Hoodik is a self-hosted cloud storage solution designed for users who demand end-to-end encryption and full control over their data. It’s ideal for individuals, privacy-conscious teams, and small organizations seeking to replace commercial cloud drives without compromising security. The server handles only encrypted blobs, while all encryption, decryption, and search operations occur in the browser using cryptographic primitives like RSA-2048 and AEGIS-128L.
Built with Rust (Actix-web) for the backend and Vue 3 for the frontend, Hoodik supports both SQLite and PostgreSQL databases and deploys via a single Docker container with multi-architecture support. It includes optional TOTP-based two-factor authentication, public sharing links with encrypted file keys, and an admin dashboard for user and session management — all designed for easy deployment and secure operation behind reverse proxies like Nginx Proxy Manager.
What You Get
- End-to-end encryption - Files are encrypted in the browser using RSA-2048 and AEGIS-128L before upload; the server never sees plaintext data, and decryption occurs only in the user’s browser.
- Secure search - File metadata (names, etc.) is tokenized and hashed server-side, enabling search functionality without exposing plaintext filenames to the server.
- Public sharing links - Share files via URLs where the file key is encrypted with the recipient’s RSA public key and appended as a URL fragment, ensuring the server never transmits the decryption key.
- Two-factor authentication (TOTP) - Optional TOTP-based 2FA for user accounts, adding an extra layer of access control beyond passwords.
- Chunked file transfers - Large files are split into encrypted chunks for concurrent upload and download, improving performance and reliability on unstable connections.
- SQLite and PostgreSQL support - Out-of-the-box SQLite storage with PostgreSQL support via a single environment variable (DATABASE_URL), allowing scalable deployment without data format changes.
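The "Secure search" item above describes matching on hashed filename tokens instead of plaintext names. The sketch below is an added example, not Hoodik's code: the tokenizer, the HMAC-SHA-256 construction, the client-held `key` and all function names are assumptions, since the page does not specify the hash construction. It also contrasts a keyed hash with an unkeyed one, which anyone holding the index can check against guessed words.

```javascript
const { createHash, createHmac } = require('node:crypto');

// Split a filename into unique lowercase tokens (hypothetical tokenizer).
function tokenize(name) {
  return [...new Set(name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean))];
}

// Keyed hash: only a holder of searchKey can map a word to its index entry.
function blindToken(searchKey, token) {
  return createHmac('sha256', searchKey).update(token).digest('hex');
}

// Unkeyed hash, for contrast: recomputable by anyone for any guessed word.
function plainHash(token) {
  return createHash('sha256').update(token).digest('hex');
}

// Client side: the record stored next to the encrypted file.
function indexEntry(searchKey, fileId, name) {
  return { fileId, tokens: tokenize(name).map((t) => blindToken(searchKey, t)) };
}

// Server side: compares opaque hashes only; it holds no key and no plaintext.
function serverSearch(index, hashedQuery) {
  return index
    .filter((e) => hashedQuery.every((h) => e.tokens.includes(h)))
    .map((e) => e.fileId);
}

// Client side: hash the query terms with the same key before sending them.
function search(searchKey, index, query) {
  return serverSearch(index, tokenize(query).map((t) => blindToken(searchKey, t)));
}

// True when a guessed word reproduces a stored hash without any key.
function guessConfirms(storedHash, guess) {
  return storedHash === plainHash(guess);
}

// Constructed sample data (key and filenames are made up for this example).
const key = Buffer.from('constructed-demo-search-key-0001');
const index = [
  indexEntry(key, 1, 'Invoice_2024_ACME.pdf'),
  indexEntry(key, 2, 'holiday-photos-2024.zip'),
  indexEntry(key, 3, 'acme contract draft.docx'),
];

console.log(search(key, index, 'acme'), search(key, index, '2024 acme'));
console.log(guessConfirms(plainHash('invoice'), 'invoice'), guessConfirms(index[0].tokens[0], 'invoice'));
```

Even with a keyed hash, the index still reveals which files share a token, because equal tokens produce equal hashes.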
Common Use Cases
- Running a private photo archive - A photographer uses Hoodik to store high-resolution images with end-to-end encryption, ensuring no third party can access their personal collection even if the server is compromised.
- Secure team file sharing - A small design agency shares client assets via encrypted links, keeping sensitive files protected without relying on Dropbox or Google Drive.
- Self-hosted backup for sensitive documents - A lawyer stores confidential client files on a local server with encrypted backups, complying with data privacy regulations while avoiding cloud vendors.
- Privacy-focused personal cloud - A tech-savvy individual replaces iCloud or OneDrive with Hoodik to maintain full control over encryption keys and server location, using Docker on a Raspberry Pi.
Under The Hood
Architecture
- Monolithic Rust workspace with clear separation of concerns across modules like auth, entity, storage, and error handling, enforcing strict layering between API, service, and data layers
- Dependency injection is explicitly managed through struct initialization, avoiding runtime containers and promoting testability and transparent contracts
- Cargo workspaces isolate domain concerns with minimal cross-dependencies, while frontend concerns are decoupled into separate workspaces using Vue/Next.js and server-side Handlebars for email rendering
- Unified error handling via custom error structs with consistent HTTP serialization, and Docker/Tini-based deployment enforces stateless, 12-factor compliant service modeling
Tech Stack
- Rust backend powered by Actix-web, SeaORM, and SQLx with PostgreSQL and SQLite support, leveraging async runtimes for high-concurrency operations
- Comprehensive authentication and cryptography stack including bcrypt, JWT, rustls, and Google Authenticator, with Handlebars for server-side email templates
- Frontend built with Vue 3, Pinia, and Vite, utilizing TypeScript and Tailwind CSS for component-driven, type-safe UI development
- Dockerized deployment on Alpine Linux with Tini for process management, exposing a self-contained binary service on a dedicated port
- Multi-package workspace managed via Cargo and Yarn, enabling modular development of domain logic, storage, and utility crates
- PostgreSQL configured with logical WAL replication to ensure robust data persistence and replication readiness
Code Quality
- Extensive test coverage across API, storage, and frontend layers with well-structured unit, integration, and end-to-end tests
- Robust test helpers and mocks for database entities, HTTP responses, and cryptographic functions, enabling isolated and repeatable test scenarios
- Strong type safety and consistent error propagation through custom result types, though diagnostic richness is limited by the absence of granular error types
- Consistent naming, modular organization, and domain-focused test modules ensure maintainability and clarity across the codebase
- Comprehensive frontend E2E testing with Playwright covering user flows, paired with cryptographic unit tests validating key generation and signing
What Makes It Unique
- File integrity verification system that computes and stores multiple cryptographic hashes at upload time, enabling client-side validation without external dependencies
- Decoupled storage layer with HTTP-route-level transfer claim validation to prevent privilege escalation through path manipulation
- Asynchronous chunked upload tracking with real-time UI progress visualization tied directly to backend hash computation
- Custom loader component with branded animated effects that enhance user experience during file operations
- Integrated authentication claims system enforcing fine-grained access control at the operation level, avoiding middleware bloat
- Unified metadata display that dynamically adapts to file type and upload state, eliminating the need for separate upload and metadata views