unsubbed.co

CryptPad

CryptPad offers end-to-end encrypted, open-source collaborative editing as a self-hosted tool, listed under DevOps & Infrastructure.

End-to-end encrypted collaborative office suite, honestly reviewed. No marketing fluff, just what you get when you self-host it.

TL;DR

  • What it is: Open-source (AGPL-3.0) collaborative office suite — think Google Docs, but everything you type is encrypted in your browser before it ever reaches the server, making it technically impossible for the host to read your content [1][3].
  • Who it’s for: Organizations handling sensitive documents — nonprofits, cooperatives, HR teams, legal, activists, and founders who want real-time collaboration without feeding their business data to Google [1][2][3].
  • Cost savings: Google Workspace Business Starter runs $6/user/month ($720/year for a 10-person team). CryptPad self-hosted runs on a $5–15/mo VPS with unlimited users [3].
  • Key strength: True zero-knowledge encryption — client-side, cryptographic, not just a privacy policy promise. No account required to collaborate via shared link [1][4].
  • Key weakness: Spreadsheet performance is genuinely bad at scale — one documented case shows a file growing to 100MB in CryptPad that exports to 2MB in Excel — and loading times are noticeably slower than Google Docs [4][3].

What is CryptPad

CryptPad is a collaborative office suite that encrypts everything in your browser before it touches the server. The server stores ciphertext it cannot decrypt. Not “encrypted in transit” — actually encrypted at rest, by you, with keys the server never sees [1][3].

The project started in 2017 inside XWiki SAS, a French open-source software company that has been building collaborative tools since 2004 [3]. Privacy by design is the architecture, not a feature bolted on later. The README states plainly: “if the administrators do not modify the code, they and the service also cannot access any information about the users’ content” [README].

The full suite runs in the browser:

  • Rich text editor (Google Docs equivalent)
  • Spreadsheets
  • Presentations (Google Slides equivalent)
  • Forms and surveys (Google Forms equivalent)
  • Kanban boards
  • Code editor with syntax highlighting
  • Whiteboard
  • CryptDrive — encrypted file and folder storage [README][3]

All of it is real-time collaborative. All of it is E2E encrypted. All of it is available without creating an account [1][4]. That last point matters more than it sounds: you can share an edit link with a collaborator who has no signup, no email address on file, no Google account. They open the link and start editing, and the document remains encrypted end-to-end throughout [1][4].

The repository sits at 7,439 GitHub stars. The project is actively maintained on a three-month release cycle [README][1].


Why people choose it

The reviews and testimonials converge on a single theme: people who choose CryptPad are specifically not willing to trust a third-party service with sensitive content, and they need real-time collaboration anyway [1][2][3].

Privacy Guides [1] frames the comparison with Google directly: Google’s own Privacy Policy states it collects “the content you create, upload, or receive from others when using our services,” including docs and spreadsheets. CryptPad’s counter-argument is not a privacy policy promise — it’s a technical impossibility. The encryption is client-side; the server holds keys to nothing [1].

The testimonials page [2] shows the breadth of who has landed here: a school in Bremen, a Heidelberg university linguistics student group, a human rights sector organization, a feminist movement, a photography business, a local charity. The common thread is organizations handling information they would rather not hand to a major cloud provider [2].

The Blue Fox Consultant review [3] positions it as the answer to a specific combination of requirements: real-time collaboration, data sovereignty, and no per-seat SaaS fees. That combination is not available from Google or Microsoft.

Versus Google Workspace. This is the primary comparison. Google is faster, more polished, and has a larger app ecosystem. CryptPad is meaningfully more private and costs dramatically less at scale. Privacy Guides [1] argues that Google’s advantages are largely habit: once you migrate, CryptPad covers the same core collaboration use cases. The community discussion [4] is more honest about the rough edges — slower loading, weaker mobile, design that some find clunky.

Versus Proton Docs. The Privacy Guides community [4] surfaces the obvious question: why CryptPad over Proton Docs? Two answers. First, CryptPad lets you share an edit link with someone who has no account; Proton Docs does not. Second, Proton’s suite hadn’t shipped spreadsheets or presentations yet as of early 2025 [4]. As one commenter put it: “I think it will take a while before Proton implements a spreadsheet and other office suite applications some people need right now” [4].


Features

Document applications:

  • Rich text editor — collaborative word processing [README][3]
  • Spreadsheets — real-time collaboration, with known performance limits on large files [README][4]
  • Presentations — slide decks, collaborative [README][3]
  • Forms — survey and form builder [README][3]
  • Kanban — lightweight project board [README][3]
  • Code editor — syntax highlighted, collaborative [README]
  • Whiteboard — collaborative drawing canvas [README]
  • CryptDrive — encrypted file storage with folder organization and team drives [README][3]

Collaboration features:

  • Real-time multi-user editing across all applications [1][3]
  • Share-by-link without requiring the recipient to have an account [1][4]
  • Owner, edit, and view-only permission levels [1]
  • No email required to create an account [1][4]

Privacy/security architecture:

  • End-to-end encryption executed client-side — server never holds decryption keys [1][3]
  • User registration based on cryptographic key derivation from username and password — server never sees credentials [README]
  • Zero-knowledge design: admin cannot read content on their own instance unless they modify the code [README][3]
  • Flagship instance hosted in France under GDPR [1]
  • Tor Browser compatibility recommended for users who also need to hide access patterns [README]
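
The client-side model in the list above, as an added sketch that is not CryptPad's own code: scrypt and AES-256-GCM from Node's `crypto` module stand in for whatever primitives CryptPad uses, and `deriveLoginKeys`, `blockId` and the in-memory `serverStore` are hypothetical names. It shows what a server would hold when keys are derived from username and password in the client, and what happens with a wrong password.

```javascript
// Added illustration, not CryptPad source. scrypt + AES-256-GCM are stand-ins.
const nodeCrypto = require('node:crypto');

// Client side: stretch username + password into 64 bytes. The first half is
// the encryption key; the second half is hashed into a lookup id, the only
// login-derived value the server ever receives (hypothetical scheme).
function deriveLoginKeys(username, password) {
  const master = nodeCrypto.scryptSync(password, 'example-login:' + username, 64, { N: 16384, r: 8, p: 1 });
  const blockId = nodeCrypto.createHash('sha256').update(master.subarray(32)).digest('hex');
  return { encKey: master.subarray(0, 32), blockId };
}

// Client side: encrypt before upload. The record holds no key material.
function encryptDoc(encKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Client side: decrypt after download. Throws if the key is wrong or the
// stored bytes were modified, because the GCM tag no longer verifies.
function decryptDoc(encKey, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', encKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Server side: an opaque store keyed by blockId. This is everything an
// operator running unmodified code could inspect.
const serverStore = new Map();

function demo() {
  const note = 'Q3 salary review: constructed sample text';
  const laptop = deriveLoginKeys('alice', 'correct horse battery staple');
  serverStore.set(laptop.blockId, encryptDoc(laptop.encKey, note));

  // A second device re-derives the same keys from the same credentials.
  const phone = deriveLoginKeys('alice', 'correct horse battery staple');
  const recovered = decryptDoc(phone.encKey, serverStore.get(phone.blockId));

  // A wrong password maps to a different id and a key that cannot decrypt.
  const wrong = deriveLoginKeys('alice', 'correct horse battery stapel');
  let wrongKeyRejected = false;
  try { decryptDoc(wrong.encKey, serverStore.get(laptop.blockId)); }
  catch (e) { wrongKeyRejected = true; }
  return { recovered, note, wrongKeyRejected, sameId: wrong.blockId === laptop.blockId };
}
```

The guarantee holds only for the code the browser actually runs, which is the README's "if the administrators do not modify the code" condition.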

Self-hosting:

  • Official Docker and Docker Compose support since v5.4.0 (July 2023) [README]
  • AMD64 and ARM64 official images on Docker Hub [README]
  • Admin installation guide and developer guide in official documentation [README]
  • Three-month release cycle [README][1]

Pricing: SaaS vs self-hosted math

CryptPad Cloud (cryptpad.fr):

Our website scrape returned limited data. Specific current pricing tiers for the flagship instance aren’t confirmed from our sources — check https://cryptpad.fr/accounts/ directly for current plans.

Self-hosted:

  • Software license: $0 (AGPL-3.0)
  • VPS: $5–15/month on Hetzner, Contabo, or DigitalOcean
  • Users: unlimited, no per-seat fees
  • Storage: your disk, your limit

Google Workspace for comparison:

  • Business Starter: $6/user/month — $720/year for a 10-person team
  • Business Standard: $12/user/month — $1,440/year for 10 people
  • These fees scale forever as headcount grows

Self-hosted CryptPad at 10 people:

  • $8/month VPS: $96/year
  • Rough annual savings vs Google Business Starter: ~$624/year [3]

Blue Fox [3] summarizes the cost structure clearly: for organizations prioritizing data sovereignty, CryptPad’s hosting cost “is often more predictable than per-user licences.” The math improves with every additional seat.


Deployment reality check

CryptPad’s production setup is more involved than most single-service Docker containers. The admin guide describes a configuration that requires:

  • Node.js (runs the CryptPad application server)
  • Nginx or another reverse proxy with specific headers and routing configuration
  • A domain with valid SSL/TLS certificates
  • Docker and Docker Compose for the containerized path [README][3]

The official Docker images are relatively new — they’ve only been officially maintained since v5.4.0 in July 2023. Before that, Docker images were community-maintained in a separate repository [README]. If you’re following older deployment tutorials, verify they reference the current official setup.

What can go sideways:

The spreadsheet bloat issue is the most operationally significant limitation. One Privacy Guides community member [4] documented a spreadsheet that grew to 100MB in CryptPad but exported to 2MB in Excel. This is an artifact of how CRDT-based sync interacts with the encryption layer. For light spreadsheet work — meeting notes, simple trackers — it’s manageable. For serious data work, it’s a hard limit [4].

Loading times are slower than Google Docs. The client-side decryption step adds latency users will notice in daily use. One reviewer describes the design as feeling “a bit clunky” and loading times as “rather slow” [4]. This isn’t a showstopper, but it’s a daily-use friction point that doesn’t exist with Google.

Mobile experience is consistently flagged as weak across sources. Blue Fox [3] notes it’s a “slightly less comfortable mobile experience,” and a Privacy Guides community member calls it “quite bad” — though adds that most competitors including Google are bad on mobile too [4].

The README also notes that IP logging at the server level cannot be cryptographically prevented — only policy-prevented [README]. If that matters for your threat model, Tor Browser is the recommended access method.

Realistic time estimates:

  • Technical user with Docker and Linux experience: 2–4 hours to a working HTTPS instance
  • Non-technical user: not realistic without a guide or a technical person to assist — the admin installation guide is thorough but assumes Linux server familiarity

Pros and Cons

Pros

  • Genuine zero-knowledge encryption. Not a privacy policy promise: the server never holds the decryption keys, so an operator running unmodified code cannot read content [README][1][3]. This is the single strongest differentiator from every other collaborative office suite.
  • No account required to collaborate. Share a link, collaborator edits in browser. No signup, no email, no Google account needed [1][4]. Real capability gap vs Proton Docs, Notion, and most alternatives.
  • Complete office suite. Text, spreadsheets, presentations, forms, kanban, whiteboard, code — one tool, all encrypted [README][3].
  • AGPL-3.0 open source. The privacy claims can be audited. Code is publicly inspectable, has been for 10+ years [1].
  • No per-seat pricing when self-hosted. One fixed hosting cost scales to any team size [3].
  • Trusted in high-stakes environments. Human rights organizations, activist groups, legal teams, and academic institutions use it for sensitive work [2]. That’s a meaningful real-world trust signal.
  • European data sovereignty option. Flagship instance in France under GDPR. Self-hosters control their own jurisdiction [1][3].
  • Active maintenance. Three-month release cycle, maintained by XWiki SAS with community contributions since 2017 [README][1].

Cons

  • Spreadsheet performance is a real problem. The 100MB-file-that-exports-to-2MB issue [4] is a documented production experience, not a hypothetical. Heavy spreadsheet users will hit this.
  • Noticeably slower than Google Docs. Client-side decryption adds perceptible latency. Daily use friction is real [4][3].
  • Mobile experience is weak. Consistently flagged across all sources as a rough point [3][4].
  • Design polish lags behind Google. Some reviewers describe it as clunky [4]. Functional, but not the cleanest UI.
  • No macros, no advanced formatting. Not a replacement for power users who depend on complex Excel functions, VBA macros, or advanced Word layouts [3].
  • Import/export fidelity is imperfect. .docx and .xlsx round-trips lose formatting [3]. Constant shuttling between CryptPad and Microsoft Office will frustrate.
  • AGPL license has commercial implications. More restrictive than MIT — derivative works distributed externally must be open-sourced. Relevant if you’re embedding CryptPad in a product.
  • Production setup requires Linux fluency. Not a one-click deploy [README]. Non-technical teams need help.
  • Browser-only. No desktop client, no offline editing.

Who should use this / who shouldn’t

Use CryptPad if:

  • You handle genuinely sensitive documents — HR records, legal work, financial strategy, client confidential data — and can’t accept that server operators can read them.
  • You collaborate with external parties who can’t be expected to create accounts.
  • You’re running a nonprofit, cooperative, activist organization, or academic group where trusting commercial cloud is a non-starter.
  • You can deploy Docker on Linux, or pay someone once to do it for you.
  • Your primary document work is text, drafts, forms, light kanban, or light spreadsheets.
  • You want to stop paying per-seat SaaS fees as the team grows.

Skip it (heavy spreadsheet users) if:

  • Your team relies on large, complex spreadsheets. The file bloat problem [4] is real and ongoing.

Skip it (mobile-first teams) if:

  • Significant work happens on phones or tablets. The mobile experience isn’t there [3][4].

Skip it (stay on Google) if:

  • Loading speed is a daily-use requirement and you can accept Google’s data practices.
  • Your compliance team won’t approve self-hosted infrastructure and you need a managed solution with enterprise SLAs.

Skip it (use Nextcloud + ONLYOFFICE instead) if:

  • You want a broader self-hosted platform — file server, calendar, contacts, office suite — and you’re willing to accept that zero-knowledge encryption isn’t part of the package. Nextcloud covers more ground at the cost of the privacy guarantees CryptPad provides.

Alternatives worth considering

  • Google Workspace — the incumbent. Fastest, most polished, largest ecosystem. The data privacy situation is exactly what CryptPad is built to solve.
  • Microsoft 365 — same trade-off. Familiar, widely used, no meaningful data sovereignty.
  • Proton Docs — end-to-end encrypted from a company with a strong privacy track record. Requires accounts for collaboration, no spreadsheets or presentations yet as of early 2025 [4]. The suite is actively expanding.
  • Nextcloud with Collabora or ONLYOFFICE — broader self-hosted platform, better Microsoft format compatibility, better mobile. The server admin can technically decrypt your data — not zero-knowledge [3].
  • OnlyOffice (self-hosted) — excellent .docx/.xlsx compatibility, strong collaborative editing. No E2E encryption [3].
  • Etherpad — minimal open-source collaborative text editor. Fast, simple, no encryption, no office suite.
  • Standard Notes — zero-knowledge encrypted notes, strong reputation. Not a full document suite, not designed for real-time team collaboration.

For a founder or small team specifically needing privacy-first real-time collaboration, the realistic shortlist is CryptPad vs Proton Docs. CryptPad wins today on suite breadth and account-free collaboration. Proton wins on UI polish. Check Proton’s roadmap before deciding — the gap is closing.


Bottom line

CryptPad solves a specific problem that no other collaborative suite solves at this maturity level: it makes server-side access to your documents technically impossible, not just contractually discouraged. For organizations where that distinction matters — legal, HR, activism, health, financial — it’s the most defensible open-source choice available. The trade-offs are honest and worth knowing: slower than Google Docs, mobile experience that genuinely lags, spreadsheet performance with a documented ceiling, and a production setup that assumes Linux familiarity. If your work is primarily text documents, forms, and collaboration with external parties who can’t be asked to create accounts, CryptPad earns the self-hosting investment. If heavy spreadsheet work or polished mobile is non-negotiable, either complement it or look elsewhere.

If the production setup is the blocker, that’s exactly what unsubbed.co’s parent studio upready.dev deploys for clients. One-time fee, done, you own the infrastructure.


Sources

  1. Privacy Guides, “CryptPad Review: Replacing Google Docs” (Feb 7, 2025). https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/
  2. CryptPad.org, “Testimonials”. https://cryptpad.org/testimonials/
  3. Blue Fox Consultant, “CryptPad self-hosted: a collaborative suite for privacy and data sovereignty”. https://www.bluefoxconsultant.com/en/blog/blue-fox-articles-2/cryptpad-self-hosted-a-collaborative-suite-for-privacy-and-data-sovereignty-223
  4. Privacy Guides Community, “CryptPad Review: Replacing Google Docs” discussion thread (Feb 8, 2025). https://discuss.privacyguides.net/t/cryptpad-review-replacing-google-docs/24772

Primary sources: