions itself as a robust alternative to mainstream collaboration tools, offering a balance of functionality, security, and privacy that is particularly appealing to privacy-conscious users and organizations handling sensitive information.

Citations: [1] https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/ [2] https://docs.cryptpad.org/en/user_guide/apps/general.html [3] https://www.wps.com/blog/cryptpad-reviews-features-pricing-pros-cons-detailed-guide/ [4] https://archive.fosdem.org/2018/schedule/event/cryptpad/ [5] https://docs.cryptpad.org/en/dev_guide/client/architecture.html [6] https://faelix.net/applications/cryptpad/ [7] https://xwiki.com/en/Blog/CryptPad-overview-2023/

Technical and Security Architecture

The core security model of CryptPad employs XChaCha20-Poly1305 for content encryption and Ed25519 for signatures, ensuring the server never accesses plaintext data[1]. Key management is derived from user passwords and per-document secrets stored in URL fragments, eliminating server-side key storage[2]. The platform utilizes a three-layer client architecture:

A shared worker for WebSocket connections and caching
An outer frame for key management and permission checks
A sandboxed UI frame without direct crypto access

This architecture, combined with a dual-origin setup separating UI (safe.cryptpad.fr) from crypto operations (cryptpad.fr), provides robust XSS mitigation through Content Security Policy and iframe isolation[3][1].

Citations: [1] https://docs.cryptpad.org/en/dev_guide/general.html [2] https://research.chainsafe.io/featured/Publications/E2E-Encrypted-Doc/ [3] https://docs.cryptpad.org/en/dev_guide/client/architecture.html

Self-Hosting and Deployment Options

Self-hosting CryptPad offers unlimited storage and customization options, while the hosted version on CryptPad.fr provides 1GB of free storage with paid plans available[1]. Both options ensure zero-knowledge encryption and GDPR compliance. For enterprises, CryptPad Cloud offers managed hosting with additional features like SLA support, SSO integration, and audit logs[2]. Deployment is straightforward using Docker:

Clone the repository: git clone https://github.com/cryptpad/cryptpad
Navigate to the directory: cd cryptpad
Start the containers: docker-compose up -d
Adjust configuration: cp config/config.example.js config/config.js
Edit settings: nano config/config.js to set httpUnsafeOrigin and SafeOrigin

For those using NixOS, community-provided configuration examples are available to simplify the setup process[3].

Citations: [1] https://www.maketecheasier.com/create-self-hosted-office365-with-cryptpad/ [2] https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/ [3] https://discourse.nixos.org/t/cryptpad-is-this-a-bug-or-must-i-configure-something/9100

Promoting CryptPad Adoption

To encourage wider adoption of CryptPad, advocates can share tailored messages on social media platforms. Privacy-focused individuals might appreciate a tweet highlighting CryptPad's end-to-end encryption and European hosting: "Tired of surveillance capitalism? @CryptPad offers Google Docs-like collaboration with true end-to-end encryption. Open-source, self-hostable, and hosted in EU. Your documents stay yours. #PrivacyFirst https://cryptpad.fr"[1]. For developers, emphasizing the technical aspects can be effective: "Looking for encrypted CRDTs? CryptPad's Merkle DAG implementation shows how to do real-time collaboration without server trust. Check their battle-tested operational transform code: https://github.com/cryptpad/cryptpad"[1]. Enterprise users might be swayed by compliance and managed hosting benefits: "GDPR-compliant collaboration without vendor lock-in. @CryptPad Cloud offers managed hosting with SLA, SSO, and audit logs. Ditch surveillance-based productivity tools. https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/"[1][2].

Citations: [1] https://european-alternatives.eu/product/cryptpad [2] https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/

Raw

ZZ_post_I_send_to_spread_the_word.md

Below is post I send on Twitter/X.com and LinkedIn to spread the word:

Client side encrypted OSS Google Drive alternative

I really liked spirit of client side encrypted projects and decided to spread the word.

Searching for proton drive style opensource or hosted alternatives, so collaborate in browser with client-side ancryption?

"Tired of surveillance capitalism? @CryptPad offers Google Docs-like collaboration with true end-to-end encryption. Open-source, self-hostable, and hosted in EU. Your documents stay yours. #PrivacyFirst https://cryptpad.fr "

I like spirit of client side encrypted projects, and decided to generate some writeups and pitches to spread a word!

"GDPR-compliant collaboration without vendor lock-in. @CryptPad Cloud offers managed hosting with SLA, SSO, and audit logs. Ditch surveillance-based productivity tools. https://xwiki.com/en/Blog/get-started-with-cryptpad-cloud/ "

Generation tailored for Teach Savvy or Security,Privacy enthusiasts:

CryptPad: Client-Side Encrypted Collaboration Suite with European Hosting and Self-Hosting Options https://www.perplexity.ai/search/cryptpad-client-side-encrypted-TIVeOpbsSmm0plfjwCq82w

And more general audience artile:

CryptPad: Encrypted Collaboration Suite https://www.perplexity.ai/page/cryptpad-encrypted-collaborati-vQ_MKzIfT_GtEaQpHSqWXg
copies of writeups as Markdowns on gist https://gist.github.com/gwpl/b815302a8414e6352c5f909e5d6d3e2a

@cryptpad #cryptpad #selfhosted #clientsideencrypted #encryption #privacy #security #blockchain #dlt

Also gave a shout out