A self-hosted, security-focused file storage powered by gocryptfs. Fully encrypted. File versioning. Multi-user access. REST API.
Delivered as two separate Docker containers. The core service provides encrypted storage and a REST API. The web interface is optional and can be replaced or omitted.
Core service
Public repository. Available for code review, security audits, verification.
Web interface
Ready-to-use Docker image. Optional web interface for the core service.
Subscribe to our Telegram for updates, release announcements, security advisories, and upcoming events: t.me/hiddenupdates
What is Hidden?
It's a secure box for your private data.
Only you can get the files you put in.
The primary directive of the app is to protect data at rest at any cost. Built as the opposite of cloud storage services, it keeps all data local.

Built on an encrypted filesystem, the internal storage is designed to withstand full host compromise, including unauthorized filesystem access and physical device loss. Even if encrypted data is obtained from disk, the original contents cannot be recovered without the secret key and master password.
Open only when needed
Data remains encrypted at rest and is accessible only while the storage is unlocked. Once work is complete, the storage is closed again.
Secret key
The secret key is used to unlock the encrypted storage. It is stored only in encrypted form and can be decrypted only with the master password.
Master password
The master password protects the secret key and is never stored by the application. Its validity is verified by attempting to decrypt the key.
Auto close
The storage can be closed manually at any time. It is also closed automatically when the key becomes unavailable or the application is restarted.
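The key handling described above, as an added example that is not the project's own code: a secret key is wrapped under a password-derived key, and the master password is checked only by attempting the decryption. The page does not say which KDF or cipher Hidden uses, so scrypt, AES-256-GCM, the parameters, and all function and field names here are assumptions.

```javascript
// Added illustration, not Hidden's code. scrypt, AES-256-GCM, the parameters
// and every name below are assumptions made for this example.
const nodeCrypto = require('node:crypto');

const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('wrapped-secret-key-v1'); // binds the record format

// Derive the key-encryption key (KEK) from the master password.
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(Buffer.from(password, 'utf8'), salt, 32, KDF);
}

// Produce the record that would sit on disk: salt, nonce, ciphertext, tag.
// Neither the password nor any hash of it is part of the record.
function wrapSecretKey(secretKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const kek = deriveKek(password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, nonce);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(secretKey), cipher.final()]);
  const tag = cipher.getAuthTag();
  kek.fill(0); // best-effort wipe of the KEK
  return { salt: salt.toString('hex'), nonce: nonce.toString('hex'),
           ct: ct.toString('hex'), tag: tag.toString('hex') };
}

// The password check is the decryption attempt itself. A wrong password and
// a tampered record both fail the GCM tag check and both yield null.
function unwrapSecretKey(record, password) {
  const kek = deriveKek(password, Buffer.from(record.salt, 'hex'));
  try {
    const d = nodeCrypto.createDecipheriv(
      'aes-256-gcm', kek, Buffer.from(record.nonce, 'hex'));
    d.setAAD(AAD);
    d.setAuthTag(Buffer.from(record.tag, 'hex'));
    return Buffer.concat([d.update(Buffer.from(record.ct, 'hex')), d.final()]);
  } catch (err) {
    return null; // wrong password or modified record
  } finally {
    kek.fill(0);
  }
}
```

Because the stored record holds no password verifier, an offline guess costs a full scrypt derivation plus a decryption attempt.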
How internal storage works
Files are encrypted, filenames are obfuscated, and metadata is hidden by design. The same protection applies to revisions, thumbnails, and application metadata.
1. Upload gateway
Uploaded files are routed to storage that is protected by gocryptfs.
2. Automated encryption
The gocryptfs cipher enforces encryption for all data written inside.
3. Masked filenames
File and folder names are transparently obfuscated and unreadable.
4. Shielded metadata
Database, revisions, and thumbnails persist entirely in the storage.
5. Secret-key protection
Encrypted data cannot be decrypted without the key and master password.
Data remains portable
Internal data is stored in two volumes. They can be used to restore the application or mount the encrypted storage directly with gocryptfs.
Secrets volume
The secrets volume contains the encrypted secret key and other security-related data. It cannot be used without the master password, but should still be stored separately from the encrypted data.
Cipherdir volume
The cipherdir volume contains the encrypted storage itself. Without the secrets volume and the master password, its contents remain inaccessible. The volume can be backed up safely because it contains only encrypted data.
Beyond filesystem encryption
The application extends the encrypted filesystem with authentication, role-based access control, versioning, and other safeguards.
Local operation
No internet required. There is no implicit data traffic, analytics collection, cloud services, or AI.
Restricted access
Role-based access minimizes accidental or malicious data modification and loss.
Multi-factor authentication
Multi-factor authentication with one-time codes is used as an additional line of defense.
Version history
With head-based versioning, the latest file state is the head; earlier revisions are retrievable.
Write protection
When a folder is write-protected, the files and folders within it cannot be modified.
Audit log
Records security-relevant events, user actions, authentication attempts, and other operations.
Clean web interface
A lightweight web interface focused on the essentials. No clutter, no distractions, no unnecessary complexity.
Rich REST API
A feature-complete REST API for automation, integrations, and custom clients. Fully functional out of the box and open to external tools and integrations.
Encrypted storage keeps all files and metadata inside a gocryptfs-protected filesystem. Data remains unreadable at rest and becomes accessible only while the storage is mounted.
Two-step authentication with full support for MFA one-time passwords using standard authenticator apps.
Users can be registered, activated, updated, and assigned roles through a set of user management features.
Folders allow organizing files into a clear, hierarchical structure for easier navigation and management.
Files can include an additional summary, comments, and custom tags for faster search and filtering. When a file with the same name is uploaded again, it is not simply overwritten — a new revision is created and the full history of changes is preserved.
Typical deployment scenarios
Suitable for personal, professional, and self-hosted environments where data remains under local control.
Personal archives
Financial documents, photos, media collections, notes, scans, personal backups, credentials, and private records.
Team collaboration
Contracts, production assets, internal documentation, and shared project materials for teams and studios.
Self-hosted cloud
A private alternative to consumer cloud storage services for households, homelabs, and personal infrastructure.
Document repositories
Legal, accounting, research, administrative, and compliance-related documents requiring controlled access.
Storage integrations
Encrypted storage exposed through a REST API for integrations, automation, custom applications, and archival workloads.