At a Glance:
Hoodik is a lightweight, self-hosted, end-to-end encrypted cloud storage server where all encryption and decryption happens in the browser, supporting chunked file transfers, a hybrid RSA + AEGIS-128L scheme, encrypted notes, and deployability via a single Docker container.
Overview:
Hoodik is a self-hosted cloud storage server designed to provide end-to-end encrypted file storage. Its core principle is that the server never has access to plaintext data; all encryption and decryption are performed client-side in the user’s browser. Built with a Rust and Actix-web backend paired with a Vue 3 frontend, it also includes an encrypted notes feature and supports file sharing via secure public links. Hoodik is packaged for Docker-first deployment, making it suitable for individuals who want to manage their own cloud storage infrastructure with a strong emphasis on data confidentiality through browser-enforced encryption.
Key Decision Points:
Client-side browser-based encryption: The server only handles encrypted data chunks and hashed metadata tokens; plaintext files, notes, and search terms are never exposed to the server.
Docker-first and self-hosted deployment: It is delivered as a single, multi-architecture Docker container, making it suitable for users comfortable with managing their own server infrastructure.
Flexible storage and database options: Supports local disk storage or any S3-compatible service, and can run with either a built-in SQLite database or an external PostgreSQL instance to suit different scaling and durability needs.
Key management responsibility: Account recovery is tied directly to a user’s RSA private key, which the server does not store, placing the responsibility for key backup squarely on the user.
Secure public sharing mechanism: File-sharing links include an encrypted key fragment that the recipient’s browser uses to decrypt the file locally, ensuring the file key is never exposed to the server or the link itself.
Core Features:
End-to-end encryption: Files are encrypted in the browser using a hybrid RSA-2048 and AEGIS-128L system before being uploaded in chunks, and are only decrypted after download.
Chunked file transfers: Files are split into encrypted chunks for concurrent upload and download, with an option to use a single tar archive request to reduce HTTP round trips.
Encrypted notes: A WYSIWYG editor allows for the creation of rich markdown notes that are encrypted, auto-saved, and searchable, with content processed just like uploaded files.
Secure public sharing links: Files can be shared via a link where the decryption key is appended as a URL fragment, ensuring the server and the link itself cannot access the file key.
S3-compatible storage support: In addition to local disk storage, encrypted file chunks can be stored on any S3-compatible service, such as MinIO or Backblaze B2.
Two-factor authentication: Optional TOTP-based two-factor authentication can be enabled per user for an additional layer of account security.
Use Cases:
Self-hosted private cloud storage for individuals: A user can deploy Hoodik on a personal VPS to store and synchronize sensitive documents and notes without relying on a third-party cloud provider.
Secure file sharing with encrypted links: A user can share files with others through a link that enables decryption directly in the recipient's browser, without the file key being logged or accessible on the server.
S3-compatible hybrid storage setups: A system administrator can configure Hoodik to store encrypted data chunks on a self-hosted MinIO cluster or a cloud S3 service, while keeping the database and other local state on the application server.
Open-Source Alternative Value:
Hoodik’s value as an open-source project is rooted in its transparent, browser-enforced encryption model combined with a self-hosted delivery. Users can deploy the single Docker container on their own infrastructure and inspect the implementation of its hybrid RSA + AEGIS-128L encryption and chunked transfer system. Its support for both local and S3-compatible storage, along with interchangeable SQLite and PostgreSQL databases, provides practical deployment flexibility. The decoupled architecture ensures that instance operators never have access to unencrypted user data, making it a relevant option for those prioritizing server-side data opacity in a self-managed storage system.
