Hoodik
Hoodik is a self-hosted cloud storage & sync replacement for Box, DocSend, and more.
Self-hosted cloud storage with client-side encryption, honestly reviewed. No marketing fluff — just what you get when you run it yourself.
TL;DR
- What it is: Lightweight, self-hosted cloud storage server where all encryption and decryption happens in your browser (or native mobile app) — the server stores only ciphertext and cannot read your files [README][1].
- Who it’s for: Privacy-conscious individuals and small teams who want a Google Drive or Dropbox replacement that they control, where not even a subpoena to the hosting provider yields readable data.
- Cost: Software is free to self-host. Run it on a $5–10/month VPS and your storage costs drop to whatever disk space you pay for. No SaaS tier from the developers exists — it’s self-hosted or nothing.
- Key strength: The encryption architecture is genuinely well-designed — RSA-2048 key pairs per user, AEGIS-128L symmetric cipher, privacy-preserving search via BERT tokenization and SHA-256 hashing, and public share links where the file key never reaches the server [README][1]. Mobile apps (Android, iOS) and a macOS desktop app with MCP server support extend this beyond just a web interface [1].
- Key weakness: The license is CC BY-NC 4.0 — not OSI-approved open source, which means no commercial use without contacting the developer [README]. The project has 1,018 GitHub stars and a thin review ecosystem, which means you’re betting on a small, relatively untested codebase with limited community visibility [1][4].
What is Hoodik
Hoodik is a self-hosted encrypted file storage server built in Rust (Actix-web backend) and Vue 3 (frontend). The pitch is that your server is technically incapable of reading your files — not because the developer promises not to look, but because the cryptographic architecture makes it structurally impossible [README].
When you register an account, the server generates an RSA-2048 key pair for you. Your private key is stored on the server encrypted with your passphrase — meaning a server compromise leaks only an encrypted blob. When you upload a file, your browser generates a random symmetric key, encrypts the file chunk-by-chunk using AEGIS-128L (a hardware-accelerated AEAD cipher running via WebAssembly SIMD), and only the ciphertext reaches the server. The symmetric key itself is stored encrypted with your RSA public key [README].
The same Rust cryptography engine that runs in the browser via WebAssembly powers the native Android and iOS apps, which means one security audit theoretically covers every client [1]. The macOS desktop app additionally exposes an MCP server — AI agents like Claude can read and write your encrypted files when you explicitly allow it, with decryption handled transparently by the app [1].
The project is developed by Tibor Hudik (hudikhq on GitHub), has 1,018 stars and 47 forks as of this writing, and has been active since 2023 [1][README].
Why people choose it
The third-party review ecosystem for Hoodik is thin. AlternativeTo has 28 likes and no published user reviews as of this writing [1]. Ojambo.com published a setup walkthrough in November 2025 focused on the Podman deployment path [4]. There are no Trustpilot entries, no long-form comparisons against Nextcloud or Seafile from dedicated reviewers. That thinness is itself a signal: this is a small project, and you’re taking on some early-adopter risk.
That said, the reasons people land on Hoodik over the obvious alternatives are readable from the AlternativeTo feature tags and listing context [1]:
Privacy as architecture, not a promise. The common complaint about Nextcloud, the dominant self-hosted storage tool, is that the server still has access to your plaintext files by default. Client-side encryption plugins exist (Cryptomator is the standard workaround), but they’re bolted on. Hoodik’s client-side encryption is the default, foundational behavior — you can’t accidentally upload an unencrypted file [README][1].
Encrypted search without plaintext exposure. This is the technically interesting differentiator. Hoodik tokenizes file metadata using a BERT language model, hashes the tokens with SHA-256, and stores only the hashes. When you search, your browser runs the same tokenization and hash operation locally, then sends hashes to the server for matching. The server matches queries without ever seeing plaintext names [README][1]. This is nontrivial engineering that Nextcloud and most alternatives simply don’t attempt.
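The search flow described above, as an added example (not Hoodik's code). It assumes a simple lowercase-word tokenizer in place of the BERT tokenizer and plain SHA-256 as the page describes. The file names, ids and class names are constructed for illustration.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

def tokenize(text: str) -> list[str]:
    # Stand-in tokenizer (assumption): lowercase alphanumeric runs. The page
    # says Hoodik uses a BERT tokenizer; the scheme only needs the same
    # deterministic tokenizer at upload time and at search time.
    return re.findall(r"[a-z0-9]+", text.lower())

def token_hashes(text: str) -> set[str]:
    # Runs on the client: only these digests leave the device.
    return {hashlib.sha256(t.encode("utf-8")).hexdigest() for t in tokenize(text)}

class SearchServer:
    """Server-side index: token hash -> ids of files carrying that hash."""

    def __init__(self) -> None:
        self.index: dict[str, set[str]] = {}

    def store(self, file_id: str, hashes: set[str]) -> None:
        for h in hashes:
            self.index.setdefault(h, set()).add(file_id)

    def search(self, query_hashes: set[str]) -> set[str]:
        # A file matches when it carries every hash in the query.
        if not query_hashes:
            return set()
        hits = [self.index.get(h, set()) for h in query_hashes]
        return set.intersection(*hits)

    def stores_only_digests(self) -> bool:
        return all(HEX64.fullmatch(h) for h in self.index)

    def files_sharing_a_token(self) -> dict[str, set[str]]:
        # Equal tokens give equal digests. That is what makes matching work,
        # and it also lets the server see which files have a token in common.
        return {h: ids for h, ids in self.index.items() if len(ids) > 1}

# Constructed sample file names, known only to the client.
SAMPLE_FILES = {
    "f1": "Tax Return 2023.pdf",
    "f2": "tax-notes.md",
    "f3": "Holiday photos.zip",
}

def build_demo_server() -> SearchServer:
    server = SearchServer()
    for file_id, name in SAMPLE_FILES.items():
        server.store(file_id, token_hashes(name))  # the name itself is not sent
    return server

if __name__ == "__main__":
    server = build_demo_server()
    print(sorted(server.search(token_hashes("tax"))))
    print(sorted(server.search(token_hashes("TAX 2023"))))
    print(sorted(server.search(token_hashes("invoice"))))
    print(server.files_sharing_a_token())
```

The server answers queries from digests alone, but because hashing is deterministic it can still observe which files share a token.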
Share links that don’t expose the key to the server. Public sharing in most storage tools means you’re trusting the server to serve the file to the link holder. Hoodik puts the file’s decryption key in the URL fragment (#link-key) — the fragment is never sent to the server by the browser, so the server genuinely cannot see what key the recipient is using [README]. This is a clean design.
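What the server receives for a fragment-based share link, compared with a link that carries the key in the query string, as an added example (not Hoodik's code). The host, the `/links/<id>` path, the `key` parameter and the log format are hypothetical.

```python
import secrets
from urllib.parse import urlsplit

BASE = "https://files.example.test"  # constructed host

def fragment_link(link_id: str, link_key: str) -> str:
    # Design described on the page: key after '#'.
    # The /links/<id> path is hypothetical.
    return f"{BASE}/links/{link_id}#{link_key}"

def query_link(link_id: str, link_key: str) -> str:
    # Counter-example for comparison: key in the query string.
    return f"{BASE}/links/{link_id}?key={link_key}"

def request_target(url: str) -> str:
    # What the browser puts on the HTTP request line: path plus query.
    # The fragment is client-side only (RFC 9110, section 7.1).
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target

def access_log_line(url: str) -> str:
    # Constructed log format, standing in for any server or proxy log.
    return f'203.0.113.7 "GET {request_target(url)} HTTP/1.1" 200'

def key_for_recipient(url: str) -> str:
    # The recipient's browser reads the key locally from the fragment.
    return urlsplit(url).fragment

def key_reaches_server(url: str, link_key: str) -> bool:
    return link_key in access_log_line(url)

if __name__ == "__main__":
    key = secrets.token_urlsafe(32)  # constructed sample key
    for url in (fragment_link("abc123", key), query_link("abc123", key)):
        print(access_log_line(url), "| key reaches server:",
              key_reaches_server(url, key))
```

The full URL, fragment included, is the secret: anyone who obtains the complete link can decrypt the file.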
Multi-platform native apps, not just a web UI. AlternativeTo’s feature list for Hoodik includes Android and iOS mobile apps with local encrypted cache for offline access [1]. Losing a device doesn’t expose cached files because the local cache is encrypted with the same standard as server-side storage.
Small footprint. This isn’t Nextcloud with its plugin ecosystem, CalDAV/CardDAV servers, and office document editing suite. It’s a file storage tool and nothing more. If you want to stop thinking about your self-hosted setup and just upload files securely, the reduced surface area is a feature.
Features
Based on the README and AlternativeTo’s feature listing [README][1]:
Encryption and security:
- Client-side encryption via WebAssembly — server sees only ciphertext [README]
- RSA-2048 per-user key pairs; private key stored encrypted with user passphrase [README]
- AEGIS-128L as the default symmetric cipher; Ascon-128a and ChaCha20-Poly1305 also supported [README]
- Per-file cipher stored in the database, so old files decrypt correctly as the default changes [README]
- Privacy-preserving search: file names tokenized with BERT, hashed with SHA-256, matched server-side without plaintext exposure [README][1]
- Public share links with decryption key in URL fragment, never transmitted to server [README]
- Optional TOTP-based two-factor authentication per user [README]
- Encrypted local cache on mobile and desktop apps [1]
Storage and transfers:
- Chunked concurrent uploads and downloads for large files [README]
- SQLite out of the box; PostgreSQL via a single environment variable for production scale [README]
- Docker-first with multi-arch images: amd64, armv6, armv7, arm64 [README]
- Built-in TLS with auto-generated self-signed certificate, or bring your own cert [README]
Applications:
- Web UI (Vue 3 frontend) [README]
- Native Android and iOS apps with offline access [1]
- macOS desktop app with built-in MCP server for AI agent integration [1]
Productivity:
- WYSIWYG markdown editor for encrypted notes — the AlternativeTo description calls it “an encrypted, self-hosted alternative to Obsidian for everyday note-taking” [1]
- Syntax highlighting, tables, auto-save in the editor [1]
Administration:
- Admin dashboard for user management, sessions, invitations, app settings [README]
- Invitation-based user registration (implied by the admin dashboard feature) [README]
- JWT secret configuration for persistent sessions across container restarts [README]
What’s not here: No WebDAV, no CalDAV/CardDAV, no document co-editing, no photo management, no version history mentioned in the README, no external storage backends (no S3 mode). Hoodik is a focused tool, not a Nextcloud competitor in terms of breadth.
Pricing: SaaS vs self-hosted math
There is no SaaS offering from the Hoodik developers. You self-host it or you don’t use it.
What you’re replacing when you self-host Hoodik:
Google Drive: 15 GB free, then 100 GB at approximately $2.99/month, 2 TB at approximately $9.99/month. Fully visible to Google.
Dropbox: 2 TB plan runs approximately $9.99/month on annual billing. Files stored on Dropbox servers, accessible to Dropbox under their terms.
ProtonDrive: Free 1 GB, paid plans from approximately $4/month for 200 GB — the closest privacy-equivalent to Hoodik’s promise in the managed-cloud category.
Hoodik self-hosted on a VPS:
- Hetzner CX22 (2 vCPU, 4 GB RAM, 40 GB SSD): €3.79/month (~$4/month)
- Add a data volume for file storage: €0.054/GB/month on Hetzner
- 200 GB storage = approximately $4 (VPS) + $10.80 (volume) = ~$15/month
- 1 TB storage = approximately $4 (VPS) + $54 (volume) = ~$58/month
The VPS math doesn’t always beat ProtonDrive for small storage needs. Where it wins is at scale — 5 TB of self-hosted storage costs roughly $4 (compute) + $270 (Hetzner block storage), but you’d typically use a separate NAS or large-disk server at that point, bringing the effective per-GB cost down dramatically.
The more honest framing: you’re not primarily self-hosting Hoodik to save money versus Dropbox. You’re doing it because the architecture guarantees the operator cannot read your files — which no managed service can offer, regardless of their privacy marketing.
Deployment reality check
The Ojambo.com guide [4] walks through a Podman (rootless Docker-equivalent) deployment and treats it as approachable for beginners. The README’s quickstart is a single docker run command [README]. Neither source describes major gotchas beyond standard container deployment friction.
What you actually need:
- A Linux server with Docker installed (VPS, home server, or Raspberry Pi — multi-arch images cover armv6/v7/arm64) [README]
- A domain name if you want HTTPS via your own certificate (reverse proxy like Nginx Proxy Manager works) [README][4]
- An SMTP provider if you want email-based registration and notifications [README]
- Disk space for file storage, mounted as a Docker volume
The realistic setup path:
    docker run --name hoodik -d \
      -e DATA_DIR='/data' \
      -e APP_URL='https://your-domain.com' \
      --volume "$(pwd)/data:/data" \
      -p 5443:5443 \
      hudik/hoodik:latest
This gives you a running instance with an auto-generated self-signed TLS certificate in under five minutes if you have Docker already installed [README].
For production with a proper cert and SMTP, the README’s second example adds six environment variables — still a single docker run command [README][4].
What can go sideways:
- The self-signed certificate triggers browser warnings out of the box — you need to either provide your own cert or add Hoodik behind a reverse proxy with a Let’s Encrypt cert. Not hard, but it’s a step.
- Port 5443 by default, not 443. The Ojambo guide remaps to 8443 on the host [4]. Plan your port mapping before you start.
- JWT_SECRET should be set to a stable random string, or sessions don’t survive container restarts [README]. Easy to miss on first deploy.
- SQLite default is fine for personal use. For a team or high-concurrency usage, switching to PostgreSQL via the DATABASE_URL environment variable is necessary [README].
- The mobile apps are separate downloads — not bundled with the server. AlternativeTo’s description confirms Android and iOS apps exist [1], but the README doesn’t link them, which suggests they may be in separate repositories or distributed via app stores independently.
Realistic time estimate: 30–45 minutes to a working instance for someone comfortable with Docker and a domain name. 2–4 hours for someone new to containers following a guide. The Ojambo walkthrough [4] provides screenshots through the initial setup screens (user creation, private key generation, 2FA setup, login) which suggests the onboarding flow requires a few deliberate steps.
Pros and cons
Pros
- Client-side encryption is the architecture, not an add-on. The server is structurally incapable of reading your files. This isn’t a privacy marketing promise — it’s a cryptographic guarantee [README][1].
- Privacy-preserving search actually works. BERT tokenization + SHA-256 hashing means you can find files by name without the server learning your query. Most encrypted storage solutions sacrifice search entirely [README][1].
- Secure public share links by design. The decryption key lives in the URL fragment, never sent to the server. Recipients get file access; the server doesn’t know what they’re decrypting [README].
- Native mobile apps with offline access. Android and iOS apps cache files locally in encrypted form — device loss doesn’t leak data [1]. This puts Hoodik ahead of many self-hosted storage tools that are web-only.
- macOS MCP server integration. The desktop app exposes an MCP endpoint for AI agents — a niche but forward-looking feature for teams using Claude or Cursor [1].
- Markdown editor built in. Encrypted notes with WYSIWYG editing, syntax highlighting, and auto-save — a lightweight Obsidian alternative that’s end-to-end encrypted [1].
- Single-container deployment. No separate database container required for SQLite mode, no external dependencies by default. Clean Docker footprint [README].
- Multi-arch support. Runs on Raspberry Pi (armv6, armv7, arm64) as well as standard x86 servers [README].
- Modern cryptographic primitives. AEGIS-128L with hardware acceleration, Ascon-128a, ChaCha20-Poly1305 — not just AES-256-CBC wrapped in old patterns [README].
Cons
- CC BY-NC 4.0 license — not open source. This is the most important thing to understand before you build anything on Hoodik. The license prohibits commercial use. If you’re a business, a managed service provider, or plan to use this in any commercial context, you need to contact the developer first. This is categorically different from MIT or Apache 2.0 [README].
- 1,018 GitHub stars and almost no public reviews. AlternativeTo has 28 likes and zero published user reviews [1]. There are no Trustpilot entries, no detailed comparisons, no long-running community threads. You’re an early adopter.
- Single developer project. The GitHub shows Tibor Hudik as the primary author [README]. Bus factor of one is a real risk for a tool you’re betting your data on.
- No WebDAV. You cannot mount Hoodik as a network drive on your desktop OS. If you want to sync folders rather than manually upload through a web UI, you need the dedicated native apps — which may or may not exist for your platform [README].
- No version history mentioned. The README doesn’t describe file versioning. If you overwrite a file, there’s no documented rollback mechanism [README].
- No S3 or external storage backend. Files go to the local filesystem (DATA_DIR). Scaling storage means either a large attached volume or running your own NAS — there’s no S3-compatible backend option documented [README].
- Limited admin controls. The admin dashboard covers users, sessions, and invitations [README]. There’s no granular quota management, no folder-level access controls, and no audit log described in available documentation.
- Thin documentation. The README is the primary documentation. There’s no dedicated docs site, no API reference, and the configuration reference points to .env.example in the repository [README].
Who should use this / who shouldn’t
Use Hoodik if:
- You want encrypted personal cloud storage and are comfortable with Docker deployment.
- Privacy-by-architecture matters more to you than ecosystem breadth — you want a tool where “trust us, we don’t look at your files” is impossible rather than promised.
- You’re an individual or very small team (2–5 people) who just needs secure file storage and sharing without Nextcloud’s complexity.
- You’re already buying a Raspberry Pi or home server and want encrypted storage without paying monthly for ProtonDrive.
- The markdown editor would replace a separate encrypted notes tool (Standard Notes, Obsidian + Cryptomator) in your stack.
Think hard before using Hoodik if:
- You’re deploying this for a business. The CC BY-NC 4.0 license means commercial use requires explicit permission from the developer [README]. Get that in writing first.
- You’re replacing Nextcloud for a team larger than a handful of people — no per-user quotas, no folder permissions, no audit trail.
- You need WebDAV mounting or folder sync on desktop — the native app situation beyond macOS is unclear.
- You’re not comfortable as an early adopter. With under 1,100 GitHub stars and no substantial public review history, you’re relying on source code review rather than community battle-testing [1].
Skip it (use Nextcloud instead) if:
- You need file sync across many devices, CalDAV/CardDAV, document editing, photo albums, or any of the 200+ Nextcloud apps.
- Your team needs granular permissions and audit logging.
- You need WebDAV for desktop integration.
Skip it (use Cryptomator + Rclone instead) if:
- You want encrypted cloud storage layered on top of your existing Backblaze B2, S3, or Dropbox — Hoodik requires its own hosting.
Skip it (use Ente instead) if:
- You specifically want encrypted photo and file backup with managed hosting already handled for you and don’t want to run your own server.
Alternatives worth considering
- Nextcloud — the dominant self-hosted storage platform. Vastly more features, plugins, and community support. Client-side encryption is an optional plugin (Nextcloud End-to-End Encryption), not the default. Much heavier to self-host.
- Seafile — faster sync than Nextcloud, cleaner interface, decent team features. The community edition is open source; client-side encryption mode exists. More established than Hoodik.
- Syncthing — not a cloud storage tool but a peer-to-peer sync daemon. No server to hack; files sync directly between your devices. No sharing links, no web UI for external access.
- ProtonDrive — managed cloud storage with client-side encryption from a company with a credible privacy track record. You pay monthly, they handle the server — no deployment. The right answer if self-hosting isn’t your goal.
- Ente — open source (AGPL) photos + files storage with client-side encryption. Both managed and self-hosted options. More established than Hoodik for mobile-first use cases.
- Cryptomator — client-side encryption layer that works on top of any storage (Dropbox, S3, local disk). Pairs with Rclone for self-hosted encrypted storage without running your own server application.
- PicoDAV — single-file PHP WebDAV server for simple file hosting [2]. No encryption, much simpler scope.
For privacy-focused non-technical founders, the practical shortlist is Hoodik vs Nextcloud with E2EE vs ProtonDrive. Pick Hoodik if you want the cleanest encrypted-by-default architecture and minimal server footprint. Pick Nextcloud if you need ecosystem breadth. Pick ProtonDrive if you want managed hosting with a similar privacy promise and no deployment overhead.
Bottom line
Hoodik is doing something technically honest that most storage tools don’t bother with: it designed client-side encryption as the foundational constraint, not an afterthought. The encrypted search, the fragment-based share links, the BERT tokenization — these aren’t marketing bullet points, they’re specific engineering choices that close real attack vectors. For someone who wants a personal, encrypted, self-hosted alternative to Google Drive and is comfortable with a Docker deployment, it’s worth serious consideration.
The caveats are real: the CC BY-NC 4.0 license blocks commercial use, the project is small and lightly reviewed, there’s no WebDAV, and single-developer projects carry bus-factor risk. This isn’t a drop-in Nextcloud replacement for a 20-person team. It’s a personal or small-team tool for people who have looked at “we take your privacy seriously” cloud storage marketing and decided to remove the vendor from the trust equation entirely.
If the Docker deployment is the blocker, that’s exactly what upready.dev handles for clients — one-time setup, you own the infrastructure.
Sources
- [1] AlternativeTo — Hoodik: Encrypted self-hosted cloud storage with link sharing, Docker setup, and fast (28 likes, full feature listing and description). https://alternativeto.net/software/hoodik/about/
- [2] AlternativeTo — PicoDAV: Single-file WebDAV server (context on lightweight self-hosted file tool alternatives). https://alternativeto.net/software/picodav/about/
- [3] AlternativeTo — Plik: Temporary file upload system in Go (context on self-hosted file sharing alternatives). https://alternativeto.net/software/plik/about/
- [4] Edward, Ojambo.com — “How to Self-Host Hoodik: An Open-Source Cloud Storage” (Nov 28, 2025). https://www.ojambo.com/how-to-self-host-hoodik-an-open-source-cloud-storage
Primary sources:
- GitHub repository and README: https://github.com/hudikhq/hoodik (1,018 stars, CC BY-NC 4.0 license)
- License file: https://github.com/hudikhq/hoodik/blob/master/LICENSE.md
- Docker Hub image: https://hub.docker.com/r/hudik/hoodik