A zero-knowledge encrypted file storage system with end-to-end encryption (E2EE). Built as a TypeScript monorepo using React, Hono, and Tauri.
KryptVault ensures that plaintext data never leaves the client. Files are encrypted locally using individual Data Encryption Keys (DEKs) before upload. The server stores only encrypted files and wrapped keys. Sharing is handled via public-key cryptography, re-wrapping keys for specific recipients without server-side decryption.
- Algorithm: XChaCha20-Poly1305 for file encryption.
- Key Exchange: X25519 key pairs.
- Key Management: Each file has a unique DEK. DEKs are wrapped (encrypted) with the user's public key.
- Sharing: Permissions are cryptographically enforced by re-wrapping the DEK with the recipient's public key.
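The encrypt, wrap and re-wrap flow described above, written out as an added TypeScript example. This is not KryptVault's own code: the function names, the HKDF-based wrapping construction and the `WRAP_INFO` label are assumptions. It uses only Node's built-in `crypto` module; because that module has no XChaCha20-Poly1305, the IETF ChaCha20-Poly1305 (12-byte nonce) stands in for the 24-byte-nonce variant the project uses, and `wrapDek` uses a sealed-box style construction (ephemeral X25519 key, HKDF-SHA256, AEAD) rather than whatever library call the project makes. The sample file contents are constructed.

```typescript
import * as crypto from 'crypto';

// Assumption: node:crypto lacks XChaCha20-Poly1305, so the IETF ChaCha20-Poly1305
// (12-byte nonce) stands in for the 24-byte-nonce variant the project uses.
const AEAD = 'chacha20-poly1305';
const NONCE_LEN = 12;
const TAG_LEN = 16;
const SPKI_LEN = 44; // DER-encoded X25519 public key (SubjectPublicKeyInfo)
const WRAP_INFO = 'kryptvault-dek-wrap'; // hypothetical HKDF context label

export interface UserKeys {
  publicKey: crypto.KeyObject;
  privateKey: crypto.KeyObject;
}

/** Each user holds an X25519 key pair; the private half never leaves the client. */
export function generateUserKeys(): UserKeys {
  return crypto.generateKeyPairSync('x25519');
}

/** AEAD seal: returns nonce || ciphertext || tag. */
function aeadSeal(key: Buffer, plaintext: Buffer): Buffer {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv(AEAD, key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]);
}

/** AEAD open; throws if the tag does not verify (wrong key or tampering). */
function aeadOpen(key: Buffer, sealed: Buffer): Buffer {
  const nonce = sealed.subarray(0, NONCE_LEN);
  const tag = sealed.subarray(sealed.length - TAG_LEN);
  const ct = sealed.subarray(NONCE_LEN, sealed.length - TAG_LEN);
  const decipher = crypto.createDecipheriv(AEAD, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

/** Fresh random DEK per file; `blob` is the only file data the server stores. */
export function encryptFile(plaintext: Buffer): { dek: Buffer; blob: Buffer } {
  const dek = crypto.randomBytes(32);
  return { dek, blob: aeadSeal(dek, plaintext) };
}

export function decryptFile(blob: Buffer, dek: Buffer): Buffer {
  return aeadOpen(dek, blob);
}

/** X25519 shared secret -> HKDF-SHA256 -> 32-byte key used only to wrap one DEK. */
function deriveWrapKey(privateKey: crypto.KeyObject, publicKey: crypto.KeyObject): Buffer {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), WRAP_INFO, 32));
}

/** Wrap a DEK for one recipient: ephemeralPub(SPKI DER) || nonce || ciphertext || tag. */
export function wrapDek(dek: Buffer, recipientPublic: crypto.KeyObject): Buffer {
  const eph = crypto.generateKeyPairSync('x25519');
  const wrapKey = deriveWrapKey(eph.privateKey, recipientPublic);
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return Buffer.concat([ephPub, aeadSeal(wrapKey, dek)]);
}

/** Only the holder of the matching private key can recover the DEK. */
export function unwrapDek(wrapped: Buffer, recipientPrivate: crypto.KeyObject): Buffer {
  const ephPub = crypto.createPublicKey({ key: wrapped.subarray(0, SPKI_LEN), format: 'der', type: 'spki' });
  return aeadOpen(deriveWrapKey(recipientPrivate, ephPub), wrapped.subarray(SPKI_LEN));
}

/** Runs on the owner's client: unwrap with the owner's key, re-wrap for the recipient. */
export function shareFile(wrappedForOwner: Buffer, owner: UserKeys, recipientPublic: crypto.KeyObject): Buffer {
  const dek = unwrapDek(wrappedForOwner, owner.privateKey);
  const wrappedForRecipient = wrapDek(dek, recipientPublic);
  dek.fill(0); // do not keep the raw DEK around longer than needed
  return wrappedForRecipient;
}

function throws(fn: () => void): boolean {
  try { fn(); return false; } catch { return true; }
}

/** End-to-end walk-through: upload, share, and the two failure modes the design relies on. */
export function demoShareFlow(): { recipientReads: boolean; outsiderFails: boolean; tamperDetected: boolean } {
  const alice = generateUserKeys();
  const bob = generateUserKeys();
  const mallory = generateUserKeys();
  const plaintext = Buffer.from('constructed sample file contents'); // constructed input

  // 1. Owner encrypts locally; only `blob` and `wrappedForAlice` are uploaded.
  const { dek, blob } = encryptFile(plaintext);
  const wrappedForAlice = wrapDek(dek, alice.publicKey);
  dek.fill(0);

  // 2. Owner shares with Bob by re-wrapping; the server stores `wrappedForBob`
  //    but never sees the DEK.
  const wrappedForBob = shareFile(wrappedForAlice, alice, bob.publicKey);

  const recipientReads = decryptFile(blob, unwrapDek(wrappedForBob, bob.privateKey)).equals(plaintext);
  const outsiderFails = throws(() => unwrapDek(wrappedForBob, mallory.privateKey));
  const tampered = Buffer.from(blob);
  tampered[NONCE_LEN] ^= 0x01; // flip one ciphertext bit: the Poly1305 tag must reject it
  const tamperDetected = throws(() => decryptFile(tampered, unwrapDek(wrappedForBob, bob.privateKey)));
  return { recipientReads, outsiderFails, tamperDetected };
}
```

Calling `demoShareFlow()` returns all three flags as `true`. The point to notice is where each operation runs: `encryptFile`, `wrapDek`, `unwrapDek` and `shareFile` are all client-side, so the server's role reduces to storing `blob` and the per-recipient wrapped DEKs and deciding who may fetch which one.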
| Component | Technology |
|---|---|
| Monorepo | Turborepo |
| Frontend | React, TanStack Router, TailwindCSS, shadcn/ui |
| Backend | Hono, Node.js |
| Desktop | Tauri (v2) |
| Database | PostgreSQL, Drizzle ORM |
| Storage | MinIO (S3-compatible) |
| Auth | Better-Auth |
```
krypt-vault/
├── apps/
│   ├── web/      # Frontend (React + TanStack Router)
│   └── server/   # Backend API (Hono)
├── packages/
│   ├── api/      # Business logic & shared types
│   ├── auth/     # Authentication config (Better-Auth)
│   └── db/       # Database schema & Drizzle config
```
- Node.js & pnpm
- PostgreSQL instance
- MinIO (or AWS S3 credentials)
- MinIO Client (`mc`) (optional, for local setup)
- Install dependencies:

  ```bash
  pnpm install
  ```

- Configure environment:

  Create `apps/server/.env`. You must define both S3 endpoints to avoid signature errors.

  ```env
  # Database
  DATABASE_URL="postgresql://user:password@localhost:5432/kryptvault"

  # Storage (MinIO example)
  AWS_ACCESS_KEY_ID="minioadmin"
  AWS_SECRET_ACCESS_KEY="minioadmin123"
  AWS_S3_ENDPOINT="http://localhost:9000"     # Internal/Docker
  PUBLIC_S3_ENDPOINT="http://localhost:9000"  # Public access
  AWS_BUCKET="krypt-vault-files"
  ```

- Set up MinIO bucket (local development):

  ```bash
  # 1. Configure alias
  mc alias set local http://localhost:9000 minioadmin minioadmin123

  # 2. Create bucket
  mc mb local/krypt-vault-files

  # 3. Set download policy (required for presigned URL access)
  mc anonymous set download local/krypt-vault-files
  ```

- Database migration:

  ```bash
  pnpm run db:push
  ```

- Run development server:

  ```bash
  pnpm run dev
  ```

  - Web: http://localhost:3001
  - API: http://localhost:3000
The desktop application is configured with a strict Content Security Policy (CSP) allowing connections only to self, the local API, and the production API.
To run the desktop environment:

```bash
cd apps/web
pnpm run desktop:dev
```

Default window size: 1000x800 (starts maximized).

- `pnpm run dev` - Start the full stack in development mode.
- `pnpm run build` - Build all apps and packages.
- `pnpm run db:push` - Push schema changes to the DB.
- `pnpm run db:studio` - Open Drizzle Studio to view DB data.