Overview
Discover what makes CryptPad powerful
CryptPad is a self‑hosted, end‑to‑end encrypted office suite that delivers real‑time collaboration across a set of web applications (documents, spreadsheets, slides, chat, etc.). From a developer standpoint it functions as a **single‑page web application** backed by a REST/WS API that exposes the same features as the browser UI. All data stored on disk is already encrypted, so the server never sees plaintext content – a crucial advantage for compliance‑heavy deployments.
Technical Stack
- Front‑end: Pure JavaScript (ES6+) with a custom component system. The UI is rendered client‑side; the code bundle is ~200 KB and relies on WebRTC for peer‑to‑peer editing. No heavy frameworks are used, which keeps the bundle lightweight and highly portable.
- Back‑end: Node.js (v18+) powered by the cryptpad core library. The server is a single‑process HTTP/WS listener that delegates all storage to an SQLite or PostgreSQL database (the choice is configurable). The core library handles encryption, access control, and operational transformation for real‑time editing.
- Storage: Files are stored in a simple directory hierarchy; metadata lives in the database. The encryption keys are derived from user passwords using Argon2id, ensuring that even a compromised server cannot read data.
- Optional services: The system can be extended with Redis for session caching and a message queue (RabbitMQ or Kafka) for background tasks such as export jobs.
Core Capabilities & APIs
- Real‑time editing: Operational transformation (OT) and WebSocket based sync.
- Access control: Fine‑grained ACLs per document, with support for public read/write links.
- Export/Import: REST endpoints for exporting documents to Office/OpenDocument formats and importing external files.
- Plugin hooks: A simple hook system allows developers to inject custom logic (e.g., logging, analytics) into lifecycle events (`onDocumentCreate`, `onShare`).
- Webhooks: Outbound HTTP callbacks can be configured for events like document creation or deletion, enabling integration with CI/CD pipelines or external monitoring tools.
- API authentication: OAuth2‑like token system for programmatic access, facilitating automation scripts or external dashboards.
Deployment & Infrastructure
CryptPad is designed for containerized deployment. A Docker image (cryptpad/cryptpad) contains all runtime dependencies and can be orchestrated with Kubernetes, Docker Compose, or a simple docker run. The application scales horizontally by running multiple instances behind a load balancer; the shared database and file storage (e.g., NFS, S3‑compatible) ensure consistency. For high availability, the recommendation is to use a replicated PostgreSQL cluster and a shared file system.
Integration & Extensibility
- Custom authentication: Replace the default session store with LDAP, OAuth, or SAML providers via a middleware hook.
- File storage adapters: Swap the local file system for cloud backends (S3, GCS) using pluggable adapters.
- UI theming: CSS variables and a theme loader let developers create brand‑specific interfaces without touching core code.
- External services: The API can be consumed by other applications (e.g., a learning management system) to embed collaborative documents directly into their UI.
Developer Experience
- Documentation: The official docs cover setup, API reference, and plugin development. Community contributions are encouraged through GitHub issues and a dedicated Discord channel.
- Configuration: A single JSON/YAML file (`config.json`) controls all aspects (database, storage path, TLS settings). Environment variables can override defaults for CI/CD pipelines.
- Testing: The project ships with unit tests and integration scripts, facilitating continuous delivery for custom builds.
Use Cases
- Secure collaboration in regulated industries (healthcare, finance) where data must remain encrypted at rest and only authorized users can access it.
- Educational platforms that need a lightweight, privacy‑first alternative to Google Workspace for student projects and group notes.
- Open‑source project documentation where contributors can edit Markdown or LaTeX documents in real time without exposing source code to third‑party services.
- Internal knowledge bases that require a self‑hosted, searchable repository of documents, spreadsheets, and slides with fine‑grained permissions.
Advantages
- End‑to‑end encryption eliminates the risk of server‑side data breaches.
- Lightweight stack (no heavy frameworks) leads to fast startup times and low memory footprint.
- Open source licensing (AGPL‑3.0) allows full modification and redistribution, which is critical for organizations with strict compliance or custom integration needs.
- Active community ensures timely security patches and feature updates, reducing maintenance overhead compared to proprietary SaaS solutions.
CryptPad’s blend of strong security guarantees, developer‑friendly APIs, and minimalistic architecture makes it an attractive choice for teams that need a self‑hosted, privacy‑centric office suite without sacrificing collaboration or extensibility.
