CryptoCloud
A production-grade encrypted cloud storage platform where the server has zero knowledge of your data. All encryption happens in your browser before files leave your device.
The Problem
Traditional cloud storage providers (Google Drive, Dropbox, OneDrive) have full access to your files. They can:
CryptoCloud solves this by implementing client-side encryption where all cryptographic operations happen in your browser before data leaves your device.
What Makes CryptoCloud Different
Zero-Knowledge Architecture
The server stores only encrypted blobs it cannot read. Your master encryption key never leaves your browser. Even if the database is breached, attackers get only useless ciphertext.
Envelope Encryption
Each file gets a unique AES-256 key. File keys are encrypted with your master key and stored separately. Enables secure sharing without exposing other files.
Secure Sharing via RSA
Share files with other users using RSA-4096 public key cryptography. The server never sees the decrypted file key. File sharing works without trusting the backend.
Production-Ready
Deployed on cryptocloud.dev with real user data. Handles file uploads, downloads, sharing, and 2FA. Built with FastAPI, MongoDB, S3, and Next.js.
How It Works
You Create an Account
Your browser derives a master encryption key from your password using PBKDF2 with 100,000 iterations. This key never leaves your device. The server only receives a bcrypt hash for authentication.
You Upload a File
Your browser generates a random AES-256 key for this file. Encrypts the file with AES-256-GCM. Encrypts the file key with your master key. Uploads encrypted blob to S3. Stores encrypted key in MongoDB.
encrypted_file = AES-GCM(random_key, file_data)You Share a File
Your browser decrypts the file key with your master key. Wraps the file key with the recipient's RSA-4096 public key. Server stores the wrapped key but cannot decrypt it. Recipient unwraps with their RSA private key (also encrypted with their master key).
wrapped_key = RSA-OAEP(recipient_public_key, file_key)Server Has Zero Knowledge
The backend sees: encrypted blobs, encrypted keys, file metadata (name, size), share relationships. It cannot see: file contents, decrypted keys, your password, your master key.
Tech Stack
Frontend
- Next.js 16.1 (React 19)
- TypeScript 5
- Web Crypto API
- Tailwind CSS 4
Backend
- FastAPI (Python 3.13)
- MongoDB 6.0
- AWS S3 / DigitalOcean Spaces
- JWT Authentication
Cryptography
- AES-256-GCM
- RSA-4096-OAEP
- PBKDF2 (100k iterations)
- bcrypt password hashing
Key Features
Deep Dives
Architecture & Infrastructure
Backend design, data flow, upload/download pipelines, MongoDB schemas, S3 integration, and Celery background workers.
Security Model & Threat Analysis
Zero-knowledge guarantees, threat model, what is and isn't protected, database breach scenarios, and known weaknesses.
Cryptography Implementation
AES-GCM encryption, RSA-OAEP key wrapping, PBKDF2 key derivation, envelope encryption, and complete key lifecycle.
Engineering Story
How I built it, design tradeoffs, mistakes I made, what I'd redesign today, and lessons learned from production deployment.
Try CryptoCloud Today
Experience zero-knowledge encryption in production. Upload your files, share them securely, and verify that the server truly cannot access your data.