This guide is about installing a public CryptPad instance available on the internet. For instructions about installing and running a local development instance please see the Developer Guide.
The development team is available to provide paid support contracts (see our organizational plans for an idea of our pricing), otherwise, requests for assistance can be directed to the community in our Matrix channel.
2 domains or subdomains are needed to take full advantage of CryptPad’s security features. Please see the domains section below for more details.
The development team uses and recommends the following hardware requirements as a minimum on the host machine:
2 x86 CPUs
20GB storage (depending on planned usage)
CryptPad is engineered to maximise privacy, and to minimize the amount of useful information that can be gained even if the host machine is compromised. However it is up to the administrator(s) to ensure that the host machine is secure. The instructions for this are beyond the scope of this guide but best practices include:
Disabling password-based SSH access
Updating the operating system regularly with any security patches
Limiting the number of people who have server access
Avoiding insecure applications running in parallel on the same host
Updating CryptPad itself regularly
the development team recommends creating a dedicated user to install and run CryptPad in production rather than using the root user.
Clone the CryptPad repository
git clone https://github.com/xwiki-labs/cryptpad.git cryptpad
cd cryptpad npm install bower install
Copy the example configuration
cd cryptpad/config cp config.example.js config.js
Please read the configuration file, and modify variables as needed. The domains are particulalry important.
The server can now be started with
cd cryptpad node server
The instance is now ready to run but cannot yet be accessed from the internet.
In production you may want to run CryptPad as a daemon that restarts automatically.
Save the example as
Make necessary adjustments (e.g. user name, path, nodejs version)
Enable the service at startup with
systemctl enable cryptpad.
You need two domains to take full advantage of CryptPad’s security features.
The main domain on which users access your instance
A “sandbox” domain or subdomain to which a set of restrictive Content-Security Policy headers are applied
The intent of this system is to limit the risk of Cross-Site Scripting (XSS) vulnerabilities allowing attackers to leak user data. Sensitive computation (like the processing of cryptographic keys) is handled on the main domain, while the user-interface is implemented on the sandbox domain.
The example Nginx configuration file includes the relevant headers to enable the sandboxing system, however, you must configure your instance correctly for it to be effective. You will need:
two domains or subdomains
to include both domains in
cryptpad/config/config.jsas described in Configure CryptPad
to generate one SSL certificate that covers both domains. The development team uses acme.sh and this is reflected in the example config.
to correctly assign both domains and certificates to the relevant variables in the example Nginx configuration
Using CryptPad in production without the sandboxing system may put users’ information at risk.
The development team is not aware of any third-party configurations (Apache, HAProxy, Lighttpd) that correctly implement the recommended settings. Use them at your own (and your users’) risk!
Install and configure Nginx¶
In a production environment, the development team recommends Nginx for the following reasons:
Protect traffic with SSL (so your users can reach your instance via HTTPS)
Scale to many more users by serving static content with a more scalable web-server instead of the single-threaded NodeJS web-server that is built-in
Allow the application server to focus exclusively on handling websocket connections
CryptPad cannot run in a subfolder. Make sure you configure your server to access it through the root domain or a subdomain.
Note that the version of Nginx distributed by your operating system may
not support websockets. The recommended minimum version to serve
To configure Nginx for CryptPad:
Copy the CryptPad example Nginx config file so that it is used/imported by the main Nginx config, for example by placing it in
Edit the configuration file with the correct domains and paths to certificates.
openssl dhparam -out /etc/nginx/dhparam.pem 4096if you haven’t done so already on the host machine.
Static assets and pages such as
https://cryptpad.yourdomain.com/index.html should now be accessible
at the main domain.
To finalise the installation, ensure
contains at least:
The correct domains:
The main domain in place of:
The Sandbox domain in place of:
An administrator email (appears on the Contact page) in place of:
CryptPad provides a diagnostics page that runs instance configuration
completing all of the steps above to ensure everything is correctly
Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
Copy their public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
Paste this key in
cryptpad/config/config.jsin the following array (uncomment and replace the placeholder):
adminKeys: [ "[firstname.lastname@example.org/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", ],
Configure support mailbox¶
Version 4.6.0 and later¶
Since version 4.6 the support mailbox can be configured from the Administration panel.
With an instance administrator account, visit the
Click Generate Support Keys
The support mailbox is now active
Flush the cache to access the mailbox: General tab > Flush HTTP Cache
To allow other administrators to access the support mailbox:
Copy the key at the bottom of the support page
Send it to another administrator account
They can use the Add private key field on the support page to gain access to the support mailbox
If the support mailbox is configured through the admin panel, any configuration using the old method detailed below is ignored.
Versions older than 4.6.0¶
To enable the encrypted support ticket system, use the
Add the public key into the
supportMailboxPublicKeyfield of the configuration file
Copy the private key in the support section of the control panel (after setting up an administrator account). This private key is the same for all administrator accounts that want to access support.
Once the steps above are complete, many day-to-day administration tasks such as support and monitoring can be done in the administration panel.