CryptPad

End-to-end encrypted collaborative office suite, honestly reviewed. No marketing fluff, just what you get when you self-host it.

TL;DR

• What it is: Open-source (AGPL-3.0) collaborative office suite — think Google Workspace, but every document is encrypted in your browser before it ever touches the server [1][3].
• Who it’s for: Privacy-conscious founders, NGOs, cooperatives, journalists, and anyone handling sensitive documents who wants real-time collaboration without putting their content in Google’s hands [1][3].
• Cost savings: Google Workspace Business Starter runs $6/user/month (minimum). For a 10-person team that’s $720/year. CryptPad self-hosted runs on a $5–10/mo VPS for unlimited users [3].
• Key strength: True zero-knowledge architecture — the server operators literally cannot read your documents. No other mainstream collaborative suite offers this [1][3].
• Key weakness: Not a full Microsoft Office replacement. Spreadsheet handling inflates file sizes aggressively, mobile experience is mediocre, and complex Excel files with macros don’t survive import [3][4].

---

What is CryptPad

CryptPad is a collaborative office suite built around one non-negotiable principle: the server should never be able to read your documents. Every file you create — text documents, spreadsheets, presentations, kanban boards, forms, whiteboards — is encrypted client-side in your browser using keys derived from your credentials before it leaves your machine [1][3].

The project was started in 2017 by XWiki SAS, a French company that has been building open-source software since 2004. The team is small — a handful of core developers — but the project is actively maintained and sits at 7,439 GitHub stars [merged profile]. The AGPL-3.0 license means you can self-host it freely, but if you modify the code and run it as a service, you must open-source your changes [merged profile].

The flagship public instance lives at cryptpad.fr. The software itself lives at cryptpad.org. This distinction matters: when you self-host CryptPad, you become the administrator of your own zero-knowledge instance — meaning not even you can read your users’ documents if the encryption is properly implemented [1].

What separates CryptPad from OnlyOffice, Nextcloud Office, or Collabora Online isn’t the feature list — it’s the architecture. Those tools encrypt data in transit. CryptPad encrypts data at rest in a way that makes the server blind to the content. If your self-hosted instance is compromised, attackers get a database of ciphertext that’s worthless without the keys [1][3].

---

Why people choose it over Google Docs, Notion, and Nextcloud

The reviews converge on a clear picture: CryptPad wins on privacy architecture and collaboration without accounts, and loses on polish and power-user features.

Versus Google Docs. This is the primary comparison Privacy Guides makes in their February 2025 review [1], and it’s the strongest case. Google’s privacy policy explicitly states they collect the content you create, upload, or receive — documents, spreadsheets, emails. Privacy Guides notes: “We cannot trust Google with any sensitive or personal information.” CryptPad’s zero-knowledge model means that even if CryptPad’s servers were breached, the encrypted content is useless to attackers [1]. One testimonial from a broadcast television correspondent captures the real-world use case: “We love CryptPad’s ability to simply and securely collaborate on documents with sources, external vendors, and even friends and family” [2] — that “sources” framing is a journalist saying they use it for confidential source communication.

The no-account collaboration angle. Several reviewers highlight this as a key differentiator that’s underappreciated. You can share a CryptPad document link with someone who has zero CryptPad account, and they can edit in real time. Privacy Guides’ community thread [4] explicitly contrasts this with Proton Docs: “CryptPad allows to share links for collaborative editing with people who don’t have an account, which Proton Docs does not offer.” For NGOs, activist groups, and anyone collaborating with external parties who won’t create accounts, this matters more than it sounds.

Versus Microsoft 365 / Google Workspace. Blue Fox Consultant’s analysis [3] positions CryptPad specifically for teams handling sensitive data — HR, legal, client strategy — where putting documents on Google’s servers is a compliance or risk problem. The math is compelling: “the software is free; the costs mainly come from hosting and maintenance (often more predictable than per-user licences)” [3]. A 20-person organization on Google Workspace Business Standard pays $240/month. CryptPad self-hosted on a reasonable VPS costs $15–30/month with no per-user ceiling.

Versus Nextcloud with OnlyOffice. Blue Fox [3] notes this is the closest self-hosted comparison. Nextcloud gives you file storage plus office editing. CryptPad gives you less storage flexibility but meaningful zero-knowledge encryption that Nextcloud’s architecture doesn’t provide. If privacy is the reason you’re self-hosting in the first place, Nextcloud doesn’t fully solve the problem — an administrator can still read your files.

The community that uses it. The testimonials page [2] is unusually revealing. You see: schools, NGOs, activist groups, cooperatives, human rights organizations, feminist movements, climate activists. These are people for whom “your documents are safe from surveillance” isn’t a nice-to-have — it’s a requirement. That community self-selected tells you exactly what problem CryptPad solves well.

---

Features: what it actually does

Core applications (all end-to-end encrypted):

• Rich text editor (word processing equivalent) [1][3]
• Spreadsheet (OnlyOffice-based rendering, but encrypted) [3]
• Presentation slides [3]
• Forms / surveys (Google Forms equivalent) [3]
• Kanban board [1]
• Code editor with syntax highlighting [1]
• Whiteboard [1]
• CryptDrive — shared storage space for all your documents [1][3]

Collaboration features:

• Real-time multi-user editing with presence indicators [1][3]
• Link-based sharing without requiring collaborator accounts [1][4]
• Teams with shared drives and permissions [3]
• Access controls: view-only, edit, owned documents [1]
• Document destruction — you can delete a document and it’s gone from the server [1]

Privacy-specific features:

• Accounts based on username+password derived cryptographic keys — the server never sees your password [1]
• No email required for account creation [4]
• Zero-knowledge architecture: server stores only encrypted blobs [1][3]
• Public instance directory so you can pick a trustworthy operator [1]
• Tor-compatible — the team explicitly recommends Tor Browser for maximum anonymity [1]

What’s missing:

• No desktop app — browser only [3]
• No offline mode [3]
• No mobile-native app — mobile works via browser but is reported as mediocre [3][4]
• No complex macro or scripting support in spreadsheets [3]
• Import/export fidelity for complex Office documents is imperfect [3]

---

Pricing: SaaS vs self-hosted math

CryptPad.fr (their flagship SaaS instance):

• Free: 1GB storage, 5 drive items, unlimited usage without account [website scrape]
• Subscription tiers exist but specific pricing was not available in the scraped data at time of writing — check cryptpad.fr/accounts directly

Self-hosted (Community Edition):

• Software license: $0 (AGPL-3.0)
• VPS to run it: $5–15/month depending on storage needs
• Unlimited users, unlimited documents

Google Workspace for comparison:

• Business Starter: $6/user/month ($720/year for 10 users)
• Business Standard: $12/user/month ($1,440/year for 10 users)
• Business Plus: $18/user/month ($2,160/year for 10 users)

Microsoft 365 for comparison:

• Business Basic: $6/user/month (same ballpark as Google)
• Business Standard: $12.50/user/month

Concrete savings math for a 10-person team:

A cooperative or NGO with 10 people on Google Workspace Business Starter pays $720/year. Self-hosting CryptPad on a Hetzner VPS (2 vCPU, 4GB RAM, 40GB SSD) costs roughly $6–8/month — call it $90/year. That’s $630/year saved, with the added benefit that no one at Google can read your documents [3].

For a 25-person organization, Google Workspace at $6/user is $1,800/year. CryptPad self-hosted remains the same $90/year. $1,710/year saved. The VPS cost doesn’t scale with headcount.

Caveat from Blue Fox [3]: budget for maintenance. Someone needs to update the instance, handle backups, manage SSL certificates. If you outsource this, factor in a few hours of technical help per month.

---

Deployment reality check

CryptPad is one of the more complex self-hosted applications to set up correctly. The README distinguishes between development setup and production setup for good reason — production requires HTTPS, specific Node.js configuration, and several security headers to work properly [README].

What you need:

• A Linux VPS with at least 2GB RAM (4GB recommended for active teams)
• Node.js (version-specific — check the docs, they’re particular about this)
• npm
• A web server (nginx is documented; Caddy works with config)
• A domain with HTTPS — CryptPad requires HTTPS in production, the encryption model doesn’t work over plain HTTP
• Docker and docker-compose if you use the official images (AMD64 and ARM64 supported as of v5.4.0 in July 2023) [README]

What can go sideways:

• The production admin guide is thorough but long. This is not a docker run -d cryptpad situation. There are multiple configuration files, sandbox subdomain requirements for security headers, and HTTPS is non-optional [README].
• File size inflation in spreadsheets is a documented user complaint — Privacy Guides community user TinFoilHat reports: “I got a spreadsheet file sized 100MB, but if you export it and save it using MS Excel, it’s only around 2MB” [4]. The encryption overhead and versioning architecture cause this. It’s a real issue if you work with large spreadsheets.
• Loading times are reported as slower than Google Docs by multiple users [4]: “It never became part of my toolkit because it does feel a bit clunky design wise and the loading times are rather slow.” This is a structural consequence of client-side decryption — the browser has to decrypt content on load.
• Mobile experience is consistently described as below par [3][4]. It works but feels like a compromised experience.
• The sandbox security model requires a separate subdomain configured correctly. Skip this and you weaken the security guarantees that are the whole point of the tool [README].

Realistic time estimate: 2–4 hours for a technical user following the admin guide on a fresh VPS. For a non-technical founder: either pair with someone who runs Linux servers, or find a managed CryptPad host, or use the cryptpad.fr public instance.

---

Pros and cons

Pros

• Genuine zero-knowledge encryption. Not marketing copy — the server operators cannot read your documents. Verified architecture, 10+ years of active development, open-source code that can be audited [1][3].
• No account required for collaboration. Share a link, collaborator edits in real time. No sign-up friction [1][4]. This is a meaningful differentiator versus every major alternative.
• Full office suite in one tool. Text, spreadsheets, slides, forms, kanban, whiteboard, code editor — all encrypted, all in one place [1][3].
• Backed by XWiki SAS, a company with 20+ years of open-source development. Not a hobby project [1][3].
• European hosting on flagship instance. cryptpad.fr data hosted in France, subject to GDPR [1].
• Docker support with official images since v5.4.0 — AMD64 and ARM64 [README].
• Active development — Privacy Guides noted the product improved noticeably between two review sessions in 2025 [4].
• Free tier is genuinely useful. 1GB storage and no account required for basic use [website scrape].

Cons

• Not a Microsoft Office replacement for power users. Complex Excel files, macros, advanced formatting — expect degraded import/export fidelity [3].
• Spreadsheet file size inflation is a real problem. A 2MB Excel file can balloon to 100MB inside CryptPad [4]. For heavy spreadsheet users, this alone may be a dealbreaker.
• Slow load times. Client-side decryption takes time. If you’re used to Google Docs’ near-instant load, the difference is noticeable [4].
• Mobile experience is second-class. No native app, browser-based mobile is functional but uncomfortable for extended use [3][4].
• AGPL-3.0, not MIT. If you want to embed CryptPad in a commercial product without open-sourcing your modifications, you need a commercial agreement with XWiki [merged profile].
• Production setup is non-trivial. HTTPS is mandatory, sandbox subdomain required, Node.js version-sensitive configuration [README].
• Small team behind it. XWiki SAS is a real company, but CryptPad is a small team. Less community ecosystem than something like Nextcloud [3].

---

Who should use this / who shouldn’t

Use CryptPad if:

• You handle sensitive documents — client data, HR records, legal strategy, journalistic sources — where the zero-knowledge model isn’t paranoia, it’s due diligence.
• You’re an NGO, cooperative, activist organization, or educational institution that needs collaboration tools without vendor surveillance [1][2][3].
• You need to collaborate with external parties who won’t create accounts — the link-based sharing model removes onboarding friction entirely [1][4].
• You want to escape Google Workspace or Microsoft 365 pricing and your team primarily does text documents and lightweight spreadsheets.
• You’re comfortable with (or can afford) basic Docker deployment, or you’ll use the flagship cryptpad.fr instance.

Skip it (use Nextcloud + OnlyOffice) if:

• You need full Microsoft Office compatibility — complex spreadsheets, macros, advanced slide formatting.
• File storage, calendar, contacts, and office editing all in one self-hosted platform is the requirement.
• Your team is already invested in the Nextcloud ecosystem.

Skip it (stay on Google Workspace) if:

• Your compliance requirements actually require SOC 2 / ISO 27001 certification and you can’t self-host.
• Your team lives in spreadsheets with complex formulas and pivot tables — the file size issue and fidelity gaps will cause daily friction.
• Nobody on your team can handle a VPS and you don’t want to pay for help.

Skip it (consider Proton Docs) if:

• You’re already a Proton subscriber and your use case is primarily text documents.
• You don’t need real-time collaboration with external non-account users, and you want a more polished mobile experience.

---

Alternatives worth considering

• Nextcloud + OnlyOffice / Collabora — The more capable self-hosted option if you need full Office compatibility, file storage, calendar, and contacts. Encryption in transit, not zero-knowledge. More complex to run [3].
• Proton Docs — Growing privacy-focused document suite from Proton. Polished, end-to-end encrypted, but no account-free collaboration and still limited to documents (no spreadsheets as of this writing) [4].
• Standard Notes — If your use case is notes rather than collaborative office documents. More polished mobile experience, zero-knowledge architecture, limited to text [4].
• OnlyOffice Community Server — Full Office-compatible self-hosted suite, better spreadsheet fidelity, but no zero-knowledge encryption.
• Etherpad — Simpler, older collaborative text editor. Zero-knowledge is not the goal; simplicity is. Still useful for quick team text collaboration without setup overhead.
• Cryptee — Zero-knowledge document and photo storage, simpler scope than CryptPad, no real-time collaboration.

For a non-technical founder choosing between privacy-focused collaboration tools, the realistic shortlist is CryptPad vs Proton Docs: pick CryptPad if zero-knowledge self-hosting and no-account collaboration matter, pick Proton Docs if you want a more polished experience and are already in the Proton ecosystem.

---

Bottom line

CryptPad is the only serious answer to “I need Google Docs-style collaboration, I need it encrypted such that even the server can’t read it, and I don’t want to pay per user.” That’s a narrow and real problem, and CryptPad solves it genuinely. The trade-offs are honest: it’s not a Microsoft Office replacement, heavy spreadsheet users will hit the file inflation issue, and load times are slower than what Google trains you to expect. But for NGOs, cooperatives, journalists, activists, and founders who handle genuinely sensitive documents — where the threat model is not hypothetical — nothing else in the self-hosted space has the same architecture at this maturity level. Self-hosting it correctly requires a technical setup session, not an afternoon of clicking. If that’s the blocker, upready.dev deploys it for you once, and you own the infrastructure from there.

---

Sources

1. Privacy Guides — “CryptPad Review: Replacing Google Docs” (Feb 7, 2025). https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/
2. CryptPad.org — “Testimonials” (497 user testimonials). https://cryptpad.org/testimonials/
3. Blue Fox Consultant — “CryptPad self-hosted: a collaborative suite for privacy and data sovereignty”. https://www.bluefoxconsultant.com/en/blog/blue-fox-articles-2/cryptpad-self-hosted-a-collaborative-suite-for-privacy-and-data-sovereignty-223
4. Privacy Guides Community — “CryptPad Review: Replacing Google Docs — Announcements / Articles” (Feb 8, 2025). https://discuss.privacyguides.net/t/cryptpad-review-replacing-google-docs/24772

Primary sources:

• GitHub repository: https://github.com/cryptpad/cryptpad (7,439 stars, AGPL-3.0)
• Official website: https://cryptpad.org
• Admin installation guide: https://docs.cryptpad.org/en/admin_guide/installation.html
• Docker Hub: https://hub.docker.com/r/cryptpad/cryptpad