OpenCloud is a self-hosted file management and collaboration platform built for organizations demanding data sovereignty. It enables teams to securely store, share, and collaborate on files while maintaining complete control over their data, whether deployed on-premise or via trusted SaaS partners. Built with Go and designed for enterprise use, it serves public sector institutions, research organizations, educational institutions, and businesses requiring DSGVO/GDPR compliance and zero-trust security.
The platform uses a filesystem-based storage model instead of a traditional database, storing all data under $HOME/.opencloud/ by default. It authenticates users via OpenID Connect with support for external identity providers like Keycloak or its embedded LibreGraph Connect IDP. OpenCloud integrates real-time collaboration through an embedded Office suite and supports secure versioning, access controls, and two-factor authentication—all while remaining fully open source under Apache 2.0.
What You Get
- File Management & Sharing - Securely upload, organize, and share files with granular access controls and link-based sharing with expiration and password protection.
- Real-Time Collaboration - Integrated Office suite allows multiple users to edit documents, spreadsheets, and presentations simultaneously within the platform.
- Data Sovereignty - Full control over data location and infrastructure; deploy on-premise or via certified partners to ensure compliance with DSGVO/GDPR and zero-trust principles.
- OpenID Connect Authentication - Supports external identity providers like Keycloak or the embedded LibreGraph Connect IDP for centralized user management and SSO.
- File Versioning & Ransomware Protection - Automatic version history for all files enables recovery from accidental changes or malicious encryption attacks.
- Two-Factor Authentication (2FA) - Enforces additional security layers for user logins to prevent unauthorized access even if credentials are compromised.
Common Use Cases
- Public Sector Data Management - A government agency uses OpenCloud to securely share sensitive citizen documents internally and with other departments while ensuring DSGVO compliance and full data control.
- University Research Collaboration - A research team stores and collaborates on datasets and papers using OpenCloud’s versioning and access controls to maintain data integrity across global contributors.
- Enterprise File Governance - A mid-sized company replaces Dropbox or OneDrive with OpenCloud to eliminate vendor lock-in and enforce strict access policies for confidential business documents.
- Education Sector File Sharing - A school district deploys OpenCloud to let teachers and students securely upload assignments and collaborate on projects from any device, with parental consent controls.
Under The Hood
Architecture
- Modular service-oriented design with domain-isolated Go services, enabling independent development and deployment
- Clear separation of concerns via protocol buffers defining service contracts, with dependency injection and configuration-driven service composition
- Multi-language build pipeline orchestrated by Makefile, ensuring consistent compilation and tooling execution across Go, Node.js, and PHP
- Single-binary deployment model via Docker multi-stage builds, guaranteeing environment-agnostic reproducibility
- Pluggable service interfaces support extensibility for OCM, WebDAV, and SSO without modifying core components
Tech Stack
- Go 1.24 backend with microservices orchestrated into a unified binary, complemented by Node.js for frontend tooling
- PHP 8.3 components managed with Composer and vendor-bin isolation for static analysis tools
- Docker-based multi-stage builds using Alpine and Golang base images for lightweight, production-ready containers
- NATS as the event-driven messaging backbone, integrated via Go micro plugins for distributed service coordination
- Comprehensive tooling including golangci-lint, .editorconfig, Codacy, pnpm, and Rollup for consistent code quality and asset generation
Code Quality
- Extensive acceptance tests using Gherkin to validate API behavior across authentication, sharing, and file operations
- Robust test automation for OAuth2 flows with caching and refresh logic, ensuring state consistency in distributed environments
- Well-organized test helpers and feature files aligned with user roles and API endpoints
- Strong adherence to HTTP semantics and response validation to enforce API contract integrity
- Minimal custom error handling, relying on standardized HTTP responses and simple test utilities
What Makes It Unique
- Native LibreGraph integration as a unified identity layer, enabling seamless interoperability with external IAM systems
- Custom font and semantic CSS system enforcing design consistency and accessibility across all UI services
- Event history service built on protocol buffers to provide distributed audit trails without centralized logging
- Pluggable invitation system decoupling identity provisioning from execution, supporting dynamic provider integration
- Unified user type system (Guest/Primary) consistently enforced across CS3 APIs, GraphQL, and UI layers
- Shared CSS component library enabling brand consistency across polyglot microservices without UI fragmentation