At a Glance:
CryptPad is an end-to-end encrypted, open-source collaboration suite that encrypts user data in the browser before synchronizing document changes in real time, ensuring server operators and potential attackers cannot access content.
Overview:
CryptPad is an open-source collaboration suite that provides real-time document synchronization with a focus on privacy through end-to-end encryption. All user data is encrypted in the browser before transmission, meaning that service administrators cannot access user content and database breaches do not expose readable information. The platform uses cryptographic keys derived from usernames and passwords for account access, eliminating the need for the server to handle credentials. CryptPad is actively developed and maintained by XWiki SAS on a three-month release cycle, and includes safeguards to prevent malicious script injection in collaborative documents and uploads. It is designed for users who need collaborative editing tools with architectural guarantees against server-side content access.
Key Decision Points:
Encryption model: User data is encrypted in the browser before transmission and storage, so neither server operators nor attackers can read content if the server or database is compromised.
Trust requirements: The encryption code is served from the host server on each page load, so users must still trust the administrator not to modify the code to leak encryption keys.
Account model: Registration and access use cryptographic keys derived from username and password, meaning the server never handles or stores plaintext credentials.
Recommended usage: Users should access instances via Tor browser if they want to minimize IP exposure, and should only use instances running the latest version due to active security improvements.
Core Features:
Real-time document synchronization: Changes to documents are synchronized between collaborators as they are made.
Browser-side encryption: All user content is encrypted in the browser before being sent to the server and other collaborators.
Cryptographic account access: User registration and authentication rely on cryptographic keys derived from username and password, avoiding server-side credential handling.
Collaborator script injection safeguards: A correctly configured instance has protections to prevent collaborators from injecting malicious scripts into documents or uploads.
Three-month release cycle: The project is actively maintained with a regular release schedule, and users are advised to use instances running the most recent version.
Use Cases:
Privacy-conscious teams who need real-time document collaboration but want architectural guarantees that server operators cannot access their content.
Users in high-trust environments who still want protection against server breaches, since database contents remain encrypted and unreadable in the event of compromise.
Individuals and groups seeking a collaborative editing platform where account credentials are never transmitted to or stored by the server.
Open-Source Alternative Value:
CryptPad provides a collaboration suite where end-to-end encryption is built into the architecture rather than added as a feature, with encryption performed in the browser before any data leaves the user's machine. The open-source code allows experts to independently verify that the client-side encryption implementation does not leak keys or expose user content. Its cryptographic account model means the server never handles passwords or usernames directly, reducing the amount of data exposed to service operators. The project is actively maintained by a team with a publicly documented release cycle and ongoing security improvements, with plans to develop a public directory of servers meeting strict configuration and safety criteria.