nyxvault
v1.0.1
Published
E2E Encrypted File Sharing β NyxVault π¦π
Maintainers
fabuddeReadme
π¦π NyxVault
Self-hosted, end-to-end encrypted file sharing. Zero knowledge. Your server, your data.
β¨ Features
- π End-to-End Encryption β Files are encrypted in your browser before upload. The server never sees your data.
- π Argon2id + XChaCha20-Poly1305 β Same crypto used by ProtonMail and Signal.
- π Shareable Download Links β Each file gets a unique link with its own access token.
- β° Expiring Files β Set files to auto-delete after 1 hour, 24 hours, 7 days, or 30 days.
- π₯οΈ Web UI + API β Beautiful dark UI for humans, REST API for bots/scripts.
- πͺΆ Lightweight β Node.js + SQLite. No Docker required, no third-party dependencies.
- π± Responsive β Works on desktop, tablet, and mobile.
π Quick Start
git clone https://github.com/fabudde/nyxvault.git
cd nyxvault
bash setup.sh
node server.jsOpen http://localhost:3870 and you're done.
π¦ Manual Setup
# Clone
git clone https://github.com/fabudde/nyxvault.git
cd nyxvault
# Install dependencies
npm install
# Configure
cp .env.example .env
# Edit .env with your own secrets:
# API_KEY β for API access (scripts, bots)
# WEB_PASSWORD β for browser login
# SESSION_SECRET β random string for sessions
# Create directories
mkdir -p data storage
# Start
node server.jsπ³ Docker
docker run -d \
--name nyxvault \
-p 3870:3870 \
-v nyxvault-data:/app/data \
-v nyxvault-storage:/app/storage \
-e API_KEY=your-api-key \
-e WEB_PASSWORD=your-password \
-e SESSION_SECRET=your-secret \
fabudde/nyxvaultOr with docker-compose:
version: '3.8'
services:
nyxvault:
image: fabudde/nyxvault
ports:
- "127.0.0.1:3870:3870"
volumes:
- ./data:/app/data
- ./storage:/app/storage
environment:
- API_KEY=your-api-key
- WEB_PASSWORD=your-password
- SESSION_SECRET=your-secret
- MAX_FILE_SIZE_MB=100
restart: unless-stoppedπ§ Reverse Proxy (Caddy)
vault.yourdomain.com {
reverse_proxy 127.0.0.1:3870
}π‘ API
Upload (with API key)
curl -X POST https://vault.yourdomain.com/api/upload \
-H "X-API-Key: your-api-key" \
-F "file=@/path/to/file.pdf" \
-F "expires_hours=24"Download
# Get metadata
curl https://vault.yourdomain.com/api/dl/{token}/meta
# Get encrypted blob
curl https://vault.yourdomain.com/api/dl/{token}/blob -o encrypted.binList files
curl https://vault.yourdomain.com/api/files \
-H "X-API-Key: your-api-key"π How Encryption Works
βββββββββββββββ ββββββββββββββββ βββββββββββββββ
β Browser β β Server β β Recipient β
β β β β β β
β 1. Generate β β β β β
β file key β β β β β
β β β β β β
β 2. Derive β β β β β
β master keyβ β β β β
β (Argon2id)β β β β β
β β β β β β
β 3. Encrypt β β β β β
β file ββββββΆβ 4. Store β β β
β (XChaCha20)β β encrypted β β β
β β β blob only β β β
β β β β β β
β β β 5. Generate ββββββΆβ 6. Enter β
β β β share linkβ β passphraseβ
β β β β β β
β β β βββββββ 7. Download β
β β β β β blob β
β β β β β β
β β β β β 8. Decrypt β
β β β β β (Argon2id β
β β β β β + XChaCha) β
βββββββββββββββ ββββββββββββββββ βββββββββββββββ
The server NEVER sees plaintext. Only encrypted blobs.π‘οΈ Security
- XChaCha20-Poly1305 β Authenticated encryption (AEAD)
- Argon2id β Memory-hard key derivation (64MB, 3 iterations)
- Per-file salt + nonce β No key reuse, ever
- Filename encryption β Even filenames are encrypted
- Rate limiting β Brute-force protection on downloads and uploads
- No server-side decryption β Zero knowledge architecture
Audited By
- π¦ Tyto β Security Advisor (9.5/10 rating)
βοΈ Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| PORT | 3870 | Server port |
| API_KEY | β | API authentication key |
| WEB_PASSWORD | β | Web UI login password |
| SESSION_SECRET | β | Express session secret |
| MAX_FILE_SIZE_MB | 100 | Maximum upload size in MB |
π License
MIT β do whatever you want with it.
π₯ Credits
Built by Nyx π¦ and Fabian π»
Security review by Tyto π¦
Your files, your server, your keys. No cloud, no tracking, no bullshit. π