Deploying a CryptPad App

Introduction

CryptPad is a privacy-focused, zero-knowledge collaborative office suite that encrypts all your data end-to-end. Unlike traditional cloud office tools where providers can access your documents, CryptPad ensures that only you and your collaborators can read what you create. Everything happens in your browser using client-side encryption, meaning the server never sees your unencrypted data.

What makes CryptPad special is its commitment to privacy without sacrificing functionality. You get rich text documents, spreadsheets, presentations, code editors, kanban boards, whiteboards, and forms—all with real-time collaboration and zero-knowledge encryption. Share documents securely, collaborate with teams, and maintain complete control over your data without trusting a third party to keep your information private.

Whether you’re a privacy-conscious individual, an organization handling sensitive information, or a team that values data sovereignty, CryptPad provides the tools you need. Deploying CryptPad on Klutch.sh gives you a self-hosted collaborative platform with persistent storage for encrypted documents, reliable infrastructure for team collaboration, and the peace of mind that comes from controlling your own data.

This comprehensive guide walks you through deploying CryptPad on Klutch.sh, configuring persistent storage for encrypted documents and user data, setting up authentication and admin controls, customizing your instance for your organization, and implementing best practices for running a production collaborative office suite.

Why Deploy CryptPad on Klutch.sh?

Automated Docker Detection: Klutch.sh automatically detects your Dockerfile in the repository root and builds your container without manual configuration
Zero-Knowledge Privacy: Host your own CryptPad instance where data is encrypted before it reaches the server
Persistent Storage: Built-in support for persistent volumes ensures your encrypted documents and user data survive deployments
Secure Infrastructure: Environment variables for admin credentials and encryption keys are stored securely
Production-Ready: Deploy a collaborative office suite with confidence using containerized infrastructure
Team Collaboration: Real-time document editing with multiple users without compromising privacy
Data Sovereignty: Complete control over where your data lives and who has access

Prerequisites

Before you begin deploying CryptPad on Klutch.sh, ensure you have:

A Klutch.sh account with dashboard access
A GitHub account for repository hosting
Docker installed locally for testing (optional but recommended)
Basic understanding of collaborative office suites and document management
Familiarity with web applications and user authentication
Knowledge of Docker containers and deployment concepts
A domain name for your CryptPad instance (recommended for production use)
Understanding of encryption concepts and data privacy principles

Understanding CryptPad Architecture

Technology Stack

CryptPad is built on modern web technologies with a focus on client-side encryption and privacy:

Core Platform:

Node.js for the server-side application with excellent real-time capabilities
Express.js web framework for routing and middleware
WebSocket (socket.io) for real-time collaboration and synchronization
ChainPad for operational transformation and conflict resolution
CKEditor for rich text editing
OnlyOffice integration for advanced document formats

Key Components:

Document Server: Manages document storage, retrieval, and real-time synchronization
Encryption Layer: Client-side encryption using NaCl (libsodium) for zero-knowledge security
Collaboration Engine: Real-time operational transformation for simultaneous editing
Authentication System: User accounts with password-based and public key authentication
Storage Manager: Manages encrypted blobs, documents, and user data on disk
WebSocket Server: Handles real-time communication between collaborators
Application Suite: Rich text, spreadsheets, presentations, code, kanban, whiteboard, polls, forms
Access Control: Document ownership, sharing, and permission management
Admin Panel: Instance management, user administration, and configuration
OnlyOffice Integration: Enhanced document, spreadsheet, and presentation editing

Features:

End-to-end encryption for all documents and data
Real-time collaborative editing with operational transformation
Rich text editor with formatting, tables, images, and embedded media
Spreadsheet editor with formulas, charts, and cell formatting
Presentation editor with slides, layouts, and animations
Code editor with syntax highlighting and collaborative coding
Kanban board for task and project management
Whiteboard for brainstorming and visual collaboration
Forms and polls for data collection
Secure file storage and sharing
Password-protected documents
Expiring links for temporary document access
Document history and version control
Team drives for shared workspaces
Two-factor authentication support
Custom branding and theming
Registration control and user management
Storage quotas and admin controls

Installation and Setup

Step 1: Create Your Project Directory

Start by creating a new directory for your CryptPad deployment project and initialize a Git repository:

mkdir cryptpad-klutch
cd cryptpad-klutch
git init

This directory will contain your Dockerfile, configuration files, and customization scripts for your collaborative office suite.

Step 2: Create the Dockerfile

Create a Dockerfile in your project root directory. Klutch.sh will automatically detect this file and use it to build your container. Here’s a production-ready Dockerfile for CryptPad:

FROM node:20-bookworm-slim

# Set environment variables
ENV CRYPTPAD_VERSION=5.7.0 \
    CRYPTPAD_HOME=/cryptpad \
    DEBIAN_FRONTEND=noninteractive

# Install system dependencies
RUN apt-get update && apt-get install -y \
    git \
    curl \
    gnupg \
    ca-certificates \
    fonts-liberation \
    libasound2 \
    libatk-bridge2.0-0 \
    libatk1.0-0 \
    libcups2 \
    libdbus-1-3 \
    libgdk-pixbuf2.0-0 \
    libgtk-3-0 \
    libnspr4 \
    libnss3 \
    libx11-xcb1 \
    libxcomposite1 \
    libxdamage1 \
    libxrandr2 \
    xdg-utils \
    && rm -rf /var/lib/apt/lists/*

# Create cryptpad user
RUN useradd -m -d /cryptpad -s /bin/bash cryptpad

# Clone CryptPad repository
WORKDIR /cryptpad
RUN git clone --branch ${CRYPTPAD_VERSION} --depth 1 https://github.com/cryptpad/cryptpad.git . \
    && chown -R cryptpad:cryptpad /cryptpad

# Switch to cryptpad user
USER cryptpad

# Install dependencies
RUN npm install --omit=dev --ignore-scripts

# Copy configuration files
COPY --chown=cryptpad:cryptpad config/config.js /cryptpad/config/config.js
COPY --chown=cryptpad:cryptpad customize/ /cryptpad/customize/

# Create necessary directories
RUN mkdir -p /cryptpad/data \
    /cryptpad/datastore \
    /cryptpad/block \
    /cryptpad/blob \
    /cryptpad/blobstage

# Expose CryptPad port
EXPOSE 3000

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=90s --retries=3 \
  CMD curl -f http://localhost:3000/api/config || exit 1

# Start CryptPad
CMD ["node", "server.js"]

Key Features of This Dockerfile:

Based on Node.js 20 on Debian Bookworm for stability
Installs system dependencies required for document rendering
Creates dedicated cryptpad user for security
Clones CryptPad from official GitHub repository
Installs Node.js dependencies
Creates directories for encrypted data storage
Exposes port 3000 for web interface
Includes health check for monitoring
Runs as non-root user

Step 3: Create Configuration File

Create a config/config.js file for CryptPad settings:

/*
 * CryptPad Configuration File
 *
 * This file configures your CryptPad instance
 */

module.exports = {
    // HTTP server configuration
    httpUnsafeOrigin: process.env.CRYPTPAD_HTTP_UNSAFE_ORIGIN || 'http://localhost:3000',
    httpSafeOrigin: process.env.CRYPTPAD_HTTP_SAFE_ORIGIN || 'http://localhost:3001',

    // HTTP server address and port
    httpAddress: process.env.CRYPTPAD_HTTP_ADDRESS || '0.0.0.0',
    httpPort: parseInt(process.env.CRYPTPAD_HTTP_PORT || '3000'),

    // WebSocket server configuration
    websocketPort: parseInt(process.env.CRYPTPAD_WS_PORT || '3000'),

    // Admin account (set password via environment variable)
    adminKeys: process.env.CRYPTPAD_ADMIN_KEYS ?
        JSON.parse(process.env.CRYPTPAD_ADMIN_KEYS) : [],

    // Data storage paths
    filePath: './datastore/',
    archivePath: './data/archive',
    pinPath: './data/pins',
    taskPath: './data/tasks',
    blockPath: './block',
    blobPath: './blob',
    blobStagingPath: './blobstage',
    decreePath: './data/decrees',
    logPath: './data/logs',

    // Database backend
    channelExpirationMs: 30000,

    // Account management
    inactiveTime: 90, // days before accounts are considered inactive
    archiveRetentionTime: 15, // days to retain deleted documents
    accountRetentionTime: 365, // days to retain inactive accounts

    // Storage limits (in MB)
    maxUploadSize: parseInt(process.env.CRYPTPAD_MAX_UPLOAD_SIZE || '20'),
    premiumUploadSize: parseInt(process.env.CRYPTPAD_PREMIUM_UPLOAD_SIZE || '100'),

    // Default storage quota per user (in MB)
    defaultStorageLimit: parseInt(process.env.CRYPTPAD_DEFAULT_STORAGE_LIMIT || '50'),

    // Registration
    restrictRegistration: process.env.CRYPTPAD_RESTRICT_REGISTRATION === 'true',

    // Allow subscriptions
    allowSubscriptions: process.env.CRYPTPAD_ALLOW_SUBSCRIPTIONS === 'true',

    // Contact and support
    adminEmail: process.env.CRYPTPAD_ADMIN_EMAIL || 'admin@example.com',
    supportMailbox: process.env.CRYPTPAD_SUPPORT_MAILBOX || '',

    // Privacy and terms
    privacyURL: process.env.CRYPTPAD_PRIVACY_URL || '',
    termsURL: process.env.CRYPTPAD_TERMS_URL || '',

    // Logging
    logLevel: process.env.CRYPTPAD_LOG_LEVEL || 'info',
    logToStdout: true,
    logFeedback: false,

    // Disable telemetry
    blockDailyCheck: true,

    // Performance tuning
    disableIntegratedEviction: false,
    disableIntegratedTasks: false,

    // Enable OnlyOffice integration
    enableEmbedding: true,

    // Sandbox domains (for enhanced security)
    httpSafePort: parseInt(process.env.CRYPTPAD_HTTP_SAFE_PORT || '3001'),

    // File upload settings
    fileSizeLimit: parseInt(process.env.CRYPTPAD_FILE_SIZE_LIMIT || '5'),

    // Instance information
    instanceName: process.env.CRYPTPAD_INSTANCE_NAME || 'CryptPad',
    instanceDescription: process.env.CRYPTPAD_INSTANCE_DESC || 'Zero Knowledge Cloud',

    // Support configuration
    removeDonateButton: process.env.CRYPTPAD_REMOVE_DONATE === 'true',

    // Maintenance mode
    maintenanceMode: process.env.CRYPTPAD_MAINTENANCE === 'true',
};

Step 4: Create Customization Directory

Create a customize/ directory for branding and custom content:

mkdir -p customize/pages
mkdir -p customize/translations
mkdir -p customize/images

Create customize/application_config.js for client-side configuration:

// Custom application configuration
define(function() {
    var AppConfig = {};

    // Instance branding
    AppConfig.name = 'CryptPad';
    AppConfig.logo = '/customize/images/logo.png';

    // Default language
    AppConfig.defaultLanguage = 'en';

    // Available applications
    AppConfig.availablePadTypes = [
        'drive',
        'pad',
        'sheet',
        'code',
        'slide',
        'poll',
        'kanban',
        'whiteboard',
        'file',
        'todo',
        'contacts'
    ];

    // Registration and authentication
    AppConfig.disableAnonymousPadCreation = false;
    AppConfig.registeredOnlyTypes = [];

    // File upload
    AppConfig.maxUploadSize = 20 * 1024 * 1024; // 20MB

    // Collaboration
    AppConfig.enableSnapshots = true;
    AppConfig.maxUsersPerPad = 50;

    // Privacy settings
    AppConfig.privacy = {
        hide: false
    };

    return AppConfig;
});

Step 5: Create Initialization Script

Create an init-cryptpad.sh script for first-time setup:

#!/bin/bash

# init-cryptpad.sh - Initialize CryptPad instance

set -e

echo "Initializing CryptPad..."

# Create necessary directories if they don't exist
mkdir -p /cryptpad/data/archive
mkdir -p /cryptpad/data/pins
mkdir -p /cryptpad/data/tasks
mkdir -p /cryptpad/data/decrees
mkdir -p /cryptpad/data/logs
mkdir -p /cryptpad/datastore
mkdir -p /cryptpad/block
mkdir -p /cryptpad/blob
mkdir -p /cryptpad/blobstage

# Set proper permissions
chmod -R 755 /cryptpad/data
chmod -R 755 /cryptpad/datastore
chmod -R 755 /cryptpad/block
chmod -R 755 /cryptpad/blob
chmod -R 755 /cryptpad/blobstage

echo "CryptPad initialization complete"

Step 6: Test Locally with Docker (Optional)

Before deploying to Klutch.sh, you can test your CryptPad setup locally:

# Build the Docker image
docker build -t my-cryptpad .

# Create volumes for persistent data
docker volume create cryptpad-data
docker volume create cryptpad-datastore
docker volume create cryptpad-blob

# Run the container
docker run -d \
  --name cryptpad \
  -p 3000:3000 \
  -e CRYPTPAD_HTTP_UNSAFE_ORIGIN=http://localhost:3000 \
  -e CRYPTPAD_ADMIN_EMAIL=admin@example.com \
  -e CRYPTPAD_INSTANCE_NAME="My CryptPad" \
  -v cryptpad-data:/cryptpad/data \
  -v cryptpad-datastore:/cryptpad/datastore \
  -v cryptpad-blob:/cryptpad/blob \
  my-cryptpad

# Check logs
docker logs -f cryptpad

# Access CryptPad at http://localhost:3000

When you’re done testing:

# Stop and remove containers
docker stop cryptpad
docker rm cryptpad
docker volume rm cryptpad-data cryptpad-datastore cryptpad-blob

Step 7: Prepare Your Repository for Deployment

Commit your configuration files to your GitHub repository:

git add Dockerfile config/ customize/ init-cryptpad.sh
git commit -m "Add CryptPad Docker configuration and customization"
git remote add origin https://github.com/yourusername/cryptpad-klutch.git
git branch -M main
git push -u origin main

Environment Variables Configuration

CryptPad requires several environment variables for proper configuration. These should be configured in the Klutch.sh dashboard under your app’s environment variables section.

Essential Environment Variables

Server Configuration:

CRYPTPAD_HTTP_UNSAFE_ORIGIN=https://example-app.klutch.sh
CRYPTPAD_HTTP_SAFE_ORIGIN=https://sandbox-example-app.klutch.sh
CRYPTPAD_HTTP_ADDRESS=0.0.0.0
CRYPTPAD_HTTP_PORT=3000
CRYPTPAD_WS_PORT=3000

Instance Configuration:

CRYPTPAD_INSTANCE_NAME=My CryptPad Instance
CRYPTPAD_INSTANCE_DESC=Privacy-focused collaborative office suite
CRYPTPAD_ADMIN_EMAIL=admin@example.com

Admin Account:

CRYPTPAD_ADMIN_KEYS=["[user@domain.com/public-signing-key-XXXXXXXXX]"]

Storage Configuration:

CRYPTPAD_DEFAULT_STORAGE_LIMIT=50
CRYPTPAD_MAX_UPLOAD_SIZE=20
CRYPTPAD_PREMIUM_UPLOAD_SIZE=100
CRYPTPAD_FILE_SIZE_LIMIT=5

Optional Environment Variables

Registration Control:

CRYPTPAD_RESTRICT_REGISTRATION=false
CRYPTPAD_ALLOW_SUBSCRIPTIONS=false

Privacy and Legal:

CRYPTPAD_PRIVACY_URL=https://example.com/privacy
CRYPTPAD_TERMS_URL=https://example.com/terms
CRYPTPAD_SUPPORT_MAILBOX=support@example.com

Customization:

CRYPTPAD_REMOVE_DONATE=false

Maintenance:

CRYPTPAD_MAINTENANCE=false

Logging:

CRYPTPAD_LOG_LEVEL=info

Important Security Notes:

The CRYPTPAD_HTTP_UNSAFE_ORIGIN and CRYPTPAD_HTTP_SAFE_ORIGIN must match your actual domains
Admin keys are generated when you register as admin in CryptPad
Never commit sensitive configuration to your Git repository
Use Klutch.sh’s environment variable management for all configuration
Consider restricting registration for private instances
Enable HTTPS for production deployments (Klutch.sh provides this)

Persistent Storage Configuration

CryptPad stores encrypted documents, user data, and application state that must persist across container restarts and deployments. You need to configure persistent volumes for critical directories.

Critical Directories for Persistence

Data Directory (/cryptpad/data) - User accounts, pins, tasks, and metadata
Datastore Directory (/cryptpad/datastore) - Encrypted document content and channel data
Block Directory (/cryptpad/block) - User encrypted login blocks
Blob Directory (/cryptpad/blob) - Uploaded files and media
Blob Staging (/cryptpad/blobstage) - Temporary upload staging area

Recommended Volume Configuration

When creating your CryptPad app on Klutch.sh, attach persistent volumes with the following mount paths:

Primary Data Volume:

Mount Path: /cryptpad/data
Size: 10GB minimum (grows with users and metadata)
Purpose: Store user accounts, permissions, and application metadata

Datastore Volume:

Mount Path: /cryptpad/datastore
Size: 50GB minimum (adjust based on expected document volume)
Purpose: Store encrypted document content and collaboration data

Block Volume:

Mount Path: /cryptpad/block
Size: 5GB (for user authentication blocks)
Purpose: Store encrypted user login credentials

Blob Volume:

Mount Path: /cryptpad/blob
Size: 30GB minimum (adjust based on file uploads)
Purpose: Store uploaded files, images, and media

Volume Size Recommendations

Personal Use (1-10 users): 10GB data, 50GB datastore, 5GB block, 30GB blob
Small Team (10-50 users): 20GB data, 100GB datastore, 10GB block, 50GB blob
Organization (50-200 users): 50GB data, 200GB datastore, 20GB block, 100GB blob
Large Organization (200+ users): 100GB+ data, 500GB+ datastore, 50GB block, 200GB+ blob

Storage requirements vary significantly based on document creation rate, file uploads, and data retention policies. Monitor usage and expand as needed.

Deploying to Klutch.sh

Now that your CryptPad project is ready and pushed to GitHub, follow these steps to deploy it on Klutch.sh with persistent storage and proper configuration.

Deployment Steps

Log in to Klutch.sh

Navigate to klutch.sh/app and sign in to your account.
Create a New Project

From your dashboard, create a new project. Give it a meaningful name like “Collaborative Office Suite” to organize your deployments.
Create a New App

Within your project, create a new app for your CryptPad instance.
Select Your Repository
- Choose GitHub as your Git source
- Select the repository containing your CryptPad Dockerfile
- Choose the branch you want to deploy (typically main or master)
Configure Traffic Type
- Traffic Type: Select HTTP (CryptPad serves a web interface)
- Internal Port: Set to 3000 (CryptPad’s default HTTP port)
Set Environment Variables

In the environment variables section, add all the CryptPad configuration variables listed in the “Environment Variables Configuration” section above. Ensure sensitive values are marked as secrets.

Critical Variables (minimum required):
- CRYPTPAD_HTTP_UNSAFE_ORIGIN - Set to https://example-app.klutch.sh
- CRYPTPAD_HTTP_ADDRESS - Set to 0.0.0.0
- CRYPTPAD_HTTP_PORT - Set to 3000
- CRYPTPAD_ADMIN_EMAIL - Your admin email address
- CRYPTPAD_INSTANCE_NAME - Your instance name
Attach Persistent Volumes

This is critical for preserving your documents and user data. Add volumes for:

Data Volume:
- Mount Path: /cryptpad/data
- Size: 10GB (or larger based on your needs)
Datastore Volume:
- Mount Path: /cryptpad/datastore
- Size: 50GB (or larger for extensive document creation)
Block Volume:
- Mount Path: /cryptpad/block
- Size: 5GB
Blob Volume:
- Mount Path: /cryptpad/blob
- Size: 30GB (or larger for file uploads)
Configure Compute Resources

Select appropriate compute resources based on your usage:
- Personal/Testing: 1 CPU, 2GB RAM (for small-scale testing)
- Small Team: 2 CPU, 4GB RAM (for 10-50 users)
- Organization: 4 CPU, 8GB RAM (for 50-200 users)
- Large Organization: 8+ CPU, 16GB+ RAM (for 200+ users with heavy usage)
Deploy Your Application

Click “Create” to start the deployment. Klutch.sh will:
- Automatically detect your Dockerfile in the repository root
- Build the Docker image with your configuration
- Attach the persistent volumes you specified
- Deploy the container with your environment variables
- Assign a URL for accessing your CryptPad instance
Access Your CryptPad Instance

Once deployment is complete, you’ll receive a URL like example-app.klutch.sh. Navigate to this URL in your browser to access your CryptPad interface.
Complete Initial Setup

On first access:
- Create your admin account
- Register with the email you specified in CRYPTPAD_ADMIN_EMAIL
- Copy your admin public key from Account Settings
- Add the admin key to CRYPTPAD_ADMIN_KEYS environment variable
- Redeploy to activate admin privileges

Getting Started with CryptPad

After deployment, follow these steps to start using your collaborative office suite.

Initial Setup and Configuration

Access Your CryptPad Instance

Navigate to your Klutch.sh app URL (e.g., https://example-app.klutch.sh) to access CryptPad.
Create Your Admin Account
- Click “Register” in the top-right corner
- Enter your username and password
- Use the email address specified in CRYPTPAD_ADMIN_EMAIL
- Complete the registration process
- Verify your account via email if configured
Obtain Your Admin Key
- Log in to your new account
- Go to Settings → Account
- Copy your public signing key (looks like [username@domain/key-XXXXX])
- Add this key to the CRYPTPAD_ADMIN_KEYS environment variable in Klutch.sh
- Format: ["[username@domain/key-XXXXX]"]
- Redeploy the application to activate admin privileges
Access Admin Panel

Once admin key is configured:
- Click the Admin icon in the top menu
- Access instance statistics
- Manage user accounts and quotas
- Configure instance settings
- Monitor storage usage

Creating and Editing Documents

Create a New Document:

Click “New” in the CryptPad menu
Select document type:
- Rich Text: Formatted documents with images and tables
- Spreadsheet: Calculations, formulas, and charts
- Presentation: Slides with layouts and animations
- Code: Collaborative code editing with syntax highlighting
- Kanban: Task boards for project management
- Whiteboard: Visual brainstorming and diagrams
- Poll: Surveys and voting
- Form: Data collection forms
Start editing immediately—all changes are saved automatically
Share with collaborators using the Share button

Rich Text Document Example:

Document Title: Project Proposal

# Introduction
This document outlines our proposal for...

## Budget
| Item | Cost |
|------|------|
| Development | $10,000 |
| Marketing | $5,000 |

## Timeline
- Phase 1: Research (2 weeks)
- Phase 2: Development (4 weeks)
- Phase 3: Launch (1 week)

Spreadsheet Example:

Budget Tracking
A1: Category | B1: Planned | C1: Actual | D1: Variance
A2: Marketing | B2: 5000 | C2: 4800 | D2: =B2-C2
A3: Development | B3: 10000 | C3: 11200 | D3: =B3-C3
A4: Total | B4: =SUM(B2:B3) | C4: =SUM(C2:C3) | D4: =SUM(D2:D3)

Share a Document:

Open the document you want to share
Click the “Share” button in the toolbar
Choose sharing method:
- Edit Link: Collaborators can edit
- View Link: Read-only access
- Embed: Embed in websites
Optional: Add password protection
Optional: Set expiration date
Copy link and send to collaborators

Manage Collaborators:

Access Levels:
- Owners: Full control, can destroy document
- Editors: Can edit and invite others
- Viewers: Read-only access
- Commenters: Can add comments but not edit

Real-Time Collaboration Features:

See active collaborators with colored cursors
View real-time edits as they happen
Integrated chat for communication
Conflict-free operational transformation
Version history and restore points

Using Team Drives

Create a Team Drive:

Go to CryptDrive (your file manager)
Click “Teams” in the sidebar
Click “Create a new team”
Configure team settings:
- Team name and description
- Member permissions
- Storage quota
Invite team members by username

Team Drive Benefits:

Shared storage quota
Team-owned documents
Centralized collaboration
Access control by role
Team chat and announcements

Document Management

Organize Documents:

CryptDrive Structure:
├── Personal/
│   ├── Notes/
│   ├── Projects/
│   └── Archive/
├── Team Workspace/
│   ├── Active Projects/
│   ├── Templates/
│   └── Meeting Notes/
└── Shared with Me/

Document Properties:

Tags for categorization
Custom titles
Color coding
Favorites for quick access
Move to folders
Duplicate documents
Export to various formats

Version History:

Open any document
Click “History” in the toolbar
Navigate through previous versions
Restore to any previous state
Compare versions side by side

Advanced Features

Password-Protected Documents:

// When sharing a document
1. Click "Share"
2. Enable "Password"
3. Set password: "MySecurePassword123"
4. Recipients need password to access

Expiring Links:

// Create temporary access
1. Share document
2. Set expiration: 7 days
3. Link auto-destroys after expiration
4. Perfect for temporary collaboration

Document Templates:

Create reusable templates:

Create a document with your template content
Right-click in CryptDrive
Select “Add to templates”
Use template when creating new documents

Forms and Polls:

Create data collection forms:

Form: Customer Feedback

Questions:
1. How satisfied are you? (1-5 scale)
2. What features would you like? (text)
3. Would you recommend us? (yes/no)

Settings:
- Anonymous responses
- One response per person
- Export results to spreadsheet

API and Integration

CryptPad API Access:

While CryptPad focuses on browser-based encryption, you can interact with certain APIs:

// Example: Embedding CryptPad documents
<iframe
  src="https://example-app.klutch.sh/pad/#/2/pad/view/xxxxx"
  width="100%"
  height="600"
  frameborder="0">
</iframe>

// Read-only embed with custom styling
<iframe
  src="https://example-app.klutch.sh/pad/#/2/pad/view/xxxxx?present=true"
  style="border: none; width: 100%; height: 100vh;">
</iframe>

Automation with Webhooks:

Configure webhook notifications for document events (requires custom development):

// Example webhook payload for document creation
{
  "event": "document.created",
  "document_id": "xxxxx",
  "type": "pad",
  "created_by": "user@domain.com",
  "timestamp": "2025-12-05T10:30:00Z"
}

Production Best Practices

Security Recommendations

Account Security:

Enforce strong passwords for all users
Enable two-factor authentication when available
Regularly review user accounts and permissions
Disable anonymous pad creation for private instances
Use restrictive registration if not public

Instance Security:

Always use HTTPS (Klutch.sh provides this automatically)
Configure CRYPTPAD_HTTP_SAFE_ORIGIN for sandbox domain security
Keep CryptPad updated with latest security patches
Monitor admin panel for suspicious activity
Review shared documents and access logs

Data Protection:

Configure automated backups of persistent volumes
Test backup restoration procedures regularly
Set appropriate storage quotas to prevent abuse
Enable account expiration for inactive users
Archive old documents based on retention policies

Network Security:

Restrict admin panel access by IP if possible
Use strong admin keys and rotate periodically
Monitor failed login attempts
Configure rate limiting for API endpoints
Review CORS settings for embedded documents

Performance Optimization

Server Configuration:

// Optimize for production in config.js
module.exports = {
    // Increase WebSocket limits
    maxWorkers: 4,

    // Enable caching
    enableCache: true,
    cacheMaxAge: 3600,

    // Optimize database
    channelExpirationMs: 30000,

    // Limit concurrent connections
    maxConnections: 1000,

    // Enable compression
    enableCompression: true
};

Resource Allocation:

Allocate at least 4GB RAM for production instances
Monitor memory usage during peak hours
Use SSD storage for database and datastore
Increase CPU cores for collaborative sessions
Monitor WebSocket connection counts

Storage Optimization:

Implement document archival policies
Clean up expired documents automatically
Compress archived data
Monitor storage growth trends
Set realistic quotas per user

Client-Side Performance:

Enable browser caching for static assets
Optimize media uploads (compress images)
Limit document size for better performance
Use pagination for large datasets
Monitor client-side memory usage

Monitoring and Maintenance

Health Monitoring:

Check application health endpoint regularly
Monitor WebSocket connection stability
Track document creation and collaboration metrics
Review error logs for issues
Monitor disk usage on all volumes

Admin Panel Metrics:

Instance Statistics:
- Total Users: 150
- Active Documents: 2,450
- Storage Used: 45.2 GB / 100 GB
- Active Sessions: 23
- Documents Created Today: 15

Regular Maintenance Tasks:

Daily: Review admin panel for alerts
Daily: Check backup completion status
Weekly: Review user registration activity
Weekly: Check for CryptPad updates
Monthly: Archive old documents
Monthly: Review storage quota usage
Quarterly: Audit user accounts and permissions
Quarterly: Update dependencies and security patches

Backup Strategy:

# Automated backup script
#!/bin/bash
BACKUP_DIR="/backups/cryptpad"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# Backup data volumes
tar -czf "${BACKUP_DIR}/data-${TIMESTAMP}.tar.gz" /cryptpad/data
tar -czf "${BACKUP_DIR}/datastore-${TIMESTAMP}.tar.gz" /cryptpad/datastore
tar -czf "${BACKUP_DIR}/blob-${TIMESTAMP}.tar.gz" /cryptpad/blob
tar -czf "${BACKUP_DIR}/block-${TIMESTAMP}.tar.gz" /cryptpad/block

# Keep backups for 30 days
find "${BACKUP_DIR}" -name "*.tar.gz" -mtime +30 -delete

Scaling Considerations

Single Instance Scaling:

Vertical scaling (more CPU/RAM) sufficient for most deployments
Monitor concurrent user sessions
Optimize based on usage patterns
Plan for peak collaboration times

Storage Growth Planning:

Growth Projections:
- 10 users: ~2-5 GB/month
- 50 users: ~10-20 GB/month
- 200 users: ~50-100 GB/month

Plan expansion when reaching 80% capacity

User Quota Management:

// Set quotas based on user type
Default Users: 50 MB
Premium Users: 500 MB
Team Accounts: 5 GB
Enterprise: Custom quotas

Troubleshooting

Common Issues and Solutions

Issue: Cannot Access CryptPad Web Interface

Check: Verify container is running in Klutch.sh dashboard
Check: Confirm internal port 3000 is correctly configured
Check: Ensure HTTP traffic type is selected
Check: Review container logs for startup errors
Solution: Restart deployment if configuration changed
Solution: Verify CRYPTPAD_HTTP_ADDRESS is set to 0.0.0.0

Issue: Documents Not Loading or Saving

Check: Verify datastore volume is properly mounted
Check: Confirm sufficient storage space available
Check: Review browser console for JavaScript errors
Check: Ensure WebSocket connections are working
Solution: Check persistent volume mount paths
Solution: Clear browser cache and reload
Solution: Verify CRYPTPAD_HTTP_UNSAFE_ORIGIN matches your domain

Issue: Unable to Register New Accounts

Check: Verify CRYPTPAD_RESTRICT_REGISTRATION is set correctly
Check: Confirm registration is enabled in configuration
Check: Review logs for registration errors
Solution: Set CRYPTPAD_RESTRICT_REGISTRATION=false to allow open registration
Solution: Ensure email validation is configured if required

Issue: Admin Panel Not Accessible

Cause: Admin key not configured or incorrect
Check: Verify CRYPTPAD_ADMIN_KEYS environment variable is set
Check: Confirm admin key format is correct: ["[user@domain/key-XXXXX]"]
Solution: Copy exact key from Account Settings
Solution: Redeploy after adding admin key

Issue: Files Upload Failing

Check: Verify blob volume has sufficient space
Check: Confirm CRYPTPAD_MAX_UPLOAD_SIZE is set appropriately
Check: Review file size limits
Solution: Increase blob volume size
Solution: Adjust upload size limits in configuration
Solution: Check blobstage directory permissions

Issue: Slow Document Loading

Cause: Insufficient resources or large documents
Check: Monitor CPU and memory usage
Check: Review document size and complexity
Solution: Increase container RAM allocation
Solution: Optimize documents (reduce size, split content)
Solution: Enable caching in configuration

Issue: Persistent Data Lost After Redeployment

Cause: Persistent volumes not properly attached
Check: Verify volume mount paths match exactly: /cryptpad/data, /cryptpad/datastore, /cryptpad/block, /cryptpad/blob
Check: Confirm volumes have sufficient available space
Solution: Re-attach volumes with correct mount paths before deploying
Solution: Restore from backups if data was lost

Issue: Collaboration Not Working

Cause: WebSocket connection issues
Check: Verify WebSocket port is accessible
Check: Confirm firewall rules allow WebSocket traffic
Solution: Check CRYPTPAD_WS_PORT configuration
Solution: Test WebSocket connectivity from browser console
Solution: Verify proxy configuration if behind reverse proxy

Getting Help

If you encounter issues not covered here:

Review CryptPad official documentation
Check the CryptPad Wiki
Visit CryptPad GitHub issues
Join the CryptPad Matrix community
Contact Klutch.sh support through the dashboard

Advanced Configuration

Custom Domain Configuration

Use your own domain for better branding:

Configure custom domain in Klutch.sh (see custom domains guide)
Update DNS records to point to your Klutch.sh app

Update environment variables:

CRYPTPAD_HTTP_UNSAFE_ORIGIN=https://docs.yourdomain.com
CRYPTPAD_HTTP_SAFE_ORIGIN=https://sandbox.yourdomain.com

Configure separate sandbox subdomain for enhanced security
Redeploy the application

Custom Branding

Customize the appearance for your organization:

Update Logo and Colors:

@cp-brand-color: #0087FF;
@cp-accent-color: #FF006E;
@cp-logo: url('/customize/images/logo.png');

/* customize/src/less2/include/sidebar-layout.less */
.sidebar {
    background-color: @cp-brand-color;
}

Custom Home Page:

Create customize/pages/index.html:

<!DOCTYPE html>
<html>
<head>
    <title>Welcome to Our CryptPad</title>
</head>
<body>
    <h1>Welcome to Our Collaborative Platform</h1>
    <p>Secure, private, zero-knowledge collaboration for our team.</p>
    <a href="/pad/">Create a Document</a>
</body>
</html>

SMTP Email Configuration

Enable email notifications and password resets:

module.exports = {
    // ... other config

    // SMTP configuration
    smtp: {
        host: process.env.SMTP_HOST || 'smtp.gmail.com',
        port: parseInt(process.env.SMTP_PORT || '587'),
        secure: false,
        auth: {
            user: process.env.SMTP_USER,
            pass: process.env.SMTP_PASSWORD
        },
        from: process.env.SMTP_FROM || 'noreply@example.com'
    }
};

Add environment variables:

SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=notifications@yourdomain.com
SMTP_PASSWORD=app_password_here
SMTP_FROM=noreply@yourdomain.com

Advanced User Management

Implement Custom Quotas:

// Custom quota rules in config.js
module.exports = {
    // ... other config

    customLimits: {
        'user1@example.com': 1000 * 1024 * 1024, // 1GB
        'user2@example.com': 5000 * 1024 * 1024, // 5GB
        'premium-team': 10000 * 1024 * 1024 // 10GB for team
    }
};

Automated Account Management:

// Script to manage inactive accounts
const config = require('./config/config.js');
const inactiveThreshold = 90; // days

// Find accounts inactive for more than threshold
// Archive or delete based on policy
// Send notification emails before deletion

OnlyOffice Integration

For enhanced document editing capabilities:

Deploy OnlyOffice Document Server separately
Configure CryptPad to use OnlyOffice:

module.exports = {
    // ... other config

    onlyoffice: {
        enabled: true,
        url: 'https://onlyoffice.example.com',
        jwt_secret: process.env.ONLYOFFICE_JWT_SECRET
    }
};

Add environment variable:

ONLYOFFICE_JWT_SECRET=your_jwt_secret_here

Additional Resources

Conclusion

Deploying CryptPad on Klutch.sh provides a powerful, privacy-focused collaborative office suite where end-to-end encryption ensures your data remains secure. With automated Docker detection, persistent storage for encrypted documents, secure environment variable management, and reliable infrastructure, Klutch.sh makes it easy to host your own zero-knowledge collaboration platform.

By following this comprehensive guide, you’ve learned how to:

Create a production-ready Dockerfile for CryptPad with Node.js and dependencies
Configure persistent volumes for documents, user data, and file storage
Set up environment variables securely for instance configuration
Create and collaborate on documents, spreadsheets, presentations, and more
Manage users, permissions, and team drives
Share documents securely with password protection and expiration
Implement security best practices and data protection measures
Monitor performance and optimize for your user base
Troubleshoot common deployment and operational issues
Customize branding and integrate with external services

Your CryptPad instance is now ready to provide secure, private collaboration for your team or organization. As your user base grows, you can easily scale your Klutch.sh deployment by allocating additional compute resources and expanding persistent storage for documents and files. Enjoy the privacy and control that comes with self-hosting your own zero-knowledge collaborative office suite.