Enclosed is a secure, open-source platform for sending private notes and files with end-to-end encryption. Designed for users who need to share sensitive data without relying on server-side trust, it ensures that only the intended recipient with the correct link and password can decrypt the content. Perfect for journalists, developers, and privacy-conscious individuals needing ephemeral, secure communication.
Built with SolidJS for the frontend and HonoJS for the backend, Enclosed uses AES-GCM with PBKDF2-derived keys for encryption and stores data via Unstorage on Cloudflare KV. It supports self-hosting via Docker, offers a CLI for terminal-based note creation, and is optimized for low environmental impact with an A+ rating on WebsiteCarbon.
What You Get
- End-to-End Encryption with AES-GCM - Notes and files are encrypted client-side using AES-GCM with a 256-bit key derived via PBKDF2, ensuring the server never accesses plaintext content.
- Zero-Knowledge Architecture - The server stores only encrypted blobs and metadata; no decryption keys or content are ever stored or visible to the server.
- File Attachments Support - Users can securely upload and share files alongside text notes, all encrypted end-to-end before transmission.
- Configurable Expiration & Self-Destruction - Notes can be set to auto-delete after a specified TTL (in seconds) or immediately after being read once.
- Password Protection - Optional password-based encryption adds an additional layer of security; the password is never sent to the server.
- CLI Tool for Terminal Use - The @enclosed/cli allows creating and viewing encrypted notes directly from the command line using stdin or arguments.
- Self-Hosting with Docker - Full Docker and Docker Compose support for deploying Enclosed on private infrastructure with persistent storage options.
- Dark Mode & Responsive UI - A clean, minimalist interface with native dark mode and full mobile responsiveness for use on any device.
- i18n Support - The interface supports multiple languages out of the box for global accessibility.
- Cloudflare KV Integration - The live instance uses Cloudflare KV for scalable, low-latency storage of encrypted notes without requiring a traditional database.
Common Use Cases
- Sending sensitive API keys or credentials - A developer uses Enclosed to share temporary credentials with a teammate, ensuring the key self-destructs after one view and never touches the server in plaintext.
- Journalists sharing confidential documents - A reporter sends an encrypted whistleblower document via Enclosed, ensuring no third party—including the hosting provider—can access its contents.
- Secure internal team communication - A startup team self-hosts Enclosed to share one-time passwords, audit logs, or internal notes without exposing them to cloud-based pastebin services.
- Privacy-focused individuals sharing personal data - A user sends encrypted medical summaries or financial details to a family member using a password-protected link that auto-deletes after reading.
Under The Hood
Architecture
- Monorepo structure cleanly separates frontend (Vue/SolidJS) and backend (Hono-based Node.js) with well-defined API boundaries
- Dependency injection via shared library packages enables reuse of encryption and storage logic without duplication
- Server architecture layers separate HTTP routing from business logic, delegating encryption and file operations to dedicated service layers
- Client-side state management integrates encryption context directly into UI components, preserving security state throughout user interactions
- Dockerized deployment uses multi-stage builds and persistent volumes to isolate build environments and securely store encrypted data
Tech Stack
- Node.js 22 backend powered by Hono for routing and unstorage for data persistence, deployed via lightweight Docker images
- Solid.js frontend with Kobalte and Solid Primitives for reactive UI, bundled with Vite and utility-first styling via unocss
- Monorepo managed with pnpm, organizing code into distinct packages for client, server, and cryptographic utilities
- Testing ecosystem includes Vitest for unit/integration tests and Playwright for end-to-end validation, supported by TypeScript and ESLint
- Automated releases and dependency updates are handled by bumpp and Renovate, ensuring consistent versioning and security hygiene
Code Quality
- Extensive test coverage spans unit, integration, and end-to-end layers with clear separation of client and server concerns
- Robust error handling with custom error classes and structured logging ensures graceful degradation and resilience in critical paths
- Consistent, descriptive naming conventions and modular structure enhance readability and long-term maintainability
- Strong TypeScript typing enforces correctness across encryption schemas, configuration models, and task contexts
- Comprehensive test utilities enable isolated validation of complex behaviors without external dependencies or side effects
What Makes It Unique
- End-to-end client-side encryption ensures plaintext secrets never reach the server, implementing true zero-knowledge security
- Password-derived keys are computed entirely in the browser, eliminating password transmission and server-side decryption
- QR code-based note sharing provides secure, URL-free access without exposing endpoints or tokens
- Encrypted notes are bundled with assets into portable JSZip archives, enabling offline, dependency-free storage and transfer
- Authentication bypass and cross-tab state sync via localStorage reduce attack surface compared to traditional session-based systems
- Documentation includes interactive credential input that mirrors the actual client UX, allowing real-world encryption testing before use