From NixNet
Screenshot of CryptPad's rich text editor
Developer(s): XWiki SAS
Written in: JavaScript

CryptPad is a Zero Knowledge realtime collaborative editor. All data is encrypted in the browser so neither the backend server, the administrators, nor any third party can read it without the user's decryption key. Regarding its privacy and security, refer to this snippet from their repository:

CryptPad is private, not anonymous. Privacy protects your data, anonymity protects you. As such, it is possible for a collaborator on the pad to include some silly/ugly/nasty things in a CryptPad such as an image which reveals your IP address when your browser automatically loads it or a script which plays Rick Astley's greatest hits. It is possible for anyone who does not have the key to be able to change anything in the pad or add anything, even the server, however the clients will notice this because the content hashes in CryptPad will fail to validate.

The server does have a certain power, it can send you evil javascript which does the wrong thing (leaks the key or the data back to the server or to someone else). This is however an active attack which makes it detectable. The NSA really hates doing these because they might get caught and laughed at and humiliated in front of the whole world (again). If you're making the NSA mad enough for them to use an active attack against you, Great Success Highfive, now take the battery out of your computer before it spawns Agent Smith.

Still there are other low-lives in the world so using CryptPad over HTTPS is probably a good idea.

Make sure to read the Terms of Service and Privacy Policy as well.

Things to know

Refer to the FAQ for most questions

  • Users have 1 GB of storage available
  • Pads that have not been added to a registered user's drive expire after 30 days
  • "Deleted" data is archived for 15 days in case of accidental deletion. Following the 15th day, the data is permanently deleted.
  • Inactive accounts are removed after 90 days
  • Upload limit per-file is set to 20 MB