MCPSERV.CLUB
Enclosed

Self-Hosted

Send private notes with zero-knowledge encryption

Updated Jul 22, 2025

Overview

Enclosed is a lightweight, end‑to‑end encrypted note and file sharing platform that can be deployed on any infrastructure with minimal footprint. From a developer’s perspective, the application is intentionally simple: all cryptographic work happens in the browser using Web Crypto APIs, while the server exposes a stateless REST API that stores only ciphertext and metadata. This zero‑knowledge design removes the need for server‑side encryption keys, simplifying compliance and reducing attack surface.

Technical Stack

  • Frontend – A single‑page application written in TypeScript, compiled with Vite and bundled using esbuild. It relies on React for UI state management and react-i18next for internationalization.
  • Backend – A minimal Express/Node.js server written in TypeScript, running on top of a standard Node runtime. The API is RESTful and follows JSON:API conventions, exposing endpoints such as POST /notes, GET /notes/:id, and DELETE /notes/:id.
  • Database – Enclosed ships with a pluggable persistence layer. By default it uses SQLite for ease of self‑hosting, but the data access abstraction (db/) can be swapped out for PostgreSQL or MySQL with a small configuration change.
  • Storage – File attachments are stored in the same database as BLOBs or, when configured, on a mounted volume via Docker volumes. The storage engine is agnostic to the underlying file system.

Core Capabilities

  • Client‑side Encryption – Notes and attachments are encrypted using AES‑GCM 256, with keys derived via PBKDF2 from a user‑supplied password. The ciphertext is sent to the server; the key never leaves the browser.
  • TTL & Self‑Destruct – Each note can be assigned a time‑to‑live or marked for single‑read destruction. The server enforces expiration by periodically purging expired entries.
  • CLI Tool – @enclosed/cli allows automated note creation from scripts, exposing the same API surface as the web client. It’s useful for CI pipelines or automated incident reporting.
  • Authentication – Optional email/password auth via JWT is available for users who want to manage multiple notes. The authentication layer is pluggable and can be replaced with OAuth or SSO if needed.
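
The client-side encryption flow described above, as an added Web Crypto example (not Enclosed's own code): a key is derived with PBKDF2, the note is sealed with AES‑GCM 256, and only salt, IV and ciphertext are left for a server to store. The function names, iteration count, salt and IV sizes, and record layout are assumptions made for this sketch.

```javascript
// Added sketch, not Enclosed's source. The iteration count, salt/IV sizes and
// record layout are assumptions made for this example.
const PBKDF2_ITERATIONS = 600000;
const enc = new TextEncoder();
const toB64 = (u8) => btoa(String.fromCharCode(...u8)); // fine for note-sized data
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Browsers and current Node expose Web Crypto globally; older Node needs node:crypto.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Derive a non-extractable AES-GCM 256 key from the password and a per-note salt.
async function deriveKey(password, salt) {
  const { subtle } = await webCrypto();
  const material = await subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Client side: the returned record is all a server would need to store.
async function sealNote(password, plaintext) {
  const wc = await webCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per note
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { salt: toB64(salt), iv: toB64(iv), ciphertext: toB64(new Uint8Array(ct)) };
}

// Recipient side: returns null when the GCM tag check fails (wrong password or
// a record modified in storage or transit).
async function openNote(password, record) {
  const { subtle } = await webCrypto();
  const key = await deriveKey(password, fromB64(record.salt));
  try {
    const pt = await subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Because the stored record carries everything except the password, confidentiality rests on password strength and the PBKDF2 work factor, and on the integrity of the JavaScript the browser is served.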

Deployment & Infrastructure

Enclosed is designed for containerized environments. The official Docker image (corentinth/enclosed) can be run with a single command, exposing port 8787. For persistence, Docker volumes or bind mounts are recommended. The app is lightweight (under 50 MB for the image) and can run on a Raspberry Pi or in a serverless container platform. Rootless mode is supported, allowing non‑privileged users to run the service without elevating privileges.

Integration & Extensibility

While Enclosed’s API is intentionally minimal, it is fully consumable by any HTTP client. Webhooks are not baked in, but the backend exposes hooks for note creation and deletion that can be wired to external services via a simple middleware layer. The plugin system is currently limited, but the codebase follows SOLID principles, making it straightforward to add new authentication providers or storage backends. The public documentation includes a developer guide that covers extending the API, customizing the UI theme, and contributing to the project.

Developer Experience

The project is open source under Apache 2.0, with comprehensive docs at docs.enclosed.cc. The repository structure is clean: /src for TypeScript, /db for adapters, and /public for static assets. Tests are written with Jest, and the CI pipeline runs linting, type checks, and unit tests on every PR. Community support is active via GitHub Discussions and a dedicated Discord channel, where contributors can request features or report bugs. The CLI and Docker docs are succinct yet complete, enabling rapid onboarding for new developers.

Use Cases

  • Secure Internal Memo Service – Deploy on a company intranet to share confidential notes without storing plaintext.
  • Incident Response – Use the CLI to drop encrypted logs into Enclosed and share them with a response team.
  • Personal Data Vault – Run locally on a NAS to keep encrypted notes and files accessible only via the browser.
  • Education – Provide students with a safe way to submit assignments that are automatically deleted after grading.

Advantages

Enclosed offers developers a zero‑knowledge, client‑side encrypted solution that is trivial to deploy and maintain. Its small footprint, TypeScript codebase, and Docker readiness make it a compelling alternative to heavier self‑hosted tools. The absence of server‑side secrets simplifies security audits, while the optional authentication layer adds flexibility for teams that need user management. Licensing under Apache 2.0 removes any commercial constraints, allowing integration into proprietary products without legal overhead.

Information

  • Category – other
  • License – APACHE-2.0
  • Stars – 1.7k

Technical Specs

  • Pricing – Open Source
  • Docker – Official
  • Supported OS – Linux, Docker
  • Author – CorentinTh
  • Last Updated – Jul 22, 2025