A small, fast, async, self-hosted, security-focused file storage powered by gocryptfs. Fully encrypted. Versioned files. Irreversible deletion. Multi-user access. REST API.
Delivered as a Docker container. Works anywhere out of the box.
Explore docs Get started
Quick start
Clone the repo:
git clone https://github.com/artabramov/hidden.git
Install and run:
cd hidden && make install
Open in browser:
http://localhost
Ready to use.
Social Media
Subscribe on Telegram
for real-time updates:
telegram
t.me/hiddenupdates
First privacy, then everything else
Installed on any preferred hardware and works locally with role-based access. Stored files remain secure and fully protected from external interference.
Isolated
workspace
No internet required. There is no implicit data traffic, analytics collection, cloud services, or AI.
Protected
storage
Stored data is fully encrypted and managed only through the REST API with authentication.
Restricted
access
Role-based access minimizes accidental or malicious data modification and loss.
Multi-factor
authentication
Multi-factor authentication with one-time codes is used as an additional line of defense.
Not just storage — a fortress within
Files are encrypted, filenames are obfuscated, and metadata is hidden by-design. Even if storage is stolen or exposed, without the key data remains unreadable.
Upload
gateway
Uploaded files are routed to storage that is protected by gocryptfs.
Automated
encryption
The gocryptfs cipher enforces encryption for all data written inside.
Masked
filenames
File and folder names are transparently obfuscated and unreadable.
Shielded
metadata
Database, revisions, and thumbnails persist entirely in the storage.
Secret-key
protection
Encrypted data is exposed but cannot be decrypted without the secret key.
Careful with every file
Built-in mechanisms preserve data consistency and prevent accidental corruption within storage.
Version
history
With head-based versioning, the latest file state is the head; earlier revisions are retrievable.
Per-file
metadata
Includes file metadata, descriptions, automatic thumbnails, cross-field search.
Smart
locks
Flexible locking protects files from accidental corruption under multi-user access.
Read-only
mode
When read-only mode is enabled for a collection, files within it cannot be modified.
To protect at any cost or destroy forever
All operations rely on a secret key. If it's extracted, access is instantly disabled. Deleting files irreversibly removes their metadata, revisions, and thumbnails.
Secret key
protection
A single secret key governs access. If extracted, it instantly locks all data, making it inaccessible. It can be hot-removed without restarting the app.
Irreversible
deletion
Deletions irreversibly wipe files, revisions, and thumbnails, preventing post-deletion recovery (may not apply to SSDs or CoW filesystems).
Open API, open internals
A well-documented public API and full backend reference allow external software and developers to integrate, extend, and understand the app with ease.
A complete, OpenAPI/Swagger-powered public API makes the app fully programmable. Can be integrated, customized, or paired with a custom frontend.
Detailed developer documentation is generated with Sphinx, covering architecture, internals, and extension points.
Simple roles, clear permissions
Predefined roles control who can view, add, or edit content. This protects sensitive data while enabling collaboration.
Reader
Can only view existing data. Cannot create, change, or delete anything.
Author
Can view and create data, but cannot change or delete anything.
Editor
Can view, create and change data, but cannot delete anything.
Admin
Any operations on data and service functions are available.
One app that adapts to you
Run it solo, share with a team, or integrate as a secure data node. Or combine these modes seamlessly to match your workflow.
Standalone
The app can be installed on a personal computer or laptop and used by a single user.
Teamwork
Multiple approved users can access the app when it is installed on a device used within a local network.
Repository
Custom client programs or services can utilize the app's API to save data from multiple sources.
What's under the hood
The project is based on stable and widely adopted technologies, making it easy to maintain, extend, and customize when needed.
Fully async
framework
Powered by FastAPI to deliver fully asynchronous performance.
Reliable
encryption
gocryptfs keeps data encrypted and unreadable without the secret key.
Lightweight
database
Backed by SQLite for lightweight, file-based storage — no external DB.
Rapid
cache
Redis in-memory cache boosts speed and reduces database load.
FastAPI, gocryptfs, SQLite, and Redis are trademarks of their respective owners. Use is for identification only and does not imply endorsement.
Questions and answers
How to change the location of the secret key?
The secret key can be stored at any path accessible to the app — for example, a network folder, USB drive, or any local directory. To change the default location, update the SECRET_KEY_PATH variable in the .env file, move the secret key to the new path and restart the app.
How to restore the secret key?
It cannot be restored if lost. Make sure you have a copy of the secret key stored in a safe place — losing it means losing access to all data.
How to migrate data between apps?
To migrate data, you'll need two things: the encrypted data (volume hidden-data), and the secret key (volume hidden-secret). Copy the contents of both volumes to a new place and restart the app.
How to integrate the app in existing workflow?
The app provides a public HTTP API and complete documentation. You can use the API to create, read, update, and delete data, manage files, or trigger specific operations from external systems. Integration can be performed using any language or tool that supports HTTP requests.
Quick links
GitHub
Documentation
Contact us
Social media
t.me/hiddenupdates
mastodon.social/@artabramov
© 2025 All rights reserved. See the License.