[{"data":1,"prerenderedAt":5486},["ShallowReactive",2],{"blog-raspberry-pi-private-encrypted-cloud":3,"blog-siblings-raspberry-pi-private-encrypted-cloud":1264},{"id":4,"title":5,"author":6,"body":7,"category":1246,"date":1247,"description":1248,"draft":1249,"extension":1250,"image":1251,"meta":1252,"navigation":1253,"path":1254,"seo":1255,"stem":1256,"tags":1257,"__hash__":1263},"blog\u002Fblog\u002Fraspberry-pi-private-encrypted-cloud.md","Turn Your Raspberry Pi Into a Private, Encrypted Cloud Storage Server","Hoodik Team",{"type":8,"value":9,"toc":1221},"minimark",[10,14,19,22,25,28,31,34,37,41,44,73,76,81,84,153,156,160,163,167,170,173,177,180,184,187,190,193,197,200,212,215,219,222,230,234,237,241,244,276,279,309,312,378,381,385,388,393,399,402,407,410,413,419,423,426,429,481,484,488,491,583,590,594,600,711,714,728,741,747,751,754,757,772,779,787,794,797,871,878,882,885,891,894,957,960,979,985,989,998,1071,1078,1085,1089,1092,1170,1173,1177,1180,1188,1191,1194,1197,1201,1204,1207,1217],[11,12,13],"p",{},"You just got a Raspberry Pi. Or maybe you've had one for a while, and it's been sitting in a drawer since that initial burst of enthusiasm wore off. Either way, you're looking at this little single-board computer and thinking: \"What should I actually do with this thing?\"",[15,16,18],"h2",{"id":17},"the-classic-raspberry-pi-projects-and-why-most-gather-dust","The Classic Raspberry Pi Projects (And Why Most Gather Dust)",[11,20,21],{},"The usual suspects all have the same problem: after the initial setup, they fade into the background.",[11,23,24],{},"Pi-hole is genuinely useful — configure your router to use it as DNS and ads disappear across your whole network. But it takes about 20 minutes to set up, then runs silently forever. Your Pi becomes a $50 DNS server touching maybe 1% of its capabilities.",[11,26,27],{},"A media server sounds great until a Pi tries to transcode a video and struggles. 
You end up needing files pre-encoded in the right format, which defeats half the convenience. Streaming services have also made the local media library workflow less compelling for most people.",[11,29,30],{},"Retro gaming (RetroPie) is a fun weekend project. Then it sits there because SNES games are harder to actually sit down and play than they seem in theory.",[11,32,33],{},"Home automation is useful if you're already deep into smart home hardware, but it's a rabbit hole with no bottom and a lot of frustrating edge cases.",[11,35,36],{},"All of these are fine. The problem is that none of them solve something you run into every day. A private encrypted cloud does.",[15,38,40],{"id":39},"why-a-raspberry-pi-is-perfect-for-cloud-storage","Why a Raspberry Pi Is Perfect for Cloud Storage",[11,42,43],{},"Think about what cloud storage actually needs from hardware:",[45,46,47,55,61,67],"ul",{},[48,49,50,54],"li",{},[51,52,53],"strong",{},"Always on"," — your files should be accessible whenever you need them",[48,56,57,60],{},[51,58,59],{},"Network connected"," — needs to serve files over your local network or the internet",[48,62,63,66],{},[51,64,65],{},"Decent storage I\u002FO"," — needs to read and write files without painful delays",[48,68,69,72],{},[51,70,71],{},"Low power consumption"," — running 24\u002F7 shouldn't cost a fortune in electricity",[11,74,75],{},"A Raspberry Pi checks every box.",[77,78,80],"h3",{"id":79},"its-always-on-for-pennies","It's Always On (For Pennies)",[11,82,83],{},"A Raspberry Pi 4 or 5 consumes about 3-7 watts under typical load. 
The cost of running it 24\u002F7:",[85,86,87,103],"table",{},[88,89,90],"thead",{},[91,92,93,97,100],"tr",{},[94,95,96],"th",{},"Device",[94,98,99],{},"Typical Power Draw",[94,101,102],{},"Annual Cost (at $0.15\u002FkWh)",[104,105,106,120,131,142],"tbody",{},[91,107,108,112,115],{},[109,110,111],"td",{},"Raspberry Pi 4\u002F5",[109,113,114],{},"5W average",[109,116,117],{},[51,118,119],{},"$6.57\u002Fyear",[91,121,122,125,128],{},[109,123,124],{},"Old laptop as server",[109,126,127],{},"30-50W",[109,129,130],{},"$39-66\u002Fyear",[91,132,133,136,139],{},[109,134,135],{},"Desktop PC as server",[109,137,138],{},"80-150W",[109,140,141],{},"$105-197\u002Fyear",[91,143,144,147,150],{},[109,145,146],{},"NAS device (2-bay)",[109,148,149],{},"15-25W",[109,151,152],{},"$20-33\u002Fyear",[11,154,155],{},"Under $7 per year in electricity for a 24\u002F7 cloud server. Leave a desktop running instead and you'd spend more on electricity than a cloud storage subscription.",[77,157,159],{"id":158},"just-enough-power","Just Enough Power",[11,161,162],{},"A Raspberry Pi 5 has a quad-core ARM Cortex-A76 processor and up to 8GB of RAM — vastly more than a cloud storage server needs. Hoodik uses about 20MB of RAM for its server process. The Pi's gigabit Ethernet and USB 3.0 ports give you plenty of bandwidth; you'll saturate your internet upload speed long before you saturate the Pi's local I\u002FO.",[77,164,166],{"id":165},"what-about-performance","What About Performance?",[11,168,169],{},"The Pi handles documents, photos, and music collections without issue — uploads and downloads are fast, browsing is responsive, and 2-5 simultaneous users is no problem. Large video files work too, just limited by your network speed rather than the Pi.",[11,171,172],{},"Where it gets slow is directory listings with 10,000+ files, and it's not the right tool if you need video transcoding or 50+ simultaneous heavy transfers. 
For a household or small team storing everyday files, it's more than capable.",[15,174,176],{"id":175},"before-you-start-hardware-setup-tips","Before You Start: Hardware Setup Tips",[11,178,179],{},"A few hardware decisions make a significant difference in reliability and performance for an always-on server.",[77,181,183],{"id":182},"use-a-usb-ssd-not-the-sd-card","Use a USB SSD, Not the SD Card",[11,185,186],{},"This is the single most important hardware decision. SD cards are designed for cameras and phones — they wear out quickly under the constant read\u002Fwrite patterns of a server, and when they fail they often fail corrupted. An SSD connected via USB 3.0 is 10-20x faster for random I\u002FO, far more durable under continuous use, and you won't lose data to a corrupted card.",[11,188,189],{},"A 256GB USB SSD costs about $25-35. A 1TB model is $60-80. This is where your files live, so it's not the place to cut corners.",[11,191,192],{},"You can still boot from the SD card and mount the SSD for data, or (better) configure the Pi to boot directly from the USB SSD. The Raspberry Pi 4 and 5 both support USB boot natively.",[77,194,196],{"id":195},"go-headless","Go Headless",[11,198,199],{},"You don't need a monitor, keyboard, or mouse connected to a server. Set up your Pi headless from the start:",[201,202,203,206,209],"ol",{},[48,204,205],{},"Flash Raspberry Pi OS Lite (no desktop environment — saves resources)",[48,207,208],{},"Enable SSH during the flashing process (Raspberry Pi Imager makes this easy)",[48,210,211],{},"Connect via SSH from your laptop\u002Fdesktop",[11,213,214],{},"This frees up all the Pi's resources for actually serving files instead of rendering a desktop nobody's looking at.",[77,216,218],{"id":217},"set-a-static-ip","Set a Static IP",[11,220,221],{},"Your router assigns dynamic IPs by default, which means your Pi's address might change after a reboot. 
For a server you want to reliably connect to, assign it a static IP either through your router's DHCP reservation settings or in the Pi's network configuration.",[11,223,224,225,229],{},"Pick something memorable like ",[226,227,228],"code",{},"192.168.1.50"," and you'll always know where your cloud is.",[77,231,233],{"id":232},"consider-a-ups-optional-but-smart","Consider a UPS (Optional But Smart)",[11,235,236],{},"A small USB UPS (like a PiSugar or similar) costs about $30 and gives your Pi a few minutes of battery backup during power outages. This prevents SD card\u002FSSD corruption from sudden power loss — the Pi can shut down gracefully instead of just dying mid-write.",[15,238,240],{"id":239},"what-youre-building","What You're Building",[11,242,243],{},"This is a proper home server setup — the same architecture you'd end up with if you got serious about self-hosting, running on a $60 board. The full stack:",[45,245,246,252,258,264,270],{},[48,247,248,251],{},[51,249,250],{},"Docker + Portainer"," — container management with a nice web UI",[48,253,254,257],{},[51,255,256],{},"Pi-hole"," — network-wide ad blocker + local DNS resolver",[48,259,260,263],{},[51,261,262],{},"Caddy"," — reverse proxy with automatic TLS certificates",[48,265,266,269],{},[51,267,268],{},"Cloudflare Tunnel"," — secure external access without opening ports",[48,271,272,275],{},[51,273,274],{},"Hoodik"," — your private, end-to-end encrypted cloud storage",[11,277,278],{},"When it's all running you get:",[45,280,281,284,287,290,293,296,299,306],{},[48,282,283],{},"A private cloud accessible from any browser, phone, or tablet — at home and away",[48,285,286],{},"End-to-end encryption: files are encrypted on your device before upload, the Pi only stores ciphertext",[48,288,289],{},"Multi-user support with no per-user fees — set up accounts for family members",[48,291,292],{},"Public link sharing with expiration dates and optional password protection",[48,294,295],{},"Built-in rich text 
editor for encrypted notes with full-text search",[48,297,298],{},"Mobile apps for Android and iOS",[48,300,301,302,305],{},"A clean URL like ",[226,303,304],{},"cloud.yourdomain.com"," that works everywhere",[48,307,308],{},"Network-wide ad blocking thrown in for free",[11,310,311],{},"The total hardware cost:",[85,313,314,324],{},[88,315,316],{},[91,317,318,321],{},[94,319,320],{},"Component",[94,322,323],{},"Cost",[104,325,326,334,342,350,358,366],{},[91,327,328,331],{},[109,329,330],{},"Raspberry Pi 5 (4GB)",[109,332,333],{},"$60",[91,335,336,339],{},[109,337,338],{},"USB-C power supply",[109,340,341],{},"$12",[91,343,344,347],{},[109,345,346],{},"512GB USB SSD",[109,348,349],{},"$40",[91,351,352,355],{},[109,353,354],{},"MicroSD card (for initial setup)",[109,356,357],{},"$8",[91,359,360,363],{},[109,361,362],{},"Case with passive cooling",[109,364,365],{},"$10",[91,367,368,373],{},[109,369,370],{},[51,371,372],{},"Total",[109,374,375],{},[51,376,377],{},"~$130",[11,379,380],{},"That's a one-time cost. You'll need a domain name (around $10\u002Fyear) and a free Cloudflare account for the tunnel. No monthly subscriptions beyond that.",[15,382,384],{"id":383},"the-architecture-how-it-all-fits-together","The Architecture (How It All Fits Together)",[11,386,387],{},"Worth understanding before you start installing things, because the pieces connect in a way that's actually elegant — and it's the same pattern real homelabs use at any scale:",[11,389,390],{},[51,391,392],{},"When you're at home (WiFi or wired):",[11,394,395,396,398],{},"Your device → Pi-hole DNS (resolves ",[226,397,304],{}," to Pi's local IP) → Caddy reverse proxy → Hoodik",[11,400,401],{},"Traffic never leaves your local network. 
It's fast, direct, and the TLS certificate from Caddy keeps everything encrypted even on your LAN.",[11,403,404],{},[51,405,406],{},"When you're away from home:",[11,408,409],{},"Your device → Cloudflare's network → Cloudflare Tunnel → Caddy reverse proxy → Hoodik",[11,411,412],{},"Cloudflare tunnels the traffic straight into your Pi. No ports opened on your router. No exposing your home IP address. Cloudflare handles TLS on their end, your Caddy handles TLS internally, and Hoodik generates its own self-signed cert for the last hop — but that's fine for local network traffic between the reverse proxy and Hoodik.",[11,414,415,416,418],{},"The result: one URL (",[226,417,304],{},") works whether you're on your couch or across the world. At home it resolves locally and never touches the internet. Away from home it routes through Cloudflare with a bit more latency, but the same interface.",[15,420,422],{"id":421},"step-1-base-setup","Step 1: Base Setup",[11,424,425],{},"Flash Raspberry Pi OS Lite on your Pi, enable SSH, boot it up, and connect via SSH. 
Use a USB SSD for storage (see the hardware tips above).",[11,427,428],{},"Install Docker:",[430,431,436],"pre",{"className":432,"code":433,"language":434,"meta":435,"style":435},"language-bash shiki shiki-themes github-light github-dark","curl -fsSL https:\u002F\u002Fget.docker.com | sh\nsudo usermod -aG docker $USER\n","bash","",[226,437,438,462],{"__ignoreMap":435},[439,440,443,447,451,455,459],"span",{"class":441,"line":442},"line",1,[439,444,446],{"class":445},"sScJk","curl",[439,448,450],{"class":449},"sj4cs"," -fsSL",[439,452,454],{"class":453},"sZZnC"," https:\u002F\u002Fget.docker.com",[439,456,458],{"class":457},"szBVR"," |",[439,460,461],{"class":445}," sh\n",[439,463,465,468,471,474,477],{"class":441,"line":464},2,[439,466,467],{"class":445},"sudo",[439,469,470],{"class":453}," usermod",[439,472,473],{"class":449}," -aG",[439,475,476],{"class":453}," docker",[439,478,480],{"class":479},"sVt8B"," $USER\n",[11,482,483],{},"Log out and back in so the Docker group takes effect.",[15,485,487],{"id":486},"step-2-portainer-docker-management-ui","Step 2: Portainer (Docker Management UI)",[11,489,490],{},"Portainer gives you a web UI to manage all your containers. 
You'll thank yourself later when you want to check logs or restart something without SSH-ing in.",[430,492,494],{"className":432,"code":493,"language":434,"meta":435,"style":435},"docker volume create portainer_data\ndocker run -d \\\n  --name portainer \\\n  --restart unless-stopped \\\n  -p 9443:9443 \\\n  -v \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock \\\n  -v portainer_data:\u002Fdata \\\n  portainer\u002Fportainer-ce:latest\n",[226,495,496,510,523,534,545,556,567,577],{"__ignoreMap":435},[439,497,498,501,504,507],{"class":441,"line":442},[439,499,500],{"class":445},"docker",[439,502,503],{"class":453}," volume",[439,505,506],{"class":453}," create",[439,508,509],{"class":453}," portainer_data\n",[439,511,512,514,517,520],{"class":441,"line":464},[439,513,500],{"class":445},[439,515,516],{"class":453}," run",[439,518,519],{"class":449}," -d",[439,521,522],{"class":449}," \\\n",[439,524,526,529,532],{"class":441,"line":525},3,[439,527,528],{"class":449},"  --name",[439,530,531],{"class":453}," portainer",[439,533,522],{"class":449},[439,535,537,540,543],{"class":441,"line":536},4,[439,538,539],{"class":449},"  --restart",[439,541,542],{"class":453}," unless-stopped",[439,544,522],{"class":449},[439,546,548,551,554],{"class":441,"line":547},5,[439,549,550],{"class":449},"  -p",[439,552,553],{"class":453}," 9443:9443",[439,555,522],{"class":449},[439,557,559,562,565],{"class":441,"line":558},6,[439,560,561],{"class":449},"  -v",[439,563,564],{"class":453}," \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock",[439,566,522],{"class":449},[439,568,570,572,575],{"class":441,"line":569},7,[439,571,561],{"class":449},[439,573,574],{"class":453}," portainer_data:\u002Fdata",[439,576,522],{"class":449},[439,578,580],{"class":441,"line":579},8,[439,581,582],{"class":453},"  portainer\u002Fportainer-ce:latest\n",[11,584,585,586,589],{},"Visit ",[226,587,588],{},"https:\u002F\u002Fyour-pi-ip:9443"," and set up your admin 
account. From here on, you can manage everything through Portainer's UI if you prefer — but we'll use command line for the initial setup since it's easier to follow.",[15,591,593],{"id":592},"step-3-pi-hole-ad-blocking-local-dns","Step 3: Pi-hole (Ad Blocking + Local DNS)",[11,595,596,597,599],{},"Pi-hole blocks ads across your entire network and — crucially for our setup — will handle local DNS resolution so ",[226,598,304],{}," points to your Pi's local IP when you're at home.",[430,601,603],{"className":432,"code":602,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name pihole \\\n  --restart unless-stopped \\\n  --cap-add NET_ADMIN \\\n  -p 53:53\u002Ftcp -p 53:53\u002Fudp \\\n  -p 8080:80 \\\n  -e TZ='Europe\u002FBerlin' \\\n  -e WEBPASSWORD='your-pihole-password' \\\n  -v pihole_etc:\u002Fetc\u002Fpihole \\\n  -v pihole_dnsmasq:\u002Fetc\u002Fdnsmasq.d \\\n  pihole\u002Fpihole:latest\n",[226,604,605,615,624,632,642,657,666,676,685,695,705],{"__ignoreMap":435},[439,606,607,609,611,613],{"class":441,"line":442},[439,608,500],{"class":445},[439,610,516],{"class":453},[439,612,519],{"class":449},[439,614,522],{"class":449},[439,616,617,619,622],{"class":441,"line":464},[439,618,528],{"class":449},[439,620,621],{"class":453}," pihole",[439,623,522],{"class":449},[439,625,626,628,630],{"class":441,"line":525},[439,627,539],{"class":449},[439,629,542],{"class":453},[439,631,522],{"class":449},[439,633,634,637,640],{"class":441,"line":536},[439,635,636],{"class":449},"  --cap-add",[439,638,639],{"class":453}," NET_ADMIN",[439,641,522],{"class":449},[439,643,644,646,649,652,655],{"class":441,"line":547},[439,645,550],{"class":449},[439,647,648],{"class":453}," 53:53\u002Ftcp",[439,650,651],{"class":449}," -p",[439,653,654],{"class":453}," 53:53\u002Fudp",[439,656,522],{"class":449},[439,658,659,661,664],{"class":441,"line":558},[439,660,550],{"class":449},[439,662,663],{"class":453}," 
8080:80",[439,665,522],{"class":449},[439,667,668,671,674],{"class":441,"line":569},[439,669,670],{"class":449},"  -e",[439,672,673],{"class":453}," TZ='Europe\u002FBerlin'",[439,675,522],{"class":449},[439,677,678,680,683],{"class":441,"line":579},[439,679,670],{"class":449},[439,681,682],{"class":453}," WEBPASSWORD='your-pihole-password'",[439,684,522],{"class":449},[439,686,688,690,693],{"class":441,"line":687},9,[439,689,561],{"class":449},[439,691,692],{"class":453}," pihole_etc:\u002Fetc\u002Fpihole",[439,694,522],{"class":449},[439,696,698,700,703],{"class":441,"line":697},10,[439,699,561],{"class":449},[439,701,702],{"class":453}," pihole_dnsmasq:\u002Fetc\u002Fdnsmasq.d",[439,704,522],{"class":449},[439,706,708],{"class":441,"line":707},11,[439,709,710],{"class":453},"  pihole\u002Fpihole:latest\n",[11,712,713],{},"After it starts, configure your router to use the Pi's IP as the primary DNS server. This routes all DNS queries through Pi-hole — ads disappear and you get local DNS control.",[11,715,716,719,720,723,724,727],{},[51,717,718],{},"Add local DNS entry:"," Open Pi-hole's admin panel at ",[226,721,722],{},"http:\u002F\u002Fyour-pi-ip:8080\u002Fadmin",", go to ",[51,725,726],{},"Local DNS → DNS Records",", and add:",[45,729,730,735],{},[48,731,732,733],{},"Domain: ",[226,734,304],{},[48,736,737,738,740],{},"IP: your Pi's local IP (e.g., ",[226,739,228],{},")",[11,742,743,744,746],{},"Now every device on your network will resolve ",[226,745,304],{}," to the Pi directly — no internet roundtrip.",[15,748,750],{"id":749},"step-4-caddy-reverse-proxy-with-auto-tls","Step 4: Caddy (Reverse Proxy with Auto-TLS)",[11,752,753],{},"Caddy is a modern reverse proxy that automatically obtains and renews TLS certificates. 
It's simpler than nginx and handles HTTPS out of the box.",[11,755,756],{},"Create a Caddyfile:",[430,758,760],{"className":432,"code":759,"language":434,"meta":435,"style":435},"mkdir -p \u002Fopt\u002Fcaddy\n",[226,761,762],{"__ignoreMap":435},[439,763,764,767,769],{"class":441,"line":442},[439,765,766],{"class":445},"mkdir",[439,768,651],{"class":449},[439,770,771],{"class":453}," \u002Fopt\u002Fcaddy\n",[11,773,774,775,778],{},"Create the file ",[226,776,777],{},"\u002Fopt\u002Fcaddy\u002FCaddyfile"," with:",[430,780,785],{"className":781,"code":783,"language":784},[782],"language-text","cloud.yourdomain.com {\n    reverse_proxy localhost:5443 {\n        transport http {\n            tls_insecure_skip_verify\n        }\n    }\n}\n","text",[226,786,783],{"__ignoreMap":435},[11,788,789,790,793],{},"The ",[226,791,792],{},"tls_insecure_skip_verify"," is needed because Hoodik generates a self-signed certificate. Caddy handles the real TLS certificate that your browser sees — the connection between Caddy and Hoodik is on localhost anyway, so the self-signed cert just keeps the internal hop encrypted.",[11,795,796],{},"Run Caddy:",[430,798,800],{"className":432,"code":799,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name caddy \\\n  --restart unless-stopped \\\n  --network host \\\n  -v \u002Fopt\u002Fcaddy\u002FCaddyfile:\u002Fetc\u002Fcaddy\u002FCaddyfile \\\n  -v caddy_data:\u002Fdata \\\n  -v caddy_config:\u002Fconfig \\\n  caddy:latest\n",[226,801,802,812,821,829,839,848,857,866],{"__ignoreMap":435},[439,803,804,806,808,810],{"class":441,"line":442},[439,805,500],{"class":445},[439,807,516],{"class":453},[439,809,519],{"class":449},[439,811,522],{"class":449},[439,813,814,816,819],{"class":441,"line":464},[439,815,528],{"class":449},[439,817,818],{"class":453}," 
caddy",[439,820,522],{"class":449},[439,822,823,825,827],{"class":441,"line":525},[439,824,539],{"class":449},[439,826,542],{"class":453},[439,828,522],{"class":449},[439,830,831,834,837],{"class":441,"line":536},[439,832,833],{"class":449},"  --network",[439,835,836],{"class":453}," host",[439,838,522],{"class":449},[439,840,841,843,846],{"class":441,"line":547},[439,842,561],{"class":449},[439,844,845],{"class":453}," \u002Fopt\u002Fcaddy\u002FCaddyfile:\u002Fetc\u002Fcaddy\u002FCaddyfile",[439,847,522],{"class":449},[439,849,850,852,855],{"class":441,"line":558},[439,851,561],{"class":449},[439,853,854],{"class":453}," caddy_data:\u002Fdata",[439,856,522],{"class":449},[439,858,859,861,864],{"class":441,"line":569},[439,860,561],{"class":449},[439,862,863],{"class":453}," caddy_config:\u002Fconfig",[439,865,522],{"class":449},[439,867,868],{"class":441,"line":579},[439,869,870],{"class":453},"  caddy:latest\n",[11,872,873,874,877],{},"We use ",[226,875,876],{},"--network host"," so Caddy can reach Hoodik on localhost:5443 and bind to ports 80\u002F443 directly.",[15,879,881],{"id":880},"step-5-cloudflare-tunnel-external-access","Step 5: Cloudflare Tunnel (External Access)",[11,883,884],{},"This is the magic piece. Cloudflare Tunnel creates a secure outbound connection from your Pi to Cloudflare's network — no incoming ports needed, no exposing your home IP.",[11,886,887,890],{},[51,888,889],{},"Prerequisites:"," You need a domain on Cloudflare (free plan works). Go to Cloudflare dashboard → Zero Trust → Networks → Tunnels → Create a tunnel.",[11,892,893],{},"Cloudflare will give you a tunnel token. 
Run:",[430,895,897],{"className":432,"code":896,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name cloudflare-tunnel \\\n  --restart unless-stopped \\\n  --network host \\\n  cloudflare\u002Fcloudflared:latest \\\n  tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN\n",[226,898,899,909,918,926,934,941],{"__ignoreMap":435},[439,900,901,903,905,907],{"class":441,"line":442},[439,902,500],{"class":445},[439,904,516],{"class":453},[439,906,519],{"class":449},[439,908,522],{"class":449},[439,910,911,913,916],{"class":441,"line":464},[439,912,528],{"class":449},[439,914,915],{"class":453}," cloudflare-tunnel",[439,917,522],{"class":449},[439,919,920,922,924],{"class":441,"line":525},[439,921,539],{"class":449},[439,923,542],{"class":453},[439,925,522],{"class":449},[439,927,928,930,932],{"class":441,"line":536},[439,929,833],{"class":449},[439,931,836],{"class":453},[439,933,522],{"class":449},[439,935,936,939],{"class":441,"line":547},[439,937,938],{"class":453},"  cloudflare\u002Fcloudflared:latest",[439,940,522],{"class":449},[439,942,943,946,949,951,954],{"class":441,"line":558},[439,944,945],{"class":453},"  tunnel",[439,947,948],{"class":449}," --no-autoupdate",[439,950,516],{"class":453},[439,952,953],{"class":449}," --token",[439,955,956],{"class":453}," YOUR_TUNNEL_TOKEN\n",[11,958,959],{},"In the Cloudflare dashboard, configure the tunnel's public hostname:",[45,961,962,968,973],{},[48,963,964,965],{},"Subdomain: ",[226,966,967],{},"cloud",[48,969,732,970],{},[226,971,972],{},"yourdomain.com",[48,974,975,976],{},"Service: ",[226,977,978],{},"https:\u002F\u002Flocalhost:443",[11,980,981,982,984],{},"Now ",[226,983,304],{}," is accessible from anywhere in the world, tunneled securely through Cloudflare to your Pi's Caddy instance.",[15,986,988],{"id":987},"step-6-hoodik-your-encrypted-cloud","Step 6: Hoodik (Your Encrypted Cloud)",[11,990,991,992,997],{},"The final piece. 
The full setup details are in our ",[993,994,996],"a",{"href":995},"\u002Fget-started","getting started guide",", but here's the command:",[430,999,1001],{"className":432,"code":1000,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name hoodik \\\n  --restart unless-stopped \\\n  -e DATA_DIR='\u002Fdata' \\\n  -e APP_URL='https:\u002F\u002Fcloud.yourdomain.com' \\\n  -v \u002Fmnt\u002Fssd\u002Fhoodik:\u002Fdata \\\n  -p 5443:5443 \\\n  hudik\u002Fhoodik:latest\n",[226,1002,1003,1013,1022,1030,1039,1048,1057,1066],{"__ignoreMap":435},[439,1004,1005,1007,1009,1011],{"class":441,"line":442},[439,1006,500],{"class":445},[439,1008,516],{"class":453},[439,1010,519],{"class":449},[439,1012,522],{"class":449},[439,1014,1015,1017,1020],{"class":441,"line":464},[439,1016,528],{"class":449},[439,1018,1019],{"class":453}," hoodik",[439,1021,522],{"class":449},[439,1023,1024,1026,1028],{"class":441,"line":525},[439,1025,539],{"class":449},[439,1027,542],{"class":453},[439,1029,522],{"class":449},[439,1031,1032,1034,1037],{"class":441,"line":536},[439,1033,670],{"class":449},[439,1035,1036],{"class":453}," DATA_DIR='\u002Fdata'",[439,1038,522],{"class":449},[439,1040,1041,1043,1046],{"class":441,"line":547},[439,1042,670],{"class":449},[439,1044,1045],{"class":453}," APP_URL='https:\u002F\u002Fcloud.yourdomain.com'",[439,1047,522],{"class":449},[439,1049,1050,1052,1055],{"class":441,"line":558},[439,1051,561],{"class":449},[439,1053,1054],{"class":453}," \u002Fmnt\u002Fssd\u002Fhoodik:\u002Fdata",[439,1056,522],{"class":449},[439,1058,1059,1061,1064],{"class":441,"line":569},[439,1060,550],{"class":449},[439,1062,1063],{"class":453}," 5443:5443",[439,1065,522],{"class":449},[439,1067,1068],{"class":441,"line":579},[439,1069,1070],{"class":453},"  hudik\u002Fhoodik:latest\n",[11,1072,1073,1074,1077],{},"Point the data volume (",[226,1075,1076],{},"\u002Fmnt\u002Fssd\u002Fhoodik",") at your USB SSD.",[11,1079,1080,1081,1084],{},"Open 
",[226,1082,1083],{},"https:\u002F\u002Fcloud.yourdomain.com"," — you should see Hoodik's registration page. The first account becomes admin. Your encryption keys are generated right in your browser — the Pi never sees them.",[15,1086,1088],{"id":1087},"the-finished-setup","The Finished Setup",[11,1090,1091],{},"You now have a full home server running on a $130 Raspberry Pi:",[85,1093,1094,1107],{},[88,1095,1096],{},[91,1097,1098,1101,1104],{},[94,1099,1100],{},"Service",[94,1102,1103],{},"What it does",[94,1105,1106],{},"Port",[104,1108,1109,1122,1134,1146,1158],{},[91,1110,1111,1116,1119],{},[109,1112,1113],{},[51,1114,1115],{},"Portainer",[109,1117,1118],{},"Container management UI",[109,1120,1121],{},"9443",[91,1123,1124,1128,1131],{},[109,1125,1126],{},[51,1127,256],{},[109,1129,1130],{},"Ad blocking + local DNS",[109,1132,1133],{},"53, 8080",[91,1135,1136,1140,1143],{},[109,1137,1138],{},[51,1139,262],{},[109,1141,1142],{},"Reverse proxy, auto-TLS",[109,1144,1145],{},"80, 443",[91,1147,1148,1152,1155],{},[109,1149,1150],{},[51,1151,268],{},[109,1153,1154],{},"External access",[109,1156,1157],{},"outbound only",[91,1159,1160,1164,1167],{},[109,1161,1162],{},[51,1163,274],{},[109,1165,1166],{},"Encrypted cloud storage",[109,1168,1169],{},"5443 (internal)",[11,1171,1172],{},"All of this uses maybe 200-300MB of RAM and barely tickles the Pi's CPU. You have headroom for more services later.",[15,1174,1176],{"id":1175},"growing-beyond-the-pi","Growing Beyond the Pi",[11,1178,1179],{},"This setup is a real homelab foundation. When you outgrow the Pi — if you start adding more services, more users, or more storage — the migration path is natural.",[11,1181,1182,1183,1187],{},"Need more storage? Add an S3 backend like Backblaze B2. Your Pi still runs Hoodik, but the encrypted chunks live in the cloud. 
There's a ",[993,1184,1186],{"href":1185},"\u002Fblog\u002Fbackblaze-b2-hoodik-unlimited-encrypted-storage","B2 setup guide"," for exactly this.",[11,1189,1190],{},"Need more compute? The Docker containers move to a mini PC, an old laptop, or a NAS like Unraid without any architectural changes.",[11,1192,1193],{},"Going full homelab? Proxmox for VMs, a proper rack, a UniFi router handling DNS instead of Pi-hole — the architecture stays the same. Reverse proxy in front, services behind it, tunnel for external access. Just bigger hardware.",[11,1195,1196],{},"You're not locked into the Pi. It's a starting point that teaches you the patterns used by serious homelabs, and everything you learn here scales up.",[15,1198,1200],{"id":1199},"a-pi-project-that-keeps-giving","A Pi Project That Keeps Giving",[11,1202,1203],{},"Unlike retro gaming (fun for a weekend) or a media server (limited by transcoding), this setup gets daily use. Every photo you take, every document you want to keep private — it all has a home that you control.",[11,1205,1206],{},"The whole stack just sits there, quietly serving your files, blocking ads, and handling TLS. 
It draws less power than a nightlight and cost less than a nice dinner out.",[11,1208,1209,1210,1212,1213,1216],{},"Check out the ",[993,1211,996],{"href":995}," for more details on Hoodik's configuration, or the ",[993,1214,1215],{"href":1185},"Backblaze B2 guide"," if you want virtually unlimited storage on top of your Pi setup.",[1218,1219,1220],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":435,"searchDepth":464,"depth":464,"links":1222},[1223,1224,1229,1235,1236,1237,1238,1239,1240,1241,1242,1243,1244,1245],{"id":17,"depth":464,"text":18},{"id":39,"depth":464,"text":40,"children":1225},[1226,1227,1228],{"id":79,"depth":525,"text":80},{"id":158,"depth":525,"text":159},{"id":165,"depth":525,"text":166},{"id":175,"depth":464,"text":176,"children":1230},[1231,1232,1233,1234],{"id":182,"depth":525,"text":183},{"id":195,"depth":525,"text":196},{"id":217,"depth":525,"text":218},{"id":232,"depth":525,"text":233},{"id":239,"depth":464,"text":240},{"id":383,"depth":464,"text":384},{"id":421,"depth":464,"text":422},{"id":486,"depth":464,"text":487},{"id":592,"depth":464,"text":593},{"id":749,"depth":464,"text":750},{"id":880,"depth":464,"text":881},{"id":987,"depth":464,"text":988},{"id":1087,"depth":464,"text":1088},{"id":1175,"depth":464,"text":1176},{"id":1199,"depth":464,"text":1200},"Guides","2026-04-12","Your Raspberry Pi deserves a project that actually solves a problem. 
Here's how to turn it into a private, end-to-end encrypted cloud storage server.",false,"md","\u002Fimages\u002Fscreenshot.png",{},true,"\u002Fblog\u002Fraspberry-pi-private-encrypted-cloud",{"title":5,"description":1248},"blog\u002Fraspberry-pi-private-encrypted-cloud",[1258,1259,1260,500,1261,1262],"raspberry pi","self-hosted","cloud storage","privacy","NAS","C2ikMhwqrPCe4opByt5bCdXCjnP_UxWVenZVt2ecdVQ",[1265,1580,2426,2794,3433,4339,4534,5262],{"id":1266,"title":1267,"author":6,"body":1268,"category":1566,"date":1247,"description":1567,"draft":1249,"extension":1250,"image":1251,"meta":1568,"navigation":1253,"path":1569,"seo":1570,"stem":1571,"tags":1572,"__hash__":1579},"blog\u002Fblog\u002Faegis-128l-hardware-accelerated-encryption.md","AEGIS-128L: Why Hoodik Uses the Fastest Modern Cipher",{"type":8,"value":1269,"toc":1556},[1270,1274,1277,1280,1284,1287,1290,1301,1304,1307,1311,1318,1324,1330,1336,1339,1346,1350,1353,1364,1367,1370,1373,1434,1437,1441,1444,1450,1456,1462,1468,1471,1475,1478,1483,1488,1494,1498,1501,1504,1507,1511,1514,1540,1543,1547,1550,1553],[1271,1272,1267],"h1",{"id":1273},"aegis-128l-why-hoodik-uses-the-fastest-modern-cipher",[11,1275,1276],{},"When you're encrypting and decrypting every file that passes through your storage system, the speed of your cipher matters. Not in a theoretical \"shave off a few microseconds\" way, but in a practical \"can I upload a 4 GB video without my browser tab freezing\" way.",[11,1278,1279],{},"That's why Hoodik uses AEGIS-128L as its default cipher. It's a modern authenticated encryption algorithm that's 2-4x faster than the industry-standard AES-256-GCM on any CPU made in the last decade -- and it does this while providing equivalent (or stronger) security guarantees. 
Here's what that means in plain language.",[15,1281,1283],{"id":1282},"the-speed-problem-with-file-encryption","The Speed Problem with File Encryption",[11,1285,1286],{},"End-to-end encryption for cloud storage means every file gets encrypted on your device before upload, and decrypted on your device after download. The server never touches plaintext.",[11,1288,1289],{},"This sounds simple, but consider what happens when you upload a large file:",[201,1291,1292,1295,1298],{},[48,1293,1294],{},"Your browser reads the file from disk",[48,1296,1297],{},"It encrypts every byte of that file",[48,1299,1300],{},"It uploads the encrypted result",[11,1302,1303],{},"Steps 1 and 3 are limited by your disk speed and internet connection. Step 2 is limited by how fast your CPU can run the encryption algorithm. If the cipher is slow, it becomes the bottleneck. Your gigabit internet and NVMe SSD sit idle while your CPU churns through encryption.",[11,1305,1306],{},"With AES-256-GCM (the most common choice), a modern laptop encrypts at roughly 2-4 GB\u002Fs. That's decent. But AEGIS-128L on the same hardware hits 8-16 GB\u002Fs. For a 4 GB video file, that's the difference between 1-2 seconds of encryption time and under half a second.",[15,1308,1310],{"id":1309},"what-is-aegis-128l","What is AEGIS-128L?",[11,1312,1313,1314,1317],{},"AEGIS-128L is an ",[51,1315,1316],{},"AEAD cipher"," (Authenticated Encryption with Associated Data).",[11,1319,1320,1323],{},[51,1321,1322],{},"Authenticated"," means every encrypted message includes a tag that proves it hasn't been tampered with. If even a single bit of the ciphertext is changed, decryption fails rather than producing garbled output. 
This prevents an attacker from subtly modifying your encrypted files.",[11,1325,1326,1329],{},[51,1327,1328],{},"Encryption"," is the obvious part -- it turns plaintext into ciphertext that's indistinguishable from random noise.",[11,1331,1332,1335],{},[51,1333,1334],{},"Associated Data"," lets you bind unencrypted metadata (like a file ID or chunk number) to the ciphertext. The metadata isn't hidden, but it is authenticated -- an attacker can't swap one encrypted chunk for another without detection.",[11,1337,1338],{},"AEGIS was designed by Hongjun Wu and Bart Mennink. It was a finalist in the CAESAR competition (a multi-year effort to identify next-generation authenticated ciphers, concluded in 2019), where it was selected for the high-performance use case profile. It has since been standardized through the IETF process.",[11,1340,1341,1342,1345],{},"The key insight in AEGIS-128L's design: it uses the ",[51,1343,1344],{},"AES round function"," as its core building block, but arranges it differently than AES-GCM does. Where AES-GCM processes one block at a time through a chain of AES rounds, AEGIS-128L maintains a larger internal state (8 AES blocks) and processes two blocks of input simultaneously. This means it can do more useful work per clock cycle.",[15,1347,1349],{"id":1348},"why-its-so-fast","Why It's So Fast",[11,1351,1352],{},"AEGIS-128L's speed comes from exploiting hardware that already exists in your CPU.",[11,1354,1355,1356,1359,1360,1363],{},"Since 2010, virtually every x86 CPU (Intel and AMD) has included ",[51,1357,1358],{},"AES-NI"," -- dedicated hardware instructions for computing AES rounds. 
These are incredibly fast: a single AES round instruction (",[226,1361,1362],{},"AESENC",") achieves roughly 1-cycle throughput on modern pipelined hardware.",[11,1365,1366],{},"AES-GCM uses these instructions, but it's limited by how many AES rounds it needs per block of data (10 rounds for AES-128, 14 for AES-256), plus it needs a separate GCM multiplication for authentication.",[11,1368,1369],{},"AEGIS-128L uses fewer AES round operations per byte of input because of its wider state. It processes 32 bytes of plaintext per step by applying the AES round function 8 times across its internal state, allowing CPU instruction-level pipelining. The authentication is built into the same structure -- no separate step needed. The result: more data encrypted per clock cycle.",[11,1371,1372],{},"Here's a rough comparison on a modern laptop (Intel 12th gen or AMD Zen 3+):",[85,1374,1375,1388],{},[88,1376,1377],{},[91,1378,1379,1382,1385],{},[94,1380,1381],{},"Cipher",[94,1383,1384],{},"Speed",[94,1386,1387],{},"Notes",[104,1389,1390,1401,1412,1423],{},[91,1391,1392,1395,1398],{},[109,1393,1394],{},"AES-256-GCM",[109,1396,1397],{},"~3 GB\u002Fs",[109,1399,1400],{},"Industry standard, well-trusted",[91,1402,1403,1406,1409],{},[109,1404,1405],{},"AES-128-GCM",[109,1407,1408],{},"~4 GB\u002Fs",[109,1410,1411],{},"Faster due to fewer rounds",[91,1413,1414,1417,1420],{},[109,1415,1416],{},"ChaCha20-Poly1305",[109,1418,1419],{},"~2 GB\u002Fs",[109,1421,1422],{},"No AES-NI needed",[91,1424,1425,1428,1431],{},[109,1426,1427],{},"AEGIS-128L",[109,1429,1430],{},"~10 GB\u002Fs",[109,1432,1433],{},"Same AES-NI hardware, better utilization",[11,1435,1436],{},"AEGIS-128L typically achieves 2-4x the throughput of AES-256-GCM on the same CPU.",[15,1438,1440],{"id":1439},"what-about-security","What About Security?",[11,1442,1443],{},"Speed is meaningless if the cipher is weak. 
So how does AEGIS-128L compare on security?",[11,1445,1446,1449],{},[51,1447,1448],{},"Key size",": 128 bits, providing 128-bit security against brute force. 128-bit keys are already computationally infeasible to break -- 2^128 operations would take longer than the age of the universe on all computers ever built, running simultaneously. 256-bit keys guard against quantum computers running Grover's algorithm, which halves effective key length, but AEGIS-256 exists for that scenario.",[11,1451,1452,1455],{},[51,1453,1454],{},"Nonce size",": 128 bits (vs. 96 bits for AES-GCM). A larger nonce means less risk of nonce reuse, which is the primary way GCM-based ciphers can catastrophically fail in practice.",[11,1457,1458,1461],{},[51,1459,1460],{},"Authentication tag",": 128 bits (256-bit tags are also defined in the spec). Hoodik uses the 128-bit tag. The tag proves data integrity -- if anything was modified, decryption fails.",[11,1463,1464,1467],{},[51,1465,1466],{},"Security proofs",": AEGIS-128L has formal security proofs showing it meets standard AEAD security definitions. It's been analyzed extensively since its publication in 2014 and has no known weaknesses.",[11,1469,1470],{},"The one caveat: AEGIS is newer than AES-GCM (which has been standard since 2007). Some organizations require 15+ years of public scrutiny before adopting a cipher. For those use cases, AES-GCM remains perfectly fine. But AEGIS has a decade of analysis with no issues found, backing from respected cryptographers, and IETF standardization.",[15,1472,1474],{"id":1473},"hoodiks-multi-cipher-approach","Hoodik's Multi-Cipher Approach",[11,1476,1477],{},"Not every device has AES-NI. Older phones, some ARM processors, and embedded devices might not have hardware acceleration for AES operations. That's why Hoodik supports multiple ciphers:",[11,1479,1480,1482],{},[51,1481,1427],{}," (default): For any device with AES-NI (virtually all modern x86 CPUs and recent ARM chips with crypto extensions). 
Maximum speed.",[11,1484,1485,1487],{},[51,1486,1416],{},": For devices without AES-NI. ChaCha20 is a software-friendly cipher that's fast even without hardware acceleration. It's the same cipher used in TLS when AES-NI isn't available, and it powers WireGuard VPN. On hardware without AES-NI, ChaCha20 is typically faster than software AES.",[11,1489,1490,1493],{},[51,1491,1492],{},"Ascon-128a",": For constrained devices. Ascon won the NIST Lightweight Cryptography Competition in 2023. It's designed for environments with limited CPU and memory -- think IoT devices and low-power microcontrollers. Not as fast as AEGIS on powerful hardware, but efficient where resources are scarce.",[15,1495,1497],{"id":1496},"forward-compatibility","Forward Compatibility",[11,1499,1500],{},"Every encrypted file records which cipher was used to encrypt it, stored in the file's metadata in the database.",[11,1502,1503],{},"Why does this matter? Because ciphers evolve. Five years from now, there might be an even better option. When that happens, Hoodik can adopt the new cipher for new files without breaking access to old ones. 
Your file from 2024 encrypted with AEGIS-128L will still decrypt correctly in 2034, because the system knows exactly which cipher to use.",[11,1505,1506],{},"This also means that if you connect from a device without AES-NI, files can be encrypted with ChaCha20-Poly1305, and they'll decrypt correctly on any device -- each device just needs to support the cipher used for that specific file.",[15,1508,1510],{"id":1509},"what-this-means-in-practice","What This Means in Practice",[11,1512,1513],{},"For day-to-day usage, AEGIS-128L's speed means:",[45,1515,1516,1522,1528,1534],{},[48,1517,1518,1521],{},[51,1519,1520],{},"Large file uploads feel instant"," (the encryption step, at least -- your internet is still the bottleneck for actual transfer)",[48,1523,1524,1527],{},[51,1525,1526],{},"Photo libraries encrypt quickly"," when uploading hundreds of files",[48,1529,1530,1533],{},[51,1531,1532],{},"Browser-based encryption"," is viable even for large files (WASM can't use AES-NI directly, but AEGIS's structure still provides excellent performance in WASM compared to alternatives)",[48,1535,1536,1539],{},[51,1537,1538],{},"Battery life"," on mobile devices is preserved because encryption completes faster, letting the CPU return to idle sooner",[11,1541,1542],{},"The goal of choosing AEGIS-128L isn't to win a benchmark. It's to make end-to-end encryption invisible -- fast enough that you never think about it, never wait for it, and never feel tempted to turn it off for performance reasons.",[15,1544,1546],{"id":1545},"where-this-lands","Where This Lands",[11,1548,1549],{},"AEGIS-128L represents where symmetric cryptography is heading: using existing hardware (AES-NI) more efficiently rather than requiring new instructions. It's standardized, well-analyzed, and dramatically faster than the previous generation of AEAD ciphers.",[11,1551,1552],{},"For Hoodik, it means end-to-end encryption without a performance tax. 
Your files are encrypted with a modern, vetted algorithm that's as fast as your hardware allows -- and if your hardware doesn't support it, the system falls back to the best alternative for your device.",[11,1554,1555],{},"Encryption should be fast enough to forget it's happening. AEGIS-128L gets there.",{"title":435,"searchDepth":464,"depth":464,"links":1557},[1558,1559,1560,1561,1562,1563,1564,1565],{"id":1282,"depth":464,"text":1283},{"id":1309,"depth":464,"text":1310},{"id":1348,"depth":464,"text":1349},{"id":1439,"depth":464,"text":1440},{"id":1473,"depth":464,"text":1474},{"id":1496,"depth":464,"text":1497},{"id":1509,"depth":464,"text":1510},{"id":1545,"depth":464,"text":1546},"Technical","AEGIS-128L is 2-4x faster than AES-256-GCM while providing the same security guarantees. Here's why we chose it and what it means for your file encryption.",{},"\u002Fblog\u002Faegis-128l-hardware-accelerated-encryption",{"title":1267,"description":1567},"blog\u002Faegis-128l-hardware-accelerated-encryption",[1573,1574,1575,1576,1577,1578],"aegis-128l","encryption","aead","aes-ni","cryptography","performance","szLgIWGU6qRwizMYkptYyzmfe5lrApQOrKQESUR_vCQ",{"id":1581,"title":1582,"author":6,"body":1583,"category":1246,"date":1247,"description":2416,"draft":1249,"extension":1250,"image":1251,"meta":2417,"navigation":1253,"path":1185,"seo":2418,"stem":2419,"tags":2420,"__hash__":2425},"blog\u002Fblog\u002Fbackblaze-b2-hoodik-unlimited-encrypted-storage.md","Backblaze B2 + Hoodik: Encrypted Storage at $6\u002FTB",{"type":8,"value":1584,"toc":2400},[1585,1588,1591,1595,1598,1601,1627,1630,1634,1705,1708,1711,1714,1718,1721,1726,1732,1735,1749,1752,1756,1760,1770,1818,1822,1869,1880,1884,1887,2005,2008,2046,2049,2053,2056,2264,2271,2277,2281,2295,2298,2302,2305,2324,2335,2339,2342,2345,2348,2352,2355,2381,2384,2388,2391,2394,2397],[1271,1586,1582],{"id":1587},"backblaze-b2-hoodik-encrypted-storage-at-6tb",[11,1589,1590],{},"Pair Backblaze B2 with Hoodik and you get unlimited 
encrypted cloud storage for a fraction of what Google or Dropbox charges -- with the guarantee that nobody, not even the storage provider, can read your files. B2 handles the cheap, reliable object storage. Hoodik handles the encryption, access control, and user interface. B2 only ever sees encrypted noise.",[15,1592,1594],{"id":1593},"what-is-backblaze-b2","What is Backblaze B2?",[11,1596,1597],{},"Backblaze B2 is an S3-compatible object storage service. Think of it like AWS S3 but dramatically cheaper and simpler. There are no complicated storage tiers, no confusing pricing calculators, no surprise egress fees that bankrupt your side project.",[11,1599,1600],{},"The pricing is straightforward:",[45,1602,1603,1609,1615,1621],{},[48,1604,1605,1608],{},[51,1606,1607],{},"Storage",": $6 per TB per month",[48,1610,1611,1614],{},[51,1612,1613],{},"Downloads",": First 3x your average monthly storage is free per month (store 1 TB, download up to 3 TB\u002Fmonth free)",[48,1616,1617,1620],{},[51,1618,1619],{},"API calls",": First 2,500 class B calls free per day, then $0.004 per 1,000",[48,1622,1623,1626],{},[51,1624,1625],{},"Uploads",": Free",[11,1628,1629],{},"No \"retrieval fees,\" no \"minimum storage duration charges,\" no nickel-and-diming.",[15,1631,1633],{"id":1632},"the-cost-comparison","The Cost Comparison",[85,1635,1636,1651],{},[88,1637,1638],{},[91,1639,1640,1642,1645,1648],{},[94,1641,1607],{},[94,1643,1644],{},"Google One",[94,1646,1647],{},"Dropbox Plus",[94,1649,1650],{},"B2 + Hoodik",[104,1652,1653,1667,1681,1693],{},[91,1654,1655,1658,1661,1664],{},[109,1656,1657],{},"100 GB",[109,1659,1660],{},"$2\u002Fmo",[109,1662,1663],{},"--",[109,1665,1666],{},"$0.60\u002Fmo",[91,1668,1669,1672,1675,1678],{},[109,1670,1671],{},"2 TB",[109,1673,1674],{},"$10\u002Fmo",[109,1676,1677],{},"$12\u002Fmo*",[109,1679,1680],{},"$12\u002Fmo",[91,1682,1683,1686,1688,1690],{},[109,1684,1685],{},"5 
TB",[109,1687,1663],{},[109,1689,1663],{},[109,1691,1692],{},"$30\u002Fmo",[91,1694,1695,1698,1700,1702],{},[109,1696,1697],{},"10 TB",[109,1699,1663],{},[109,1701,1663],{},[109,1703,1704],{},"$60\u002Fmo",[11,1706,1707],{},"*Dropbox Plus includes 2 TB. Google One's consumer plans top out at 2 TB ($10\u002Fmo). Beyond that, pricing varies by plan tier.",[11,1709,1710],{},"Google and Dropbox can read your files. With B2 + Hoodik, files are encrypted before they leave your device -- B2 stores ciphertext. Even if someone compromised your B2 bucket, they'd get meaningless encrypted blobs.",[11,1712,1713],{},"And there's no hard cap. Need 50 TB? That's $300\u002Fmo. Need 100 TB? $600\u002Fmo. You scale linearly without hitting artificial walls.",[15,1715,1717],{"id":1716},"why-this-combination-works","Why This Combination Works",[11,1719,1720],{},"Each piece has a clear job.",[11,1722,1723,1725],{},[51,1724,274],{}," runs on a small server (a $5\u002Fmo VPS works fine -- it uses about 20 MB of RAM). 
It handles user authentication, access control, end-to-end encryption (RSA-2048 + AEGIS-128L), the web interface and API, encrypted file metadata and folder structure, and privacy-preserving search.",[11,1727,1728,1731],{},[51,1729,1730],{},"Backblaze B2"," handles storing the actual encrypted file blobs, with reliable and redundant storage across multiple data centers.",[11,1733,1734],{},"When you upload a file through Hoodik:",[201,1736,1737,1740,1743,1746],{},[48,1738,1739],{},"Your browser encrypts the file with AEGIS-128L",[48,1741,1742],{},"The encrypted data is sent to the Hoodik server",[48,1744,1745],{},"Hoodik streams the ciphertext to your B2 bucket",[48,1747,1748],{},"B2 stores it, having no idea what's inside",[11,1750,1751],{},"The Hoodik server never sees plaintext either -- encryption happens in your browser before the data is transmitted.",[15,1753,1755],{"id":1754},"step-by-step-setup","Step-by-Step Setup",[77,1757,1759],{"id":1758},"_1-create-a-backblaze-b2-bucket","1. Create a Backblaze B2 Bucket",[11,1761,1762,1763,1769],{},"Sign up at ",[993,1764,1768],{"href":1765,"rel":1766},"https:\u002F\u002Fwww.backblaze.com",[1767],"nofollow","backblaze.com"," (if you haven't already), then:",[201,1771,1772,1782,1788,1794,1801,1808],{},[48,1773,1774,1775,1778,1779],{},"Go to ",[51,1776,1777],{},"B2 Cloud Storage"," > ",[51,1780,1781],{},"Buckets",[48,1783,1784,1785],{},"Click ",[51,1786,1787],{},"Create a Bucket",[48,1789,1790,1791],{},"Name it something like ",[226,1792,1793],{},"hoodik-storage",[48,1795,1796,1797,1800],{},"Set it to ",[51,1798,1799],{},"Private"," (very important -- this bucket should never be publicly accessible)",[48,1802,1803,1804,1807],{},"Disable ",[51,1805,1806],{},"Object Lock"," (not needed)",[48,1809,1810,1811,1814,1815,740],{},"Note your bucket name and the ",[51,1812,1813],{},"Endpoint"," URL (looks like ",[226,1816,1817],{},"s3.us-west-004.backblazeb2.com",[77,1819,1821],{"id":1820},"_2-create-application-keys","2. 
Create Application Keys",[201,1823,1824,1832,1837,1843,1849,1859],{},[48,1825,1774,1826,1778,1829],{},[51,1827,1828],{},"Account",[51,1830,1831],{},"Application Keys",[48,1833,1784,1834],{},[51,1835,1836],{},"Add a New Application Key",[48,1838,1839,1840],{},"Give it a name like ",[226,1841,1842],{},"hoodik-access",[48,1844,1845,1846,1848],{},"Restrict it to your ",[226,1847,1793],{}," bucket",[48,1850,1851,1852,1855,1856],{},"Allow both ",[51,1853,1854],{},"Read"," and ",[51,1857,1858],{},"Write",[48,1860,1861,1862,1855,1865,1868],{},"Save the ",[51,1863,1864],{},"keyID",[51,1866,1867],{},"applicationKey"," -- you won't see the application key again",[11,1870,1871,1872,1875,1876,1879],{},"The keyID is your ",[226,1873,1874],{},"AWS_ACCESS_KEY_ID"," and the applicationKey is your ",[226,1877,1878],{},"AWS_SECRET_ACCESS_KEY"," (B2 is S3-compatible, so it uses the same terminology).",[77,1881,1883],{"id":1882},"_3-deploy-hoodik-with-docker","3. Deploy Hoodik with Docker",[11,1885,1886],{},"The docker run command with S3\u002FB2 configuration:",[430,1888,1890],{"className":432,"code":1889,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name hoodik \\\n  -p 5443:5443 \\\n  -e DATA_DIR=\u002Fdata \\\n  -e APP_URL=https:\u002F\u002Fyour-domain.com \\\n  -e STORAGE_PROVIDER=s3 \\\n  -e S3_ENDPOINT=https:\u002F\u002Fs3.us-west-004.backblazeb2.com \\\n  -e S3_REGION=us-west-004 \\\n  -e S3_BUCKET=hoodik-storage \\\n  -e S3_ACCESS_KEY=your-key-id \\\n  -e S3_SECRET_KEY=your-application-key \\\n  -v hoodik_data:\u002Fdata \\\n  
hudik\u002Fhoodik:latest\n",[226,1891,1892,1902,1910,1918,1927,1936,1945,1954,1963,1972,1981,1990,2000],{"__ignoreMap":435},[439,1893,1894,1896,1898,1900],{"class":441,"line":442},[439,1895,500],{"class":445},[439,1897,516],{"class":453},[439,1899,519],{"class":449},[439,1901,522],{"class":449},[439,1903,1904,1906,1908],{"class":441,"line":464},[439,1905,528],{"class":449},[439,1907,1019],{"class":453},[439,1909,522],{"class":449},[439,1911,1912,1914,1916],{"class":441,"line":525},[439,1913,550],{"class":449},[439,1915,1063],{"class":453},[439,1917,522],{"class":449},[439,1919,1920,1922,1925],{"class":441,"line":536},[439,1921,670],{"class":449},[439,1923,1924],{"class":453}," DATA_DIR=\u002Fdata",[439,1926,522],{"class":449},[439,1928,1929,1931,1934],{"class":441,"line":547},[439,1930,670],{"class":449},[439,1932,1933],{"class":453}," APP_URL=https:\u002F\u002Fyour-domain.com",[439,1935,522],{"class":449},[439,1937,1938,1940,1943],{"class":441,"line":558},[439,1939,670],{"class":449},[439,1941,1942],{"class":453}," STORAGE_PROVIDER=s3",[439,1944,522],{"class":449},[439,1946,1947,1949,1952],{"class":441,"line":569},[439,1948,670],{"class":449},[439,1950,1951],{"class":453}," S3_ENDPOINT=https:\u002F\u002Fs3.us-west-004.backblazeb2.com",[439,1953,522],{"class":449},[439,1955,1956,1958,1961],{"class":441,"line":579},[439,1957,670],{"class":449},[439,1959,1960],{"class":453}," S3_REGION=us-west-004",[439,1962,522],{"class":449},[439,1964,1965,1967,1970],{"class":441,"line":687},[439,1966,670],{"class":449},[439,1968,1969],{"class":453}," S3_BUCKET=hoodik-storage",[439,1971,522],{"class":449},[439,1973,1974,1976,1979],{"class":441,"line":697},[439,1975,670],{"class":449},[439,1977,1978],{"class":453}," S3_ACCESS_KEY=your-key-id",[439,1980,522],{"class":449},[439,1982,1983,1985,1988],{"class":441,"line":707},[439,1984,670],{"class":449},[439,1986,1987],{"class":453}," 
S3_SECRET_KEY=your-application-key",[439,1989,522],{"class":449},[439,1991,1993,1995,1998],{"class":441,"line":1992},12,[439,1994,561],{"class":449},[439,1996,1997],{"class":453}," hoodik_data:\u002Fdata",[439,1999,522],{"class":449},[439,2001,2003],{"class":441,"line":2002},13,[439,2004,1070],{"class":453},[11,2006,2007],{},"Replace the values:",[45,2009,2010,2016,2022,2028,2034,2040],{},[48,2011,2012,2015],{},[226,2013,2014],{},"APP_URL",": your server's public URL",[48,2017,2018,2021],{},[226,2019,2020],{},"S3_ENDPOINT",": your B2 bucket's S3 endpoint",[48,2023,2024,2027],{},[226,2025,2026],{},"S3_REGION",": the region from your endpoint URL",[48,2029,2030,2033],{},[226,2031,2032],{},"S3_BUCKET",": your bucket name",[48,2035,2036,2039],{},[226,2037,2038],{},"S3_ACCESS_KEY",": your keyID",[48,2041,2042,2045],{},[226,2043,2044],{},"S3_SECRET_KEY",": your applicationKey",[11,2047,2048],{},"Hoodik will now store all file data in your B2 bucket.",[77,2050,2052],{"id":2051},"_4-using-docker-compose-recommended","4. 
Using Docker Compose (Recommended)",[11,2054,2055],{},"For a production setup, docker-compose is cleaner:",[430,2057,2061],{"className":2058,"code":2059,"language":2060,"meta":435,"style":435},"language-yaml shiki shiki-themes github-light github-dark","version: \"3.8\"\nservices:\n  hoodik:\n    image: hudik\u002Fhoodik:latest\n    container_name: hoodik\n    restart: unless-stopped\n    ports:\n      - \"5443:5443\"\n    environment:\n      DATA_DIR: \u002Fdata\n      APP_URL: https:\u002F\u002Fyour-domain.com\n      STORAGE_PROVIDER: s3\n      S3_ENDPOINT: https:\u002F\u002Fs3.us-west-004.backblazeb2.com\n      S3_REGION: us-west-004\n      S3_BUCKET: hoodik-storage\n      S3_ACCESS_KEY: ${B2_KEY_ID}\n      S3_SECRET_KEY: ${B2_APP_KEY}\n    volumes:\n      - hoodik_data:\u002Fdata\n\nvolumes:\n  hoodik_data:\n","yaml",[226,2062,2063,2075,2083,2090,2100,2110,2120,2127,2135,2142,2152,2162,2172,2182,2193,2204,2215,2226,2234,2242,2248,2256],{"__ignoreMap":435},[439,2064,2065,2069,2072],{"class":441,"line":442},[439,2066,2068],{"class":2067},"s9eBZ","version",[439,2070,2071],{"class":479},": ",[439,2073,2074],{"class":453},"\"3.8\"\n",[439,2076,2077,2080],{"class":441,"line":464},[439,2078,2079],{"class":2067},"services",[439,2081,2082],{"class":479},":\n",[439,2084,2085,2088],{"class":441,"line":525},[439,2086,2087],{"class":2067},"  hoodik",[439,2089,2082],{"class":479},[439,2091,2092,2095,2097],{"class":441,"line":536},[439,2093,2094],{"class":2067},"    image",[439,2096,2071],{"class":479},[439,2098,2099],{"class":453},"hudik\u002Fhoodik:latest\n",[439,2101,2102,2105,2107],{"class":441,"line":547},[439,2103,2104],{"class":2067},"    container_name",[439,2106,2071],{"class":479},[439,2108,2109],{"class":453},"hoodik\n",[439,2111,2112,2115,2117],{"class":441,"line":558},[439,2113,2114],{"class":2067},"    
restart",[439,2116,2071],{"class":479},[439,2118,2119],{"class":453},"unless-stopped\n",[439,2121,2122,2125],{"class":441,"line":569},[439,2123,2124],{"class":2067},"    ports",[439,2126,2082],{"class":479},[439,2128,2129,2132],{"class":441,"line":579},[439,2130,2131],{"class":479},"      - ",[439,2133,2134],{"class":453},"\"5443:5443\"\n",[439,2136,2137,2140],{"class":441,"line":687},[439,2138,2139],{"class":2067},"    environment",[439,2141,2082],{"class":479},[439,2143,2144,2147,2149],{"class":441,"line":697},[439,2145,2146],{"class":2067},"      DATA_DIR",[439,2148,2071],{"class":479},[439,2150,2151],{"class":453},"\u002Fdata\n",[439,2153,2154,2157,2159],{"class":441,"line":707},[439,2155,2156],{"class":2067},"      APP_URL",[439,2158,2071],{"class":479},[439,2160,2161],{"class":453},"https:\u002F\u002Fyour-domain.com\n",[439,2163,2164,2167,2169],{"class":441,"line":1992},[439,2165,2166],{"class":2067},"      STORAGE_PROVIDER",[439,2168,2071],{"class":479},[439,2170,2171],{"class":453},"s3\n",[439,2173,2174,2177,2179],{"class":441,"line":2002},[439,2175,2176],{"class":2067},"      S3_ENDPOINT",[439,2178,2071],{"class":479},[439,2180,2181],{"class":453},"https:\u002F\u002Fs3.us-west-004.backblazeb2.com\n",[439,2183,2185,2188,2190],{"class":441,"line":2184},14,[439,2186,2187],{"class":2067},"      S3_REGION",[439,2189,2071],{"class":479},[439,2191,2192],{"class":453},"us-west-004\n",[439,2194,2196,2199,2201],{"class":441,"line":2195},15,[439,2197,2198],{"class":2067},"      S3_BUCKET",[439,2200,2071],{"class":479},[439,2202,2203],{"class":453},"hoodik-storage\n",[439,2205,2207,2210,2212],{"class":441,"line":2206},16,[439,2208,2209],{"class":2067},"      S3_ACCESS_KEY",[439,2211,2071],{"class":479},[439,2213,2214],{"class":453},"${B2_KEY_ID}\n",[439,2216,2218,2221,2223],{"class":441,"line":2217},17,[439,2219,2220],{"class":2067},"      
S3_SECRET_KEY",[439,2222,2071],{"class":479},[439,2224,2225],{"class":453},"${B2_APP_KEY}\n",[439,2227,2229,2232],{"class":441,"line":2228},18,[439,2230,2231],{"class":2067},"    volumes",[439,2233,2082],{"class":479},[439,2235,2237,2239],{"class":441,"line":2236},19,[439,2238,2131],{"class":479},[439,2240,2241],{"class":453},"hoodik_data:\u002Fdata\n",[439,2243,2245],{"class":441,"line":2244},20,[439,2246,2247],{"emptyLinePlaceholder":1253},"\n",[439,2249,2251,2254],{"class":441,"line":2250},21,[439,2252,2253],{"class":2067},"volumes",[439,2255,2082],{"class":479},[439,2257,2259,2262],{"class":441,"line":2258},22,[439,2260,2261],{"class":2067},"  hoodik_data",[439,2263,2082],{"class":479},[11,2265,2266,2267,2270],{},"Store your B2 credentials in a ",[226,2268,2269],{},".env"," file next to your compose file:",[430,2272,2275],{"className":2273,"code":2274,"language":784},[782],"B2_KEY_ID=your-key-id\nB2_APP_KEY=your-application-key\n",[226,2276,2274],{"__ignoreMap":435},[77,2278,2280],{"id":2279},"_5-verify-its-working","5. 
Verify It's Working",[201,2282,2283,2286,2289,2292],{},[48,2284,2285],{},"Open your Hoodik instance in a browser",[48,2287,2288],{},"Create an account and upload a test file",[48,2290,2291],{},"Go to your B2 bucket in the Backblaze dashboard",[48,2293,2294],{},"You should see new objects appearing -- if you try to download one directly from B2, it'll be unintelligible encrypted data",[11,2296,2297],{},"That last point is the proof: B2 is storing your files, but it has absolutely no idea what they are.",[15,2299,2301],{"id":2300},"already-using-hoodik-with-local-storage","Already Using Hoodik with Local Storage?",[11,2303,2304],{},"If you've been running Hoodik with local disk storage and want to migrate to B2, there's a built-in command for that:",[430,2306,2308],{"className":432,"code":2307,"language":434,"meta":435,"style":435},"docker exec hoodik hoodik migrate-storage\n",[226,2309,2310],{"__ignoreMap":435},[439,2311,2312,2314,2317,2319,2321],{"class":441,"line":442},[439,2313,500],{"class":445},[439,2315,2316],{"class":453}," exec",[439,2318,1019],{"class":453},[439,2320,1019],{"class":453},[439,2322,2323],{"class":453}," migrate-storage\n",[11,2325,2326,2327,2330,2331,2334],{},"This will move all existing file data from your local ",[226,2328,2329],{},"DATA_DIR"," to the configured S3 backend. ",[51,2332,2333],{},"Important:"," Stop the Hoodik server before running the migration to avoid data inconsistencies. If files are being uploaded while chunks are being migrated, some chunks may be missed.",[15,2336,2338],{"id":2337},"bandwidth-considerations","Bandwidth Considerations",[11,2340,2341],{},"B2's free download allowance is generous: you get 3x your average monthly storage in free downloads per month. If you store 1 TB, you can download up to 3 TB per month at no cost. For most personal or small-team use, you'll never pay for bandwidth.",[11,2343,2344],{},"If you do exceed the free tier, downloads are $0.01\u002FGB. 
Still dramatically cheaper than most alternatives.",[11,2346,2347],{},"For context: actively streaming 4K video from your storage all day would be the kind of usage that might generate bandwidth fees. Normal file access -- opening documents, downloading photos, syncing to your phone -- typically stays well within the free allowance.",[15,2349,2351],{"id":2350},"other-s3-compatible-backends","Other S3-Compatible Backends",[11,2353,2354],{},"While this guide focuses on Backblaze B2, Hoodik works with any S3-compatible storage:",[45,2356,2357,2363,2369,2375],{},[48,2358,2359,2362],{},[51,2360,2361],{},"Wasabi",": ~$7\u002FTB\u002Fmo, no egress fees, minimum 1 TB billing, 90-day minimum storage duration",[48,2364,2365,2368],{},[51,2366,2367],{},"AWS S3",": more expensive but global presence",[48,2370,2371,2374],{},[51,2372,2373],{},"MinIO",": self-hosted, zero cost beyond your own hardware",[48,2376,2377,2380],{},[51,2378,2379],{},"Cloudflare R2",": $0.015\u002FGB\u002Fmo, zero egress fees",[11,2382,2383],{},"The setup is identical -- just swap the endpoint, region, bucket, and credentials.",[15,2385,2387],{"id":2386},"why-it-actually-matters","Why It Actually Matters",[11,2389,2390],{},"Saving money is nice, but the more important part is the architecture. You own the encryption keys -- not Backblaze, not Google. B2 stores encrypted blobs with no plaintext metadata; from Backblaze's perspective, your bucket is unreadable noise. Hoodik itself runs on 20 MB of RAM, so a $5\u002Fmo VPS is genuinely sufficient.",[11,2392,2393],{},"Storage scales linearly with no plan upgrades or artificial caps. 
And if Backblaze raises prices or disappears, you swap to Wasabi or MinIO -- your encryption keys and metadata live on your Hoodik server, not the storage backend.",[11,2395,2396],{},"That's the difference between cloud storage and private cloud storage.",[1218,2398,2399],{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .s9eBZ, html code.shiki .s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code .sVt8B, html code.shiki 
.sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":435,"searchDepth":464,"depth":464,"links":2401},[2402,2403,2404,2405,2412,2413,2414,2415],{"id":1593,"depth":464,"text":1594},{"id":1632,"depth":464,"text":1633},{"id":1716,"depth":464,"text":1717},{"id":1754,"depth":464,"text":1755,"children":2406},[2407,2408,2409,2410,2411],{"id":1758,"depth":525,"text":1759},{"id":1820,"depth":525,"text":1821},{"id":1882,"depth":525,"text":1883},{"id":2051,"depth":525,"text":2052},{"id":2279,"depth":525,"text":2280},{"id":2300,"depth":464,"text":2301},{"id":2337,"depth":464,"text":2338},{"id":2350,"depth":464,"text":2351},{"id":2386,"depth":464,"text":2387},"Set up truly private cloud storage with Backblaze B2 and Hoodik. End-to-end encrypted, S3-compatible, and a fraction of the cost of Google Drive.",{},{"title":1582,"description":2416},"blog\u002Fbackblaze-b2-hoodik-unlimited-encrypted-storage",[2421,2422,1259,2423,2424,500],"backblaze b2","s3","tutorial","encrypted storage","St5XjYA03-sKa05rLkaaT0TE8FrNPMZp912AfWANO7I",{"id":2427,"title":2428,"author":6,"body":2429,"category":2783,"date":1247,"description":2784,"draft":1249,"extension":1250,"image":1251,"meta":2785,"navigation":1253,"path":2786,"seo":2787,"stem":2788,"tags":2789,"__hash__":2793},"blog\u002Fblog\u002Fend-to-end-encryption-explained.md","End-to-End Encryption Explained: What It Actually Means for Your Files",{"type":8,"value":2430,"toc":2771},[2431,2434,2437,2441,2444,2450,2456,2459,2462,2466,2469,2472,2479,2496,2499,2503,2506,2509,2512,2516,2523,2526,2540,2543,2547,2553,2603,2606,2609,2613,2620,2623,2640,2643,2647,2650,2680,2683,2687,2692,2695,2700,2703,2708,2711,2715,2718,2738,2741,2745,2748,2765,2768],[11,2432,2433],{},"Every cloud storage provider says they \"encrypt your data.\" It's right there on their marketing page, usually with a padlock icon and a reassuring shade of green. 
That statement is technically true, but it often means something very different from what you'd expect.",[11,2435,2436],{},"Encryption in the context of cloud storage is genuinely nuanced. The algorithm matters far less than who holds the keys — and most providers aren't eager to explain that part.",[15,2438,2440],{"id":2439},"the-locked-box-vs-the-transparent-envelope","The Locked Box vs. The Transparent Envelope",[11,2442,2443],{},"Imagine you need to send a private document to yourself for safekeeping. You have two options:",[11,2445,2446,2449],{},[51,2447,2448],{},"Option A: The Transparent Envelope."," You put your document in a transparent envelope and hand it to a courier service. They promise to put the envelope in a locked warehouse. The document is \"secured\" — the warehouse has guards, cameras, and strong locks. But the courier saw your document. The warehouse workers can see it. Anyone with a master key to the warehouse can read it. You're trusting a lot of people and systems.",[11,2451,2452,2455],{},[51,2453,2454],{},"Option B: The Locked Box."," You put your document in a locked box that only you have the key to, then hand the locked box to the courier. They put it in their warehouse. Nobody — not the courier, not the warehouse workers, not even the warehouse owner — can read your document. They can see that you stored a box. They know how big it is. But the contents are completely opaque to everyone except you.",[11,2457,2458],{},"Most cloud storage providers operate like Option A. They tell you your files are \"encrypted at rest\" and \"encrypted in transit\" — and they are. But the provider holds the keys. They can decrypt your files whenever they want (or whenever they're compelled to).",[11,2460,2461],{},"End-to-end encryption is Option B. You hold the only key. 
The server stores your locked box without ever being able to peek inside.",[15,2463,2465],{"id":2464},"encryption-at-rest-what-it-actually-protects","\"Encryption at Rest\" — What It Actually Protects",[11,2467,2468],{},"When a provider says \"your files are encrypted at rest,\" they mean the physical hard drives in their data center are encrypted. If someone physically steals a hard drive, they can't read the raw data on it.",[11,2470,2471],{},"This protects against one specific threat: physical theft of storage hardware.",[11,2473,2474,2475,2478],{},"It does ",[51,2476,2477],{},"not"," protect against:",[45,2480,2481,2484,2487,2490,2493],{},[48,2482,2483],{},"The company itself reading your files",[48,2485,2486],{},"Employees accessing your data",[48,2488,2489],{},"Government requests or subpoenas",[48,2491,2492],{},"Hackers who gain access to the application layer (where decryption keys are accessible)",[48,2494,2495],{},"Data being used for advertising, AI training, or analytics",[11,2497,2498],{},"The server decrypts your files every time you (or anyone with server access) requests them. The encryption keys sit right next to the encrypted data, managed by the same systems. It's like storing your valuables in a safe but leaving the combination taped to the door.",[15,2500,2502],{"id":2501},"encryption-in-transit-what-that-covers","\"Encryption in Transit\" — What That Covers",[11,2504,2505],{},"\"Encrypted in transit\" means your files are protected while traveling between your device and the server (using TLS\u002FHTTPS). This prevents someone from intercepting your data in flight — like on a coffee shop's WiFi network.",[11,2507,2508],{},"This is important, but it's also the absolute bare minimum. Every website you visit uses HTTPS. Your bank does, your email does, even most spam websites do. It's table stakes, not a differentiator.",[11,2510,2511],{},"Once your data arrives at the server, transit encryption's job is done. 
The server has your data in plaintext and can do whatever it wants with it.",[15,2513,2515],{"id":2514},"end-to-end-encryption-the-key-never-leaves-your-device","End-to-End Encryption: The Key Never Leaves Your Device",[11,2517,2518,2519,2522],{},"End-to-end encryption (E2E) means your data is encrypted ",[51,2520,2521],{},"on your device, before it leaves",". The encrypted data travels to the server. The server stores the encrypted data. When you want your files back, the server sends the encrypted data to your device, and your device decrypts it locally.",[11,2524,2525],{},"At no point does the server have access to:",[45,2527,2528,2531,2534,2537],{},[48,2529,2530],{},"Your unencrypted files",[48,2532,2533],{},"Your encryption keys",[48,2535,2536],{},"Your file names (in properly implemented systems)",[48,2538,2539],{},"Any information about the content of your files",[11,2541,2542],{},"The server is purely a storage medium — like a safety deposit box where even the bank can't see what's inside.",[15,2544,2546],{"id":2545},"who-holds-the-keys-thats-the-whole-question","Who Holds the Keys? 
That's the Whole Question",[11,2548,2549,2550],{},"The simplest way to evaluate any storage provider's encryption claims: ",[51,2551,2552],{},"ask who holds the decryption keys.",[85,2554,2555,2568],{},[88,2556,2557],{},[91,2558,2559,2562,2565],{},[94,2560,2561],{},"Scenario",[94,2563,2564],{},"Who holds the key",[94,2566,2567],{},"What it means",[104,2569,2570,2581,2592],{},[91,2571,2572,2575,2578],{},[109,2573,2574],{},"Encryption at rest",[109,2576,2577],{},"The provider",[109,2579,2580],{},"They can read your files anytime",[91,2582,2583,2586,2589],{},[109,2584,2585],{},"\"Customer-managed keys\"",[109,2587,2588],{},"Usually still the provider's infrastructure",[109,2590,2591],{},"Slightly better, but keys are often accessible to the provider's systems",[91,2593,2594,2597,2600],{},[109,2595,2596],{},"End-to-end encryption",[109,2598,2599],{},"Only you",[109,2601,2602],{},"Nobody else can read your files, period",[11,2604,2605],{},"Some providers offer \"customer-managed keys\" or \"bring your own key\" features. These sound good but often still involve the provider's infrastructure managing or having access to the keys at some point during processing. Read the fine print carefully.",[11,2607,2608],{},"True end-to-end encryption means the keys are generated on your device, live only on your device, and never travel to the server in any form the server can use.",[15,2610,2612],{"id":2611},"zero-knowledge-architecture","Zero-Knowledge Architecture",[11,2614,2615,2616,2619],{},"You might also hear the term \"zero-knowledge\" used alongside E2E encryption. 
This is a stronger claim: it means the server doesn't just lack access to your file contents — it knows essentially ",[51,2617,2618],{},"nothing"," about what you're storing.",[11,2621,2622],{},"In a zero-knowledge system:",[45,2624,2625,2628,2631,2634,2637],{},[48,2626,2627],{},"File names are encrypted before upload",[48,2629,2630],{},"Folder structures are encrypted",[48,2632,2633],{},"File metadata is encrypted",[48,2635,2636],{},"Search happens through privacy-preserving methods (like tokenized, hashed queries)",[48,2638,2639],{},"The server couldn't comply with a data request even if it wanted to, because it genuinely doesn't have the information",[11,2641,2642],{},"This is fundamentally different from a system that encrypts file contents but stores metadata in plaintext. If someone can see that you have a file called \"tax-return-2025.pdf\" in a folder called \"Financial\u002FIRS,\" they've learned something significant about you — even without seeing the file contents.",[15,2644,2646],{"id":2645},"the-technical-side-without-getting-too-deep","The Technical Side (Without Getting Too Deep)",[11,2648,2649],{},"For the curious, here's how a well-implemented E2E encrypted storage system actually works under the hood:",[201,2651,2652,2658,2664,2670],{},[48,2653,2654,2657],{},[51,2655,2656],{},"Account creation:"," Your browser generates a key pair (public key + private key). The private key is encrypted with a key derived from your password and stored on the server. The server has the encrypted private key but cannot decrypt it without your password — which is never sent to the server.",[48,2659,2660,2663],{},[51,2661,2662],{},"File upload:"," Your browser generates a random symmetric encryption key for this specific file. The file is encrypted locally with this key. The symmetric key is then encrypted with your public key. 
Both the encrypted file and the encrypted key are uploaded.",[48,2665,2666,2669],{},[51,2667,2668],{},"File download:"," The server sends you the encrypted file and the encrypted key. Your browser decrypts the key using your private key, then decrypts the file using the symmetric key. All of this happens in your browser — the server just shuffles encrypted bytes around.",[48,2671,2672,2675,2676,2679],{},[51,2673,2674],{},"Sharing via public links:"," When you create a public link, a special link key is generated and placed in the URL fragment (",[226,2677,2678],{},"#key","). This key encrypts the file's symmetric key. When a recipient opens the link, the server uses the link key to decrypt and stream the file — this is a deliberate, scoped tradeoff that protects the actual file encryption key from being publicly exposed. Links can be set to expire, and if you share the URL without the fragment, the recipient must enter the link key manually via a password prompt — giving you control over how the key is distributed.",[11,2681,2682],{},"The server's only job is storage and delivery. For regular file access, it never performs decryption. Public link downloads are the one intentional exception — the server temporarily handles plaintext in memory during the stream to protect the underlying file key from exposure.",[15,2684,2686],{"id":2685},"common-objections-and-honest-answers","Common Objections and Honest Answers",[11,2688,2689],{},[51,2690,2691],{},"\"If I lose my password, I lose my files.\"",[11,2693,2694],{},"Yes. This is the fundamental tradeoff. In a true E2E system, there's no \"forgot password\" button that magically recovers everything, because the server can't decrypt your data to re-encrypt it with a new password. Some systems mitigate this with recovery keys you store separately, but the core principle remains: you are responsible for your keys.",[11,2696,2697],{},[51,2698,2699],{},"\"Isn't this slower?\"",[11,2701,2702],{},"Marginally. 
Modern encryption algorithms (like AEGIS-128L, which uses hardware acceleration on modern processors) add negligible overhead. You won't notice the difference for typical file sizes. For very large files, the overhead is still small — a few percent at most.",[11,2704,2705],{},[51,2706,2707],{},"\"Can I still search my files?\"",[11,2709,2710],{},"Yes, but it requires clever engineering. You can't just search an encrypted index on the server. Privacy-preserving search uses techniques like tokenizing file names, hashing those tokens, and searching the hashes. The server never sees your search terms in plaintext — it just matches hashes. Hoodik even supports full-text search across encrypted notes using the same approach.",[15,2712,2714],{"id":2713},"how-hoodik-implements-this","How Hoodik Implements This",[11,2716,2717],{},"Hoodik is built from the ground up as a zero-knowledge, end-to-end encrypted storage system. Concretely:",[45,2719,2720,2723,2726,2729,2732,2735],{},[48,2721,2722],{},"Key generation happens in your browser using WebCrypto and compiled Rust code (WASM). Your private key is encrypted with a key derived from your password before storage — the server gets the encrypted blob, not the key itself.",[48,2724,2725],{},"Files are encrypted client-side with AEGIS-128L (a modern, hardware-accelerated AEAD cipher) using per-file symmetric keys.",[48,2727,2728],{},"File names and metadata are encrypted before they leave your device.",[48,2730,2731],{},"The server stores only ciphertext — encrypted files, encrypted names, encrypted keys. For regular file access, it has no way to decrypt any of it. (The one exception: public link downloads, where the server uses a link key to stream files to recipients — a deliberate tradeoff to protect the underlying file key.)",[48,2733,2734],{},"Search is privacy-preserving: file names are tokenized with a BERT tokenizer, hashed with SHA256, and only hashes are sent to the server. 
Notes support full-text search through the same mechanism.",[48,2736,2737],{},"RSA-2048 handles asymmetric operations (key wrapping, key exchange).",[11,2739,2740],{},"The server is written in Rust — chosen specifically because memory safety matters enormously when you're handling cryptographic operations. The entire system is open source, so you can verify these claims yourself.",[15,2742,2744],{"id":2743},"evaluating-claims","Evaluating Claims",[11,2746,2747],{},"When a cloud storage provider talks about encryption, don't settle for \"we encrypt your data.\" Ask the harder questions:",[201,2749,2750,2753,2756,2759,2762],{},[48,2751,2752],{},"Who holds the decryption keys?",[48,2754,2755],{},"Can your employees access my files?",[48,2757,2758],{},"What happens when you receive a legal request for my data?",[48,2760,2761],{},"Are file names and metadata also encrypted?",[48,2763,2764],{},"Is the system open source so I can verify the claims?",[11,2766,2767],{},"If the answer to #1 isn't \"only you,\" everything else is window dressing. 
End-to-end encryption isn't just a feature — it's the only architecture that makes the other promises enforceable by math rather than by policy.",[11,2769,2770],{},"Your files should be readable by you, and only you.",{"title":435,"searchDepth":464,"depth":464,"links":2772},[2773,2774,2775,2776,2777,2778,2779,2780,2781,2782],{"id":2439,"depth":464,"text":2440},{"id":2464,"depth":464,"text":2465},{"id":2501,"depth":464,"text":2502},{"id":2514,"depth":464,"text":2515},{"id":2545,"depth":464,"text":2546},{"id":2611,"depth":464,"text":2612},{"id":2645,"depth":464,"text":2646},{"id":2685,"depth":464,"text":2686},{"id":2713,"depth":464,"text":2714},{"id":2743,"depth":464,"text":2744},"Privacy","A clear explanation of end-to-end encryption vs encryption at rest, zero-knowledge architecture, and why who holds the keys matters more than the algorithm.",{},"\u002Fblog\u002Fend-to-end-encryption-explained",{"title":2428,"description":2784},"blog\u002Fend-to-end-encryption-explained",[1574,2790,2791,1261,2792],"end-to-end encryption","zero knowledge","security","sYLom3PT2gChbpr2KjPs9xNiIj4aGAtLCuvn0DQ-QhU",{"id":2795,"title":2796,"author":6,"body":2797,"category":1246,"date":1247,"description":3423,"draft":1249,"extension":1250,"image":1251,"meta":3424,"navigation":1253,"path":3425,"seo":3426,"stem":3427,"tags":3428,"__hash__":3432},"blog\u002Fblog\u002Fleaving-google-drive-migration-guide.md","Leaving Google Drive: A Complete Migration Guide",{"type":8,"value":2798,"toc":3401},[2799,2802,2805,2808,2812,2819,2885,2888,2892,2895,2915,2921,2925,2928,2934,2937,2941,2947,2950,2956,2967,2973,2984,2987,2991,2995,2998,3057,3060,3064,3067,3177,3181,3184,3198,3201,3205,3208,3212,3229,3232,3238,3242,3245,3249,3252,3263,3267,3270,3273,3284,3287,3290,3294,3300,3306,3312,3318,3324,3328,3331,3337,3343,3349,3355,3361,3365,3368,3385,3388,3392,3395,3398],[1271,2800,2796],{"id":2801},"leaving-google-drive-a-complete-migration-guide",[11,2803,2804],{},"You've decided to leave Google Drive. 
Maybe you're tired of Google scanning your files. Maybe you hit the 15 GB free tier limit and don't want to pay $10\u002Fmonth for 2 TB of storage where Google still holds the keys. Maybe you just want to own your data without depending on a company that might lock your account over an automated false positive.",[11,2806,2807],{},"This guide walks you through the full migration without losing anything. It's a planned process: extract everything, set up your new home, and move in at your own pace. Not a \"delete everything and start over\" situation.",[15,2809,2811],{"id":2810},"step-1-export-everything-with-google-takeout","Step 1: Export Everything with Google Takeout",[11,2813,2814,2815,2818],{},"Google provides a tool called ",[51,2816,2817],{},"Takeout"," that lets you export all your data from every Google service. To use it for Drive specifically:",[201,2820,2821,2828,2834,2840,2846,2851,2880],{},[48,2822,1774,2823],{},[993,2824,2827],{"href":2825,"rel":2826},"https:\u002F\u002Ftakeout.google.com",[1767],"takeout.google.com",[48,2829,1784,2830,2833],{},[51,2831,2832],{},"Deselect all"," (by default it selects every Google service)",[48,2835,2836,2837],{},"Scroll down and select only ",[51,2838,2839],{},"Drive",[48,2841,1784,2842,2845],{},[51,2843,2844],{},"All Drive data included"," to verify it's exporting everything (you can exclude specific folders if needed)",[48,2847,1784,2848],{},[51,2849,2850],{},"Next step",[48,2852,2853,2854],{},"Choose your export settings:\n",[45,2855,2856,2862,2868,2874],{},[48,2857,2858,2861],{},[51,2859,2860],{},"Delivery method",": \"Send download link via email\" is simplest",[48,2863,2864,2867],{},[51,2865,2866],{},"Frequency",": \"Export once\"",[48,2869,2870,2873],{},[51,2871,2872],{},"File type",": ZIP",[48,2875,2876,2879],{},[51,2877,2878],{},"File size",": Choose the largest option (50 GB) to minimize the number of split archives",[48,2881,1784,2882],{},[51,2883,2884],{},"Create export",[11,2886,2887],{},"Google will 
process your export and email you download links when it's ready. This can take hours or even days for large accounts -- they're not in a rush to help you leave.",[77,2889,2891],{"id":2890},"what-you-get","What You Get",[11,2893,2894],{},"Your export will be one or more ZIP files containing:",[45,2896,2897,2900,2903,2906,2909,2912],{},[48,2898,2899],{},"All your regular files (PDFs, images, documents, videos) in their original format",[48,2901,2902],{},"Your folder structure preserved as filesystem directories",[48,2904,2905],{},"Google Docs converted to Microsoft Office format (.docx, .xlsx, .pptx) or PDF",[48,2907,2908],{},"Google Sheets as .xlsx files",[48,2910,2911],{},"Google Slides as .pptx files",[48,2913,2914],{},"Google Drawings as .png or .svg",[11,2916,2917,2920],{},[51,2918,2919],{},"Important",": Google's proprietary formats (Docs, Sheets, Slides) don't exist as files -- they're database entries that Google renders as documents. Takeout converts them to equivalent formats. The conversion is usually good, but complex formatting might shift slightly.",[77,2922,2924],{"id":2923},"download-and-extract","Download and Extract",[11,2926,2927],{},"Download all the ZIP files to your computer and extract them. You'll end up with a folder structure like:",[430,2929,2932],{"className":2930,"code":2931,"language":784},[782],"Takeout\u002F\n  Drive\u002F\n    My Drive\u002F\n      Documents\u002F\n        report.pdf\n        notes.docx\n      Photos\u002F\n        vacation-2024\u002F\n          IMG_001.jpg\n          IMG_002.jpg\n      Projects\u002F\n        budget.xlsx\n",[226,2933,2931],{"__ignoreMap":435},[11,2935,2936],{},"Take a moment to browse through it. Make sure everything looks right. 
This is your complete archive -- once you're confident it's all here, you're ready to set up your new storage.",[15,2938,2940],{"id":2939},"step-2-figure-out-your-storage-needs","Step 2: Figure Out Your Storage Needs",[11,2942,2943,2944],{},"Before setting up anything, answer one question: ",[51,2945,2946],{},"how much data do you actually have?",[11,2948,2949],{},"Check the size of your extracted Takeout folder. Then decide where you want to store it:",[11,2951,2952,2955],{},[51,2953,2954],{},"Local disk"," (files stored on your Hoodik server's drive):",[45,2957,2958,2961,2964],{},[48,2959,2960],{},"Best for: small to medium collections (under 500 GB), single-server setups",[48,2962,2963],{},"Cost: just your server hardware\u002FVPS",[48,2965,2966],{},"Simplest to set up",[11,2968,2969,2972],{},[51,2970,2971],{},"S3-compatible storage"," (Backblaze B2, Wasabi, MinIO):",[45,2974,2975,2978,2981],{},[48,2976,2977],{},"Best for: large collections, scalable storage, redundancy",[48,2979,2980],{},"Cost: $6\u002FTB\u002Fmonth with Backblaze B2",[48,2982,2983],{},"Separates your storage from your server",[11,2985,2986],{},"For most people leaving Google Drive's 15 GB free tier or 100 GB plan, local disk on a small VPS is plenty. 
If you're on the 2 TB plan, an S3 backend makes more sense for both cost and reliability.",[15,2988,2990],{"id":2989},"step-3-set-up-hoodik","Step 3: Set Up Hoodik",[77,2992,2994],{"id":2993},"option-a-quick-start-with-docker","Option A: Quick Start with Docker",[11,2996,2997],{},"If you have a server (VPS, Raspberry Pi, NAS, old laptop in a closet), you can have Hoodik running in under a minute:",[430,2999,3001],{"className":432,"code":3000,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name hoodik \\\n  -p 5443:5443 \\\n  -e DATA_DIR=\u002Fdata \\\n  -e APP_URL=https:\u002F\u002Fyour-domain.com \\\n  -v hoodik_data:\u002Fdata \\\n  hudik\u002Fhoodik:latest\n",[226,3002,3003,3013,3021,3029,3037,3045,3053],{"__ignoreMap":435},[439,3004,3005,3007,3009,3011],{"class":441,"line":442},[439,3006,500],{"class":445},[439,3008,516],{"class":453},[439,3010,519],{"class":449},[439,3012,522],{"class":449},[439,3014,3015,3017,3019],{"class":441,"line":464},[439,3016,528],{"class":449},[439,3018,1019],{"class":453},[439,3020,522],{"class":449},[439,3022,3023,3025,3027],{"class":441,"line":525},[439,3024,550],{"class":449},[439,3026,1063],{"class":453},[439,3028,522],{"class":449},[439,3030,3031,3033,3035],{"class":441,"line":536},[439,3032,670],{"class":449},[439,3034,1924],{"class":453},[439,3036,522],{"class":449},[439,3038,3039,3041,3043],{"class":441,"line":547},[439,3040,670],{"class":449},[439,3042,1933],{"class":453},[439,3044,522],{"class":449},[439,3046,3047,3049,3051],{"class":441,"line":558},[439,3048,561],{"class":449},[439,3050,1997],{"class":453},[439,3052,522],{"class":449},[439,3054,3055],{"class":441,"line":569},[439,3056,1070],{"class":453},[11,3058,3059],{},"Hoodik runs with about 20 MB of RAM. 
A $5\u002Fmonth VPS handles it comfortably.",[77,3061,3063],{"id":3062},"option-b-with-s3-storage-backend","Option B: With S3 Storage Backend",[11,3065,3066],{},"If you're using Backblaze B2 or another S3-compatible backend:",[430,3068,3070],{"className":432,"code":3069,"language":434,"meta":435,"style":435},"docker run -d \\\n  --name hoodik \\\n  -p 5443:5443 \\\n  -e DATA_DIR=\u002Fdata \\\n  -e APP_URL=https:\u002F\u002Fyour-domain.com \\\n  -e STORAGE_PROVIDER=s3 \\\n  -e S3_ENDPOINT=https:\u002F\u002Fs3.us-west-004.backblazeb2.com \\\n  -e S3_REGION=us-west-004 \\\n  -e S3_BUCKET=your-bucket-name \\\n  -e S3_ACCESS_KEY=your-key \\\n  -e S3_SECRET_KEY=your-secret \\\n  -v hoodik_data:\u002Fdata \\\n  hudik\u002Fhoodik:latest\n",[226,3071,3072,3082,3090,3098,3106,3114,3122,3130,3138,3147,3156,3165,3173],{"__ignoreMap":435},[439,3073,3074,3076,3078,3080],{"class":441,"line":442},[439,3075,500],{"class":445},[439,3077,516],{"class":453},[439,3079,519],{"class":449},[439,3081,522],{"class":449},[439,3083,3084,3086,3088],{"class":441,"line":464},[439,3085,528],{"class":449},[439,3087,1019],{"class":453},[439,3089,522],{"class":449},[439,3091,3092,3094,3096],{"class":441,"line":525},[439,3093,550],{"class":449},[439,3095,1063],{"class":453},[439,3097,522],{"class":449},[439,3099,3100,3102,3104],{"class":441,"line":536},[439,3101,670],{"class":449},[439,3103,1924],{"class":453},[439,3105,522],{"class":449},[439,3107,3108,3110,3112],{"class":441,"line":547},[439,3109,670],{"class":449},[439,3111,1933],{"class":453},[439,3113,522],{"class":449},[439,3115,3116,3118,3120],{"class":441,"line":558},[439,3117,670],{"class":449},[439,3119,1942],{"class":453},[439,3121,522],{"class":449},[439,3123,3124,3126,3128],{"class":441,"line":569},[439,3125,670],{"class":449},[439,3127,1951],{"class":453},[439,3129,522],{"class":449},[439,3131,3132,3134,3136],{"class":441,"line":579},[439,3133,670],{"class":449},[439,3135,1960],{"class":453},[439,3137,522],{"class":449},[439,3139,3140,3
142,3145],{"class":441,"line":687},[439,3141,670],{"class":449},[439,3143,3144],{"class":453}," S3_BUCKET=your-bucket-name",[439,3146,522],{"class":449},[439,3148,3149,3151,3154],{"class":441,"line":697},[439,3150,670],{"class":449},[439,3152,3153],{"class":453}," S3_ACCESS_KEY=your-key",[439,3155,522],{"class":449},[439,3157,3158,3160,3163],{"class":441,"line":707},[439,3159,670],{"class":449},[439,3161,3162],{"class":453}," S3_SECRET_KEY=your-secret",[439,3164,522],{"class":449},[439,3166,3167,3169,3171],{"class":441,"line":1992},[439,3168,561],{"class":449},[439,3170,1997],{"class":453},[439,3172,522],{"class":449},[439,3174,3175],{"class":441,"line":2002},[439,3176,1070],{"class":453},[77,3178,3180],{"id":3179},"first-account-setup","First Account Setup",[11,3182,3183],{},"Open your Hoodik instance in a browser. The first account you create automatically becomes the admin. During signup:",[201,3185,3186,3189,3192,3195],{},[48,3187,3188],{},"Choose a strong password -- this password (combined with your email) derives your encryption keys",[48,3190,3191],{},"Your browser will generate an RSA-2048 key pair",[48,3193,3194],{},"The private key is encrypted with your password and stored on the server",[48,3196,3197],{},"The server never sees your unencrypted private key",[11,3199,3200],{},"If you lose your password and haven't exported your private key, your files are permanently unrecoverable. This is the tradeoff of real encryption -- there's no \"reset password\" backdoor. 
Write it down somewhere safe.",[15,3202,3204],{"id":3203},"step-4-upload-your-files","Step 4: Upload Your Files",[11,3206,3207],{},"Time to move your data into its new encrypted home.",[77,3209,3211],{"id":3210},"via-the-web-interface","Via the Web Interface",[201,3213,3214,3217,3220,3226],{},[48,3215,3216],{},"Open Hoodik in your browser",[48,3218,3219],{},"Create your folder structure (or just start uploading -- Hoodik preserves folder structure from drag-and-drop)",[48,3221,3222,3225],{},[51,3223,3224],{},"Drag and drop"," folders from your extracted Takeout directory directly into the browser window",[48,3227,3228],{},"Hoodik will encrypt each file in your browser and upload the ciphertext",[11,3230,3231],{},"For large migrations, this is best done on a wired connection. Each file gets encrypted locally before upload, so the process is: read from disk, encrypt in browser, upload encrypted data.",[11,3233,3234,3237],{},[51,3235,3236],{},"Tip",": Do it in batches. Start with your most important folder, verify everything uploaded correctly, then continue with the rest. Don't try to drag 500 GB all at once.",[77,3239,3241],{"id":3240},"via-the-mobile-app","Via the Mobile App",[11,3243,3244],{},"If you've already moved files to your phone, the Hoodik Android\u002FiOS app supports uploading files and photos. The app handles encryption through the same Rust code as the web version (via native FFI), so security is identical.",[77,3246,3248],{"id":3247},"organization-strategy","Organization Strategy",[11,3250,3251],{},"You don't have to replicate your Google Drive structure exactly. 
This is a good time to reorganize:",[45,3253,3254,3257,3260],{},[48,3255,3256],{},"Combine scattered documents into logical folders",[48,3258,3259],{},"Archive old projects you'll rarely access",[48,3261,3262],{},"Create a clear top-level structure (Documents, Photos, Projects, Archive)",[15,3264,3266],{"id":3265},"step-5-invite-your-people","Step 5: Invite Your People",[11,3268,3269],{},"If you shared Google Drive files with family or colleagues, you'll need to bring them along.",[11,3271,3272],{},"Hoodik supports multiple user accounts. As admin, you can:",[201,3274,3275,3278,3281],{},[48,3276,3277],{},"Enable user registration (or create accounts manually)",[48,3279,3280],{},"Create public links (with optional expiration dates and password protection) so anyone can download specific files",[48,3282,3283],{},"Manage storage quotas and user permissions from the admin dashboard",[11,3285,3286],{},"Each user gets their own encryption keys. All encryption happens on the device — the server never sees plaintext data.",[11,3288,3289],{},"Note: sharing files directly between accounts on the same server isn't available yet. Each user's storage is private to them. You can share files externally via public links — these support expiration dates and optional password protection (the link key acts as the password; exclude it from the URL to require manual entry).",[15,3291,3293],{"id":3292},"what-you-gain","What You Gain",[11,3295,3296,3299],{},[51,3297,3298],{},"Real privacy",": Your files are encrypted before they leave your device. The server stores ciphertext. 
Even if someone compromised the server hardware, they'd get meaningless encrypted data.",[11,3301,3302,3305],{},[51,3303,3304],{},"No storage caps",": Whether you use local disk or S3, you're limited only by what you're willing to pay for, not by an arbitrary plan tier.",[11,3307,3308,3311],{},[51,3309,3310],{},"No scanning",": Nobody is running your photos through image classifiers, analyzing your documents for ad targeting, or flagging your files for \"policy violations.\"",[11,3313,3314,3317],{},[51,3315,3316],{},"Control",": You decide what software runs, what gets stored, who has access, and what the rules are. No terms of service that change without notice.",[11,3319,3320,3323],{},[51,3321,3322],{},"Your infrastructure",": Your data lives on hardware you control. If you decide to stop using Hoodik someday, your data and the open source code to decrypt it are both in your hands -- no vendor lock-in.",[15,3325,3327],{"id":3326},"what-you-lose-honestly","What You Lose (Honestly)",[11,3329,3330],{},"It would be dishonest not to mention the tradeoffs:",[11,3332,3333,3336],{},[51,3334,3335],{},"Google Docs collaboration",": Real-time collaborative editing doesn't exist in a zero-knowledge system (the server can't mediate edits it can't read). Hoodik does include a built-in rich text editor for encrypted notes with full-text search — great for personal notes and documentation. But if you depend on multiple people editing the same document simultaneously, you'll need a separate tool for that (like CryptPad for privacy-respecting collaboration, or just sharing Office files).",[11,3338,3339,3342],{},[51,3340,3341],{},"Google-format files",": Those converted .docx and .xlsx files from Takeout work fine in LibreOffice, Microsoft Office, or any standard office suite. But they're no longer \"live\" Google Docs with comment histories and suggestion mode.",[11,3344,3345,3348],{},[51,3346,3347],{},"Zero effort maintenance",": Google Drive just works. 
Self-hosting means keeping a server running, doing occasional updates, and managing backups of your database. It's minimal work (Hoodik is a single Docker container), but it's not zero.",[11,3350,3351,3354],{},[51,3352,3353],{},"Seamless mobile integration",": Google Drive is deeply integrated into Android. Hoodik has dedicated Android and iOS apps that work well, but it's not baked into the OS the way Google's apps are.",[11,3356,3357,3360],{},[51,3358,3359],{},"AI features",": Google's AI-powered search, suggested files, and smart categorization all require reading your files. Privacy and AI convenience are currently at odds.",[15,3362,3364],{"id":3363},"step-6-the-transition-period","Step 6: The Transition Period",[11,3366,3367],{},"Don't delete your Google Drive immediately. Run both systems in parallel for a while:",[201,3369,3370,3373,3376,3379,3382],{},[48,3371,3372],{},"Upload everything to Hoodik",[48,3374,3375],{},"Verify you can access and open all your files",[48,3377,3378],{},"Start using Hoodik for new files",[48,3380,3381],{},"After a month of no issues, start removing data from Google Drive",[48,3383,3384],{},"Eventually, downgrade or close your Google storage plan",[11,3386,3387],{},"This gives you a safety net. If you discover a file didn't export properly or something is missing, you can still grab it from Google.",[15,3389,3391],{"id":3390},"wrapping-up","Wrapping Up",[11,3393,3394],{},"Migrating from Google Drive to self-hosted encrypted storage is less dramatic than it sounds. Export your data (Google makes this easy with Takeout), run a Docker container, drag and drop your files. The whole process takes an afternoon for smaller accounts, or a weekend for larger ones.",[11,3396,3397],{},"The result is cloud storage that works like you'd expect -- files go up, files come down -- but with a fundamental difference: nobody else can read them. 
Not the server, not the storage provider, not an automated scanning system.",[1218,3399,3400],{},"",{"title":435,"searchDepth":464,"depth":464,"links":3402},[3403,3407,3408,3413,3418,3419,3420,3421,3422],{"id":2810,"depth":464,"text":2811,"children":3404},[3405,3406],{"id":2890,"depth":525,"text":2891},{"id":2923,"depth":525,"text":2924},{"id":2939,"depth":464,"text":2940},{"id":2989,"depth":464,"text":2990,"children":3409},[3410,3411,3412],{"id":2993,"depth":525,"text":2994},{"id":3062,"depth":525,"text":3063},{"id":3179,"depth":525,"text":3180},{"id":3203,"depth":464,"text":3204,"children":3414},[3415,3416,3417],{"id":3210,"depth":525,"text":3211},{"id":3240,"depth":525,"text":3241},{"id":3247,"depth":525,"text":3248},{"id":3265,"depth":464,"text":3266},{"id":3292,"depth":464,"text":3293},{"id":3326,"depth":464,"text":3327},{"id":3363,"depth":464,"text":3364},{"id":3390,"depth":464,"text":3391},"Step-by-step guide to exporting your files from Google Drive and migrating to private, self-hosted encrypted storage without losing anything.",{},"\u002Fblog\u002Fleaving-google-drive-migration-guide",{"title":2796,"description":3423},"blog\u002Fleaving-google-drive-migration-guide",[3429,3430,1259,1261,2423,3431],"google drive","migration","google 
takeout","QgMjZ8tchqN0niTU9Us0viMuPo3RYp3DIbBVowUemrs",{"id":4,"title":5,"author":6,"body":3434,"category":1246,"date":1247,"description":1248,"draft":1249,"extension":1250,"image":1251,"meta":4336,"navigation":1253,"path":1254,"seo":4337,"stem":1256,"tags":4338,"__hash__":1263},{"type":8,"value":3435,"toc":4311},[3436,3438,3440,3442,3444,3446,3448,3450,3452,3454,3456,3474,3476,3478,3480,3528,3530,3532,3534,3536,3538,3540,3542,3544,3546,3548,3550,3552,3554,3556,3564,3566,3568,3570,3574,3576,3578,3580,3582,3604,3606,3626,3628,3680,3682,3684,3686,3690,3694,3696,3700,3702,3704,3708,3710,3712,3714,3742,3744,3746,3748,3816,3820,3822,3826,3920,3922,3930,3940,3944,3946,3948,3950,3962,3966,3971,3975,3977,4043,4047,4049,4051,4055,4057,4113,4115,4129,4133,4135,4139,4205,4209,4213,4215,4217,4281,4283,4285,4287,4291,4293,4295,4297,4299,4301,4303,4309],[11,3437,13],{},[15,3439,18],{"id":17},[11,3441,21],{},[11,3443,24],{},[11,3445,27],{},[11,3447,30],{},[11,3449,33],{},[11,3451,36],{},[15,3453,40],{"id":39},[11,3455,43],{},[45,3457,3458,3462,3466,3470],{},[48,3459,3460,54],{},[51,3461,53],{},[48,3463,3464,60],{},[51,3465,59],{},[48,3467,3468,66],{},[51,3469,65],{},[48,3471,3472,72],{},[51,3473,71],{},[11,3475,75],{},[77,3477,80],{"id":79},[11,3479,83],{},[85,3481,3482,3492],{},[88,3483,3484],{},[91,3485,3486,3488,3490],{},[94,3487,96],{},[94,3489,99],{},[94,3491,102],{},[104,3493,3494,3504,3512,3520],{},[91,3495,3496,3498,3500],{},[109,3497,111],{},[109,3499,114],{},[109,3501,3502],{},[51,3503,119],{},[91,3505,3506,3508,3510],{},[109,3507,124],{},[109,3509,127],{},[109,3511,130],{},[91,3513,3514,3516,3518],{},[109,3515,135],{},[109,3517,138],{},[109,3519,141],{},[91,3521,3522,3524,3526],{},[109,3523,146],{},[109,3525,149],{},[109,3527,152],{},[11,3529,155],{},[77,3531,159],{"id":158},[11,3533,162],{},[77,3535,166],{"id":165},[11,3537,169],{},[11,3539,172],{},[15,3541,176],{"id":175},[11,3543,179],{},[77,3545,183],{"id":182},[11,3547,186],{},[11,3549,189],{},[11,3551,192],{},[77,
3553,196],{"id":195},[11,3555,199],{},[201,3557,3558,3560,3562],{},[48,3559,205],{},[48,3561,208],{},[48,3563,211],{},[11,3565,214],{},[77,3567,218],{"id":217},[11,3569,221],{},[11,3571,224,3572,229],{},[226,3573,228],{},[77,3575,233],{"id":232},[11,3577,236],{},[15,3579,240],{"id":239},[11,3581,243],{},[45,3583,3584,3588,3592,3596,3600],{},[48,3585,3586,251],{},[51,3587,250],{},[48,3589,3590,257],{},[51,3591,256],{},[48,3593,3594,263],{},[51,3595,262],{},[48,3597,3598,269],{},[51,3599,268],{},[48,3601,3602,275],{},[51,3603,274],{},[11,3605,278],{},[45,3607,3608,3610,3612,3614,3616,3618,3620,3624],{},[48,3609,283],{},[48,3611,286],{},[48,3613,289],{},[48,3615,292],{},[48,3617,295],{},[48,3619,298],{},[48,3621,301,3622,305],{},[226,3623,304],{},[48,3625,308],{},[11,3627,311],{},[85,3629,3630,3638],{},[88,3631,3632],{},[91,3633,3634,3636],{},[94,3635,320],{},[94,3637,323],{},[104,3639,3640,3646,3652,3658,3664,3670],{},[91,3641,3642,3644],{},[109,3643,330],{},[109,3645,333],{},[91,3647,3648,3650],{},[109,3649,338],{},[109,3651,341],{},[91,3653,3654,3656],{},[109,3655,346],{},[109,3657,349],{},[91,3659,3660,3662],{},[109,3661,354],{},[109,3663,357],{},[91,3665,3666,3668],{},[109,3667,362],{},[109,3669,365],{},[91,3671,3672,3676],{},[109,3673,3674],{},[51,3675,372],{},[109,3677,3678],{},[51,3679,377],{},[11,3681,380],{},[15,3683,384],{"id":383},[11,3685,387],{},[11,3687,3688],{},[51,3689,392],{},[11,3691,395,3692,398],{},[226,3693,304],{},[11,3695,401],{},[11,3697,3698],{},[51,3699,406],{},[11,3701,409],{},[11,3703,412],{},[11,3705,415,3706,418],{},[226,3707,304],{},[15,3709,422],{"id":421},[11,3711,425],{},[11,3713,428],{},[430,3715,3716],{"className":432,"code":433,"language":434,"meta":435,"style":435},[226,3717,3718,3730],{"__ignoreMap":435},[439,3719,3720,3722,3724,3726,3728],{"class":441,"line":442},[439,3721,446],{"class":445},[439,3723,450],{"class":449},[439,3725,454],{"class":453},[439,3727,458],{"class":457},[439,3729,461],{"class":445},[439,3731,3732,3734,373
6,3738,3740],{"class":441,"line":464},[439,3733,467],{"class":445},[439,3735,470],{"class":453},[439,3737,473],{"class":449},[439,3739,476],{"class":453},[439,3741,480],{"class":479},[11,3743,483],{},[15,3745,487],{"id":486},[11,3747,490],{},[430,3749,3750],{"className":432,"code":493,"language":434,"meta":435,"style":435},[226,3751,3752,3762,3772,3780,3788,3796,3804,3812],{"__ignoreMap":435},[439,3753,3754,3756,3758,3760],{"class":441,"line":442},[439,3755,500],{"class":445},[439,3757,503],{"class":453},[439,3759,506],{"class":453},[439,3761,509],{"class":453},[439,3763,3764,3766,3768,3770],{"class":441,"line":464},[439,3765,500],{"class":445},[439,3767,516],{"class":453},[439,3769,519],{"class":449},[439,3771,522],{"class":449},[439,3773,3774,3776,3778],{"class":441,"line":525},[439,3775,528],{"class":449},[439,3777,531],{"class":453},[439,3779,522],{"class":449},[439,3781,3782,3784,3786],{"class":441,"line":536},[439,3783,539],{"class":449},[439,3785,542],{"class":453},[439,3787,522],{"class":449},[439,3789,3790,3792,3794],{"class":441,"line":547},[439,3791,550],{"class":449},[439,3793,553],{"class":453},[439,3795,522],{"class":449},[439,3797,3798,3800,3802],{"class":441,"line":558},[439,3799,561],{"class":449},[439,3801,564],{"class":453},[439,3803,522],{"class":449},[439,3805,3806,3808,3810],{"class":441,"line":569},[439,3807,561],{"class":449},[439,3809,574],{"class":453},[439,3811,522],{"class":449},[439,3813,3814],{"class":441,"line":579},[439,3815,582],{"class":453},[11,3817,585,3818,589],{},[226,3819,588],{},[15,3821,593],{"id":592},[11,3823,596,3824,599],{},[226,3825,304],{},[430,3827,3828],{"className":432,"code":602,"language":434,"meta":435,"style":435},[226,3829,3830,3840,3848,3856,3864,3876,3884,3892,3900,3908,3916],{"__ignoreMap":435},[439,3831,3832,3834,3836,3838],{"class":441,"line":442},[439,3833,500],{"class":445},[439,3835,516],{"class":453},[439,3837,519],{"class":449},[439,3839,522],{"class":449},[439,3841,3842,3844,3846],{"class":441,"line":
464},[439,3843,528],{"class":449},[439,3845,621],{"class":453},[439,3847,522],{"class":449},[439,3849,3850,3852,3854],{"class":441,"line":525},[439,3851,539],{"class":449},[439,3853,542],{"class":453},[439,3855,522],{"class":449},[439,3857,3858,3860,3862],{"class":441,"line":536},[439,3859,636],{"class":449},[439,3861,639],{"class":453},[439,3863,522],{"class":449},[439,3865,3866,3868,3870,3872,3874],{"class":441,"line":547},[439,3867,550],{"class":449},[439,3869,648],{"class":453},[439,3871,651],{"class":449},[439,3873,654],{"class":453},[439,3875,522],{"class":449},[439,3877,3878,3880,3882],{"class":441,"line":558},[439,3879,550],{"class":449},[439,3881,663],{"class":453},[439,3883,522],{"class":449},[439,3885,3886,3888,3890],{"class":441,"line":569},[439,3887,670],{"class":449},[439,3889,673],{"class":453},[439,3891,522],{"class":449},[439,3893,3894,3896,3898],{"class":441,"line":579},[439,3895,670],{"class":449},[439,3897,682],{"class":453},[439,3899,522],{"class":449},[439,3901,3902,3904,3906],{"class":441,"line":687},[439,3903,561],{"class":449},[439,3905,692],{"class":453},[439,3907,522],{"class":449},[439,3909,3910,3912,3914],{"class":441,"line":697},[439,3911,561],{"class":449},[439,3913,702],{"class":453},[439,3915,522],{"class":449},[439,3917,3918],{"class":441,"line":707},[439,3919,710],{"class":453},[11,3921,713],{},[11,3923,3924,719,3926,723,3928,727],{},[51,3925,718],{},[226,3927,722],{},[51,3929,726],{},[45,3931,3932,3936],{},[48,3933,732,3934],{},[226,3935,304],{},[48,3937,737,3938,740],{},[226,3939,228],{},[11,3941,743,3942,746],{},[226,3943,304],{},[15,3945,750],{"id":749},[11,3947,753],{},[11,3949,756],{},[430,3951,3952],{"className":432,"code":759,"language":434,"meta":435,"style":435},[226,3953,3954],{"__ignoreMap":435},[439,3955,3956,3958,3960],{"class":441,"line":442},[439,3957,766],{"class":445},[439,3959,651],{"class":449},[439,3961,771],{"class":453},[11,3963,774,3964,778],{},[226,3965,777],{},[430,3967,3969],{"className":3968,"code":783,"
language":784},[782],[226,3970,783],{"__ignoreMap":435},[11,3972,789,3973,793],{},[226,3974,792],{},[11,3976,796],{},[430,3978,3979],{"className":432,"code":799,"language":434,"meta":435,"style":435},[226,3980,3981,3991,3999,4007,4015,4023,4031,4039],{"__ignoreMap":435},[439,3982,3983,3985,3987,3989],{"class":441,"line":442},[439,3984,500],{"class":445},[439,3986,516],{"class":453},[439,3988,519],{"class":449},[439,3990,522],{"class":449},[439,3992,3993,3995,3997],{"class":441,"line":464},[439,3994,528],{"class":449},[439,3996,818],{"class":453},[439,3998,522],{"class":449},[439,4000,4001,4003,4005],{"class":441,"line":525},[439,4002,539],{"class":449},[439,4004,542],{"class":453},[439,4006,522],{"class":449},[439,4008,4009,4011,4013],{"class":441,"line":536},[439,4010,833],{"class":449},[439,4012,836],{"class":453},[439,4014,522],{"class":449},[439,4016,4017,4019,4021],{"class":441,"line":547},[439,4018,561],{"class":449},[439,4020,845],{"class":453},[439,4022,522],{"class":449},[439,4024,4025,4027,4029],{"class":441,"line":558},[439,4026,561],{"class":449},[439,4028,854],{"class":453},[439,4030,522],{"class":449},[439,4032,4033,4035,4037],{"class":441,"line":569},[439,4034,561],{"class":449},[439,4036,863],{"class":453},[439,4038,522],{"class":449},[439,4040,4041],{"class":441,"line":579},[439,4042,870],{"class":453},[11,4044,873,4045,877],{},[226,4046,876],{},[15,4048,881],{"id":880},[11,4050,884],{},[11,4052,4053,890],{},[51,4054,889],{},[11,4056,893],{},[430,4058,4059],{"className":432,"code":896,"language":434,"meta":435,"style":435},[226,4060,4061,4071,4079,4087,4095,4101],{"__ignoreMap":435},[439,4062,4063,4065,4067,4069],{"class":441,"line":442},[439,4064,500],{"class":445},[439,4066,516],{"class":453},[439,4068,519],{"class":449},[439,4070,522],{"class":449},[439,4072,4073,4075,4077],{"class":441,"line":464},[439,4074,528],{"class":449},[439,4076,915],{"class":453},[439,4078,522],{"class":449},[439,4080,4081,4083,4085],{"class":441,"line":525},[439,4082,53
9],{"class":449},[439,4084,542],{"class":453},[439,4086,522],{"class":449},[439,4088,4089,4091,4093],{"class":441,"line":536},[439,4090,833],{"class":449},[439,4092,836],{"class":453},[439,4094,522],{"class":449},[439,4096,4097,4099],{"class":441,"line":547},[439,4098,938],{"class":453},[439,4100,522],{"class":449},[439,4102,4103,4105,4107,4109,4111],{"class":441,"line":558},[439,4104,945],{"class":453},[439,4106,948],{"class":449},[439,4108,516],{"class":453},[439,4110,953],{"class":449},[439,4112,956],{"class":453},[11,4114,959],{},[45,4116,4117,4121,4125],{},[48,4118,964,4119],{},[226,4120,967],{},[48,4122,732,4123],{},[226,4124,972],{},[48,4126,975,4127],{},[226,4128,978],{},[11,4130,981,4131,984],{},[226,4132,304],{},[15,4134,988],{"id":987},[11,4136,991,4137,997],{},[993,4138,996],{"href":995},[430,4140,4141],{"className":432,"code":1000,"language":434,"meta":435,"style":435},[226,4142,4143,4153,4161,4169,4177,4185,4193,4201],{"__ignoreMap":435},[439,4144,4145,4147,4149,4151],{"class":441,"line":442},[439,4146,500],{"class":445},[439,4148,516],{"class":453},[439,4150,519],{"class":449},[439,4152,522],{"class":449},[439,4154,4155,4157,4159],{"class":441,"line":464},[439,4156,528],{"class":449},[439,4158,1019],{"class":453},[439,4160,522],{"class":449},[439,4162,4163,4165,4167],{"class":441,"line":525},[439,4164,539],{"class":449},[439,4166,542],{"class":453},[439,4168,522],{"class":449},[439,4170,4171,4173,4175],{"class":441,"line":536},[439,4172,670],{"class":449},[439,4174,1036],{"class":453},[439,4176,522],{"class":449},[439,4178,4179,4181,4183],{"class":441,"line":547},[439,4180,670],{"class":449},[439,4182,1045],{"class":453},[439,4184,522],{"class":449},[439,4186,4187,4189,4191],{"class":441,"line":558},[439,4188,561],{"class":449},[439,4190,1054],{"class":453},[439,4192,522],{"class":449},[439,4194,4195,4197,4199],{"class":441,"line":569},[439,4196,550],{"class":449},[439,4198,1063],{"class":453},[439,4200,522],{"class":449},[439,4202,4203],{"class":441,
"line":579},[439,4204,1070],{"class":453},[11,4206,1073,4207,1077],{},[226,4208,1076],{},[11,4210,1080,4211,1084],{},[226,4212,1083],{},[15,4214,1088],{"id":1087},[11,4216,1091],{},[85,4218,4219,4229],{},[88,4220,4221],{},[91,4222,4223,4225,4227],{},[94,4224,1100],{},[94,4226,1103],{},[94,4228,1106],{},[104,4230,4231,4241,4251,4261,4271],{},[91,4232,4233,4237,4239],{},[109,4234,4235],{},[51,4236,1115],{},[109,4238,1118],{},[109,4240,1121],{},[91,4242,4243,4247,4249],{},[109,4244,4245],{},[51,4246,256],{},[109,4248,1130],{},[109,4250,1133],{},[91,4252,4253,4257,4259],{},[109,4254,4255],{},[51,4256,262],{},[109,4258,1142],{},[109,4260,1145],{},[91,4262,4263,4267,4269],{},[109,4264,4265],{},[51,4266,268],{},[109,4268,1154],{},[109,4270,1157],{},[91,4272,4273,4277,4279],{},[109,4274,4275],{},[51,4276,274],{},[109,4278,1166],{},[109,4280,1169],{},[11,4282,1172],{},[15,4284,1176],{"id":1175},[11,4286,1179],{},[11,4288,1182,4289,1187],{},[993,4290,1186],{"href":1185},[11,4292,1190],{},[11,4294,1193],{},[11,4296,1196],{},[15,4298,1200],{"id":1199},[11,4300,1203],{},[11,4302,1206],{},[11,4304,1209,4305,1212,4307,1216],{},[993,4306,996],{"href":995},[993,4308,1215],{"href":1185},[1218,4310,1220],{},{"title":435,"searchDepth":464,"depth":464,"links":4312},[4313,4314,4319,4325,4326,4327,4328,4329,4330,4331,4332,4333,4334,4335],{"id":17,"depth":464,"text":18},{"id":39,"depth":464,"text":40,"children":4315},[4316,4317,4318],{"id":79,"depth":525,"text":80},{"id":158,"depth":525,"text":159},{"id":165,"depth":525,"text":166},{"id":175,"depth":464,"text":176,"children":4320},[4321,4322,4323,4324],{"id":182,"depth":525,"text":183},{"id":195,"depth":525,"text":196},{"id":217,"depth":525,"text":218},{"id":232,"depth":525,"text":233},{"id":239,"depth":464,"text":240},{"id":383,"depth":464,"text":384},{"id":421,"depth":464,"text":422},{"id":486,"depth":464,"text":487},{"id":592,"depth":464,"text":593},{"id":749,"depth":464,"text":750},{"id":880,"depth":464,"text":881},{"id":987,"depth":46
4,"text":988},{"id":1087,"depth":464,"text":1088},{"id":1175,"depth":464,"text":1176},{"id":1199,"depth":464,"text":1200},{},{"title":5,"description":1248},[1258,1259,1260,500,1261,1262],{"id":4340,"title":4341,"author":6,"body":4342,"category":2783,"date":1247,"description":4526,"draft":1249,"extension":1250,"image":1251,"meta":4527,"navigation":1253,"path":4528,"seo":4529,"stem":4530,"tags":4531,"__hash__":4533},"blog\u002Fblog\u002Fself-hosted-cloud-storage-why-it-matters.md","Self-Hosted Cloud Storage: Why Owning Your Data Actually Matters",{"type":8,"value":4343,"toc":4512},[4344,4347,4350,4353,4357,4360,4371,4378,4381,4385,4388,4392,4395,4398,4402,4405,4408,4412,4415,4418,4422,4425,4429,4432,4446,4450,4453,4456,4460,4463,4466,4477,4480,4484,4487,4494,4497,4501,4504,4507],[11,4345,4346],{},"There's a question that more people are starting to ask: \"Where are my files, really?\" Not on your computer — that much is clear. They're on someone else's computer, in someone else's data center, governed by someone else's terms of service.",[11,4348,4349],{},"For most of the last decade, that felt fine. Cloud storage was convenient, cheap, and mostly invisible. But things are shifting. Between high-profile shutdowns, sudden policy changes, and growing awareness about data privacy, the idea of hosting your own files is moving from \"paranoid niche hobby\" to \"reasonable thing a normal person might do.\"",[11,4351,4352],{},"Self-hosting is easier than it used to be — and the reasons to care about it are more concrete than they were a decade ago.",[15,4354,4356],{"id":4355},"what-self-hosting-actually-means","What Self-Hosting Actually Means",[11,4358,4359],{},"Self-hosting means running software on hardware you control. 
That could be:",[45,4361,4362,4365,4368],{},[48,4363,4364],{},"A Raspberry Pi sitting on your desk",[48,4366,4367],{},"An old laptop repurposed as a server",[48,4369,4370],{},"A $4\u002Fmonth virtual private server (VPS) from a provider like Hetzner or DigitalOcean",[11,4372,4373,4374,4377],{},"The key difference from traditional cloud storage: ",[51,4375,4376],{},"you"," decide where the data lives, who can access it, and what happens to it. There's no intermediary making those decisions for you.",[11,4379,4380],{},"This doesn't mean you need to be a Linux wizard or have a server rack in your closet. Modern self-hosted applications come packaged in Docker containers — you run one command, and the software is up and running. We'll get to that in a minute.",[15,4382,4384],{"id":4383},"the-problem-with-someone-elses-cloud","The Problem With Someone Else's Cloud",[11,4386,4387],{},"Centralized cloud storage works great until it doesn't. And when it doesn't, you usually have no recourse.",[77,4389,4391],{"id":4390},"terms-of-service-are-a-moving-target","Terms of Service Are a Moving Target",[11,4393,4394],{},"Remember when Google offered unlimited storage for Google Photos? Then they didn't. Remember when Google Workspace had \"unlimited\" plans for enterprises? Then those became capped plans with reduced storage limits on short notice.",[11,4396,4397],{},"Every major cloud provider has changed their storage terms at some point. And they can — because their terms of service explicitly say they can modify anything, anytime, with minimal notice. You agreed to that when you clicked \"I Accept\" without reading 47 pages of legal text.",[77,4399,4401],{"id":4400},"services-shut-down","Services Shut Down",[11,4403,4404],{},"Google alone has shut down over 250 products. The graveyard includes Google Reader, Google+, Inbox, Stadia, and dozens more. While Google Drive isn't going anywhere tomorrow, smaller providers absolutely do disappear. 
And even with big providers, specific features or tiers get deprecated regularly.",[11,4406,4407],{},"When a service shuts down, you get a migration window — usually a few weeks or months. If you miss it, or if the export format doesn't preserve your folder structure, or if you have terabytes of data and a slow connection... tough luck.",[77,4409,4411],{"id":4410},"government-access-and-legal-requests","Government Access and Legal Requests",[11,4413,4414],{},"This isn't about having something to hide. It's about the principle that your personal files — family photos, financial documents, medical records, private notes — shouldn't be accessible to anyone without your explicit consent.",[11,4416,4417],{},"When your files are on a centralized cloud provider's servers, that provider can be compelled by courts, subpoenas, or national security letters to hand over your data. Sometimes without ever notifying you. This isn't hypothetical — it happens regularly, to ordinary people, often through overly broad legal requests.",[77,4419,4421],{"id":4420},"the-data-mining-question","The Data Mining Question",[11,4423,4424],{},"If you're using a free tier of any cloud service, you should ask yourself how that service makes money. The answer is usually advertising, which is powered by understanding you — your habits, your files, your communications. Even paid tiers often include broad data-use clauses in their terms.",[15,4426,4428],{"id":4427},"what-changes-when-you-self-host","What Changes When You Self-Host",[11,4430,4431],{},"When you run your own storage server, the dynamic shifts in a few concrete ways:",[45,4433,4434,4437,4440,4443],{},[48,4435,4436],{},"Nobody can change your storage limits overnight or deprecate your account tier. Terms of service changes don't apply to software you run yourself.",[48,4438,4439],{},"Your server runs until you decide to turn it off. 
No migration windows, no export scrambles.",[48,4441,4442],{},"Your files aren't on someone else's infrastructure where they could be accessed without your knowledge — no third-party access, no data mining, no AI training on your documents.",[48,4444,4445],{},"You own the backup strategy. The data lives in a storage directory and a database — standard backup tools work on both, and you decide the redundancy level.",[15,4447,4449],{"id":4448},"self-hosting-used-to-be-hard","Self-Hosting Used to Be Hard",[11,4451,4452],{},"Historically, self-hosting storage meant wrestling with FTP servers, Samba shares, or complex groupware suites. Configuration files with hundreds of options. Separate databases to manage. SSL certificates to manually renew. Updates that broke things.",[11,4454,4455],{},"That's no longer true.",[15,4457,4459],{"id":4458},"one-docker-container","One Docker Container",[11,4461,4462],{},"Modern self-hosted storage can be as simple as running a single Docker container. No complex multi-service setups, no external databases to manage, no deep Linux expertise required.",[11,4464,4465],{},"A minimal setup today:",[201,4467,4468,4471,4474],{},[48,4469,4470],{},"Get a machine (Raspberry Pi, old computer, cheap VPS — anything with Docker)",[48,4472,4473],{},"Run one container",[48,4475,4476],{},"Open it in your browser",[11,4478,4479],{},"You have a private cloud storage system running on hardware you control. The resource requirements have dropped dramatically too — 20MB of RAM for the server process, not gigabytes, not even hundreds of megabytes. Even the cheapest VPS or an old Raspberry Pi handles it comfortably.",[15,4481,4483],{"id":4482},"but-what-about-security","But What About Security?",[11,4485,4486],{},"Self-hosting alone doesn't solve the security problem — it just moves it. 
If your self-hosted server stores files in plaintext, anyone who compromises that server sees everything.",[11,4488,4489,4490,4493],{},"That's why the best self-hosted solutions add end-to-end encryption on top. This means your files are encrypted ",[51,4491,4492],{},"before"," they leave your device, and the server only ever stores encrypted data. Even if someone gains access to the server itself — through a vulnerability, physical access, or a legal demand — all they get is encrypted noise.",[11,4495,4496],{},"The encryption keys live in your browser or on your phone. The server never has them for regular file access. This is what \"zero-knowledge\" architecture means: the server genuinely cannot read your data. (The one deliberate exception is public link downloads, where the server temporarily decrypts in memory to stream files to recipients without exposing the underlying file key.)",[15,4498,4500],{"id":4499},"getting-started","Getting Started",[11,4502,4503],{},"If this sounds appealing, the barrier to entry is lower than you'd think. Hoodik is a self-hosted, end-to-end encrypted cloud storage system that runs as a single Docker container. It uses about 20MB of RAM, handles multiple users, includes a rich text editor for encrypted notes with full-text search, and encrypts everything client-side with RSA-2048 and AEGIS-128L before it touches the server.",[11,4505,4506],{},"You can run it on a Raspberry Pi, an old computer, or a $3.50\u002Fmonth VPS. 
Setup takes about 10 minutes if you already have Docker installed.",[11,4508,1209,4509,4511],{},[993,4510,996],{"href":995}," to set up your own private, encrypted cloud in minutes — hardware you control, files only you can read.",{"title":435,"searchDepth":464,"depth":464,"links":4513},[4514,4515,4521,4522,4523,4524,4525],{"id":4355,"depth":464,"text":4356},{"id":4383,"depth":464,"text":4384,"children":4516},[4517,4518,4519,4520],{"id":4390,"depth":525,"text":4391},{"id":4400,"depth":525,"text":4401},{"id":4410,"depth":525,"text":4411},{"id":4420,"depth":525,"text":4421},{"id":4427,"depth":464,"text":4428},{"id":4448,"depth":464,"text":4449},{"id":4458,"depth":464,"text":4459},{"id":4482,"depth":464,"text":4483},{"id":4499,"depth":464,"text":4500},"What self-hosted cloud storage means, why it matters for privacy, and how to take control of your files without becoming a sysadmin.",{},"\u002Fblog\u002Fself-hosted-cloud-storage-why-it-matters",{"title":4341,"description":4526},"blog\u002Fself-hosted-cloud-storage-why-it-matters",[1259,1261,1260,4532,500],"own your data","WCBsXbcqlsStO7mHwMRJ2KGbm4Pj0ToQ5nGdETPCKLE",{"id":4535,"title":4536,"author":6,"body":4537,"category":5252,"date":1247,"description":5253,"draft":1249,"extension":1250,"image":1251,"meta":5254,"navigation":1253,"path":5255,"seo":5256,"stem":5257,"tags":5258,"__hash__":5261},"blog\u002Fblog\u002Ftrue-cost-of-cloud-storage.md","The True Cost of Cloud Storage: Self-Hosting vs. Google Drive, Dropbox, and iCloud",{"type":8,"value":4538,"toc":5234},[4539,4542,4545,4549,4552,4645,4648,4651,4655,4658,4702,4705,4708,4712,4715,4719,4725,4764,4767,4771,4774,4821,4824,4871,4874,4878,4881,4964,4970,4976,4979,4983,4986,5083,5086,5089,5093,5096,5100,5106,5112,5118,5124,5130,5136,5140,5146,5152,5158,5164,5170,5174,5177,5180,5183,5187,5190,5204,5207,5218,5222,5225,5228],[11,4540,4541],{},"Cloud storage pricing looks simple on the surface. Google gives you 15GB free, 100GB for $2\u002Fmonth, 2TB for $10\u002Fmonth. 
Dropbox starts at $12\u002Fmonth for 2TB. iCloud is $1 for 50GB, $3 for 200GB, $10 for 2TB.",[11,4543,4544],{},"The full picture is more interesting -- not just the sticker price, but what you're actually getting (and giving up) over time, and how that stacks up against running your own storage.",[15,4546,4548],{"id":4547},"what-you-pay-the-big-providers","What You Pay the Big Providers",[11,4550,4551],{},"The major cloud storage providers as of early 2026:",[85,4553,4554,4569],{},[88,4555,4556],{},[91,4557,4558,4561,4563,4566],{},[94,4559,4560],{},"Provider",[94,4562,1607],{},[94,4564,4565],{},"Monthly",[94,4567,4568],{},"Annual",[104,4570,4571,4584,4596,4607,4621,4631],{},[91,4572,4573,4575,4578,4581],{},[109,4574,1644],{},[109,4576,4577],{},"100GB",[109,4579,4580],{},"$2",[109,4582,4583],{},"$24",[91,4585,4586,4588,4591,4593],{},[109,4587,1644],{},[109,4589,4590],{},"2TB",[109,4592,365],{},[109,4594,4595],{},"$120",[91,4597,4598,4600,4602,4604],{},[109,4599,1647],{},[109,4601,4590],{},[109,4603,341],{},[109,4605,4606],{},"$144",[91,4608,4609,4612,4615,4618],{},[109,4610,4611],{},"iCloud+",[109,4613,4614],{},"200GB",[109,4616,4617],{},"$3",[109,4619,4620],{},"$36",[91,4622,4623,4625,4627,4629],{},[109,4624,4611],{},[109,4626,4590],{},[109,4628,365],{},[109,4630,4595],{},[91,4632,4633,4636,4639,4642],{},[109,4634,4635],{},"Microsoft 365",[109,4637,4638],{},"1TB",[109,4640,4641],{},"$7",[109,4643,4644],{},"$70*",[11,4646,4647],{},"*Microsoft 365 Personal is $6.99\u002Fmo monthly or $69.99\u002Fyr annual — and includes the full Office suite, not just storage.",[11,4649,4650],{},"These are per-user prices. If you have a family of four, multiply accordingly (family plans exist but typically cap at 5-6 people and share a pool).",[77,4652,4654],{"id":4653},"the-long-term-math","The Long-Term Math",[11,4656,4657],{},"Google One at 2TB is the most popular option for people who need real storage. 
Over time:",[85,4659,4660,4669],{},[88,4661,4662],{},[91,4663,4664,4667],{},[94,4665,4666],{},"Period",[94,4668,323],{},[104,4670,4671,4678,4686,4694],{},[91,4672,4673,4676],{},[109,4674,4675],{},"1 year",[109,4677,4595],{},[91,4679,4680,4683],{},[109,4681,4682],{},"3 years",[109,4684,4685],{},"$360",[91,4687,4688,4691],{},[109,4689,4690],{},"5 years",[109,4692,4693],{},"$600",[91,4695,4696,4699],{},[109,4697,4698],{},"10 years",[109,4700,4701],{},"$1,200",[11,4703,4704],{},"That's $1,200 for a decade of storage with no privacy guarantees, no encryption you control, and terms of service that can change at any time.",[11,4706,4707],{},"Google One family plans let you share 2TB across up to 6 members for the same $10\u002Fmonth — which is a decent deal per person. But it's shared storage, so if everyone's a heavy user, you'll need more.",[15,4709,4711],{"id":4710},"what-self-hosting-actually-costs","What Self-Hosting Actually Costs",[11,4713,4714],{},"Two real scenarios: a cheap VPS for the server and Backblaze B2 for overflow storage.",[77,4716,4718],{"id":4717},"scenario-1-small-setup-up-to-200gb","Scenario 1: Small Setup (Up to 200GB)",[11,4720,4721,4724],{},[51,4722,4723],{},"VPS-only approach"," — everything on one server:",[85,4726,4727,4735],{},[88,4728,4729],{},[91,4730,4731,4733],{},[94,4732,320],{},[94,4734,323],{},[104,4736,4737,4745,4753],{},[91,4738,4739,4742],{},[109,4740,4741],{},"Hetzner Cloud CX22 (2 vCPU, 4GB RAM, 40GB disk)",[109,4743,4744],{},"$4.35\u002Fmonth",[91,4746,4747,4750],{},[109,4748,4749],{},"Additional 160GB block storage",[109,4751,4752],{},"$7.04\u002Fmonth",[91,4754,4755,4759],{},[109,4756,4757],{},[51,4758,372],{},[109,4760,4761],{},[51,4762,4763],{},"$11.39\u002Fmonth",[11,4765,4766],{},"That's more than Google Drive for the same amount of storage. Keep reading.",[77,4768,4770],{"id":4769},"scenario-2-smart-setup-up-to-2tb","Scenario 2: Smart Setup (Up to 2TB)",[11,4772,4773],{},"This is where self-hosting starts winning. 
Use a minimal VPS for the server and offload actual file storage to Backblaze B2, which is dramatically cheaper per gigabyte:",[85,4775,4776,4785],{},[88,4777,4778],{},[91,4779,4780,4782],{},[94,4781,320],{},[94,4783,4784],{},"Monthly Cost",[104,4786,4787,4793,4801,4809],{},[91,4788,4789,4791],{},[109,4790,4741],{},[109,4792,4744],{},[91,4794,4795,4798],{},[109,4796,4797],{},"Backblaze B2 storage: 500GB",[109,4799,4800],{},"$3.00\u002Fmonth",[91,4802,4803,4806],{},[109,4804,4805],{},"Backblaze B2 download (estimated 50GB\u002Fmonth)",[109,4807,4808],{},"$0.50\u002Fmonth",[91,4810,4811,4816],{},[109,4812,4813],{},[51,4814,4815],{},"Total for 500GB",[109,4817,4818],{},[51,4819,4820],{},"$7.85\u002Fmonth",[11,4822,4823],{},"For 2TB on B2:",[85,4825,4826,4834],{},[88,4827,4828],{},[91,4829,4830,4832],{},[94,4831,320],{},[94,4833,4784],{},[104,4835,4836,4843,4851,4859],{},[91,4837,4838,4841],{},[109,4839,4840],{},"Hetzner Cloud CX22",[109,4842,4744],{},[91,4844,4845,4848],{},[109,4846,4847],{},"Backblaze B2 storage: 2TB",[109,4849,4850],{},"$12.00\u002Fmonth",[91,4852,4853,4856],{},[109,4854,4855],{},"Backblaze B2 download (estimated 100GB\u002Fmonth)",[109,4857,4858],{},"$1.00\u002Fmonth",[91,4860,4861,4866],{},[109,4862,4863],{},[51,4864,4865],{},"Total for 2TB",[109,4867,4868],{},[51,4869,4870],{},"$17.35\u002Fmonth",[11,4872,4873],{},"$17.35 vs Google's $10 for the same 2TB -- more expensive on raw numbers. The reason to do it anyway comes in the next two scenarios.",[77,4875,4877],{"id":4876},"scenario-3-home-server-the-sweet-spot","Scenario 3: Home Server (The Sweet Spot)",[11,4879,4880],{},"This is where the math gets compelling. 
A Raspberry Pi or any always-on computer at home:",[85,4882,4883,4894],{},[88,4884,4885],{},[91,4886,4887,4889,4891],{},[94,4888,320],{},[94,4890,323],{},[94,4892,4893],{},"Type",[104,4895,4896,4905,4915,4925,4936,4950],{},[91,4897,4898,4900,4902],{},[109,4899,330],{},[109,4901,333],{},[109,4903,4904],{},"One-time",[91,4906,4907,4910,4913],{},[109,4908,4909],{},"1TB USB SSD",[109,4911,4912],{},"$70",[109,4914,4904],{},[91,4916,4917,4920,4923],{},[109,4918,4919],{},"Power supply + case",[109,4921,4922],{},"$25",[109,4924,4904],{},[91,4926,4927,4930,4933],{},[109,4928,4929],{},"Electricity (~5W, 24\u002F7)",[109,4931,4932],{},"$0.55\u002Fmonth",[109,4934,4935],{},"Ongoing",[91,4937,4938,4943,4948],{},[109,4939,4940],{},[51,4941,4942],{},"Hardware total",[109,4944,4945],{},[51,4946,4947],{},"$155",[109,4949,4904],{},[91,4951,4952,4957,4962],{},[109,4953,4954],{},[51,4955,4956],{},"Monthly running cost",[109,4958,4959],{},[51,4960,4961],{},"$0.55",[109,4963,4935],{},[11,4965,4966,4967],{},"The 5-year total cost: $155 + ($0.55 x 60) = ",[51,4968,4969],{},"$188 for 1TB over five years.",[11,4971,4972,4973],{},"Compare to Google One 2TB over five years: ",[51,4974,4975],{},"$600.",[11,4977,4978],{},"Even if you add a Backblaze B2 bucket for offsite backup of your most important files (say 200GB at ~$1.20\u002Fmonth), you're at ~$218 over five years. 
Still well under half the cost of Google.",[15,4980,4982],{"id":4981},"the-comparison-table","The Comparison Table",[11,4984,4985],{},"A 2TB (or equivalent) setup over different time periods:",[85,4987,4988,5004],{},[88,4989,4990],{},[91,4991,4992,4995,4998,5001],{},[94,4993,4994],{},"Solution",[94,4996,4997],{},"1 Year",[94,4999,5000],{},"3 Years",[94,5002,5003],{},"5 Years",[104,5005,5006,5017,5030,5041,5055,5069],{},[91,5007,5008,5011,5013,5015],{},[109,5009,5010],{},"Google One (2TB)",[109,5012,4595],{},[109,5014,4685],{},[109,5016,4693],{},[91,5018,5019,5022,5024,5027],{},[109,5020,5021],{},"Dropbox Plus (2TB)",[109,5023,4606],{},[109,5025,5026],{},"$432",[109,5028,5029],{},"$720",[91,5031,5032,5035,5037,5039],{},[109,5033,5034],{},"iCloud+ (2TB)",[109,5036,4595],{},[109,5038,4685],{},[109,5040,4693],{},[91,5042,5043,5046,5049,5052],{},[109,5044,5045],{},"Self-hosted VPS + B2 (2TB)",[109,5047,5048],{},"$208",[109,5050,5051],{},"$624",[109,5053,5054],{},"$1,041",[91,5056,5057,5060,5063,5066],{},[109,5058,5059],{},"Self-hosted Pi + SSD (1TB)",[109,5061,5062],{},"$162*",[109,5064,5065],{},"$175",[109,5067,5068],{},"$188",[91,5070,5071,5074,5077,5080],{},[109,5072,5073],{},"Self-hosted Pi + SSD + B2 backup (1TB + 200GB offsite)",[109,5075,5076],{},"$176*",[109,5078,5079],{},"$197",[109,5081,5082],{},"$218",[11,5084,5085],{},"*First year includes one-time hardware cost.",[11,5087,5088],{},"The home server option wins decisively after year one. And that hardware will last 5-10 years easily.",[15,5090,5092],{"id":5091},"beyond-the-dollar-amounts","Beyond the Dollar Amounts",[11,5094,5095],{},"Raw cost doesn't tell the whole story. There are real differences in what you get -- and what you give up -- with each approach.",[77,5097,5099],{"id":5098},"what-you-get-with-self-hosting-thats-not-in-the-price","What You Get With Self-Hosting (That's Not in the Price)",[11,5101,5102,5105],{},[51,5103,5104],{},"Unlimited users for free."," Google charges per account. 
A family can share Google One's 2TB pool, but only up to 6 members, and it's still $10\u002Fmonth for the whole group. On your self-hosted setup, adding more users costs exactly nothing. Set up accounts for your whole family, your friends, a small team — no per-seat pricing.",[11,5107,5108,5111],{},[51,5109,5110],{},"No storage caps (only physical limits)."," You're limited only by your actual hardware. Slap on a bigger SSD or add another drive. No corporate decision can suddenly tell you that you need to upgrade to a more expensive tier.",[11,5113,5114,5117],{},[51,5115,5116],{},"Privacy by design."," With end-to-end encryption, your files are encrypted before they leave your device. Even if someone gains access to your server, they see only encrypted data. With Google, Dropbox, or iCloud — your files are readable by the company, by anyone with admin access, and by anyone they're legally compelled to share with.",[11,5119,5120,5123],{},[51,5121,5122],{},"No data mining."," Your files aren't being scanned, analyzed, or fed into automated systems. Google's privacy policy grants them a license to use your content to \"provide, maintain, and improve\" their services — and their automated systems do analyze content as it's stored (for spam\u002Fmalware detection and policy enforcement). The value of your data staying private is hard to quantify, but it's real.",[11,5125,5126,5129],{},[51,5127,5128],{},"No Terms of Service risk."," Nobody can change the deal on you. No sudden price increases, no feature removals, no \"we're sunsetting this product\" emails.",[11,5131,5132,5135],{},[51,5133,5134],{},"Full control over data location."," You know exactly where your data is — physically. 
For some people and businesses, data residency matters legally.",[77,5137,5139],{"id":5138},"what-you-give-up-being-honest-about-tradeoffs","What You Give Up (Being Honest About Tradeoffs)",[11,5141,5142,5145],{},[51,5143,5144],{},"Setup time."," Cloud storage from Google takes 30 seconds — sign in and you're done. Self-hosting takes 30-60 minutes for initial setup. It's not hard, but it's not zero effort either.",[11,5147,5148,5151],{},[51,5149,5150],{},"You're responsible for availability."," If your Raspberry Pi's SD card dies at 2 AM, nobody's going to fix it for you. This is mitigable (use an SSD, keep backups, set up monitoring) but it's a real difference from a service with a 99.9% SLA.",[11,5153,5154,5157],{},[51,5155,5156],{},"You manage updates."," Pulling a new Docker image takes 30 seconds, but you need to remember to do it. Or set up automatic updates — either way, it's your responsibility.",[11,5159,5160,5163],{},[51,5161,5162],{},"Backups are on you."," Google isn't going to lose your data (probably). With self-hosting, you need a backup strategy. Hoodik stores files as encrypted chunks alongside a database that tracks them — so backing up means copying the entire data directory (not individual files). The simplest strategy: regularly snapshot your data directory to a separate location or a cheap storage bucket. But you need to set it up.",[11,5165,5166,5169],{},[51,5167,5168],{},"Upload speed matters."," If you're hosting at home, your upload speed limits access from outside. Most home internet connections have asymmetric speeds (fast download, slower upload). A 50 Mbps upload means files will be a bit slower to access remotely compared to a data center. For documents and photos, this is barely noticeable. 
For large video files, you'll notice.",[15,5171,5173],{"id":5172},"the-hidden-cost-your-data-as-the-product","The Hidden Cost: Your Data as the Product",[11,5175,5176],{},"One cost never shows up on any invoice: when you use free or cheap cloud storage from an advertising company, your data is the product.",[11,5178,5179],{},"Google knows what documents you create, what photos you take, where you've been (from photo metadata), what receipts you store, what medical documents you have. This information feeds their advertising profile about you.",[11,5181,5182],{},"Is this worth $5-10\u002Fmonth in savings? That's a personal decision. But it's a cost — just not one denominated in dollars.",[15,5184,5186],{"id":5185},"when-self-hosting-wins-on-cost","When Self-Hosting Wins on Cost",[11,5188,5189],{},"Self-hosting is cheaper than commercial cloud storage when:",[45,5191,5192,5195,5198,5201],{},[48,5193,5194],{},"You use a home server (Pi, old laptop, NAS) rather than a VPS",[48,5196,5197],{},"You have multiple users (family, small team)",[48,5199,5200],{},"You're in it for more than a year (hardware cost amortizes quickly)",[48,5202,5203],{},"You value privacy and would otherwise need a premium \"zero-knowledge\" provider (which costs $8-15\u002Fmonth)",[11,5205,5206],{},"Self-hosting costs more when:",[45,5208,5209,5212,5215],{},[48,5210,5211],{},"You need a VPS and lots of storage (B2 costs add up at scale)",[48,5213,5214],{},"You only need it for one person with modest storage (Google's $2\u002Fmonth for 100GB is hard to beat on pure cost)",[48,5216,5217],{},"Your time is extremely expensive and the setup\u002Fmaintenance hours aren't worth it",[15,5219,5221],{"id":5220},"what-wed-suggest","What We'd Suggest",[11,5223,5224],{},"For most privacy-conscious people storing up to 1-2TB of files, a Raspberry Pi 5 with a 1TB SSD running Hoodik is the sweet spot. Total hardware cost under $200, lasts 5+ years, monthly operating cost under $1 (electricity). 
No ongoing subscriptions, no per-user fees. Amortized over five years, that's roughly $3\u002Fmonth for 1TB of end-to-end encrypted storage with unlimited users.",[11,5226,5227],{},"Google charges $120\u002Fyear for 2TB with no encryption you control and actively uses your data for ad targeting. The savings are real, and you get actual privacy in the deal.",[11,5229,5230,5231,5233],{},"If that sounds worth an hour of setup, check out our ",[993,5232,996],{"href":995},".",{"title":435,"searchDepth":464,"depth":464,"links":5235},[5236,5239,5244,5245,5249,5250,5251],{"id":4547,"depth":464,"text":4548,"children":5237},[5238],{"id":4653,"depth":525,"text":4654},{"id":4710,"depth":464,"text":4711,"children":5240},[5241,5242,5243],{"id":4717,"depth":525,"text":4718},{"id":4769,"depth":525,"text":4770},{"id":4876,"depth":525,"text":4877},{"id":4981,"depth":464,"text":4982},{"id":5091,"depth":464,"text":5092,"children":5246},[5247,5248],{"id":5098,"depth":525,"text":5099},{"id":5138,"depth":525,"text":5139},{"id":5172,"depth":464,"text":5173},{"id":5185,"depth":464,"text":5186},{"id":5220,"depth":464,"text":5221},"Comparisons","Real cost comparison of Google Drive, Dropbox, and iCloud vs self-hosting with Hoodik over 1, 3, and 5 years. 
The math might surprise you.",{},"\u002Fblog\u002Ftrue-cost-of-cloud-storage",{"title":4536,"description":5253},"blog\u002Ftrue-cost-of-cloud-storage",[1260,5259,5260,1259,2421],"cost comparison","google drive alternative","pFVKNWQeZenY0kjbaH7S0HozL6xTHpcN2yiou21jKEg",{"id":5263,"title":5264,"author":6,"body":5265,"category":2783,"date":1247,"description":5479,"draft":1249,"extension":1250,"image":1251,"meta":5480,"navigation":1253,"path":5481,"seo":5482,"stem":5483,"tags":5484,"__hash__":5485},"blog\u002Fblog\u002Fwhy-your-cloud-provider-can-read-your-files.md","Why Your Cloud Provider Can Read Your Files",{"type":8,"value":5266,"toc":5466},[5267,5270,5273,5279,5283,5289,5292,5295,5312,5315,5319,5323,5326,5329,5333,5336,5340,5343,5346,5350,5353,5370,5373,5376,5380,5390,5407,5410,5413,5416,5420,5423,5426,5429,5432,5436,5439,5453,5456,5460,5463],[1271,5268,5264],{"id":5269},"why-your-cloud-provider-can-read-your-files",[11,5271,5272],{},"There's a comforting phrase that shows up on nearly every cloud storage marketing page: \"Your files are encrypted.\" It sounds reassuring. It makes you think your vacation photos, tax documents, and private notes are locked away where nobody can peek at them.",[11,5274,5275,5278],{},[51,5276,5277],{},"Encryption doesn't mean privacy"," unless you control the keys. Most providers don't lead with that distinction.",[15,5280,5282],{"id":5281},"what-encryption-at-rest-actually-means","What \"Encryption at Rest\" Actually Means",[11,5284,5285,5286,5233],{},"When Google Drive, Dropbox, or OneDrive say your files are \"encrypted at rest,\" they're telling you the truth. Your files are indeed encrypted when they sit on their hard drives. The part they don't emphasize: ",[51,5287,5288],{},"they hold the encryption keys",[11,5290,5291],{},"Think of it like a hotel safe. Yes, your valuables are locked up. But the hotel has a master key. 
The safe protects your stuff from other guests and random break-ins, but not from the hotel itself.",[11,5293,5294],{},"\"Encryption at rest\" protects against one specific threat: someone physically stealing a hard drive from a data center. It doesn't protect your data from:",[45,5296,5297,5300,5303,5306,5309],{},[48,5298,5299],{},"The provider's employees",[48,5301,5302],{},"Automated scanning systems",[48,5304,5305],{},"Government requests with valid warrants",[48,5307,5308],{},"Internal policy enforcement bots",[48,5310,5311],{},"Data breaches where encryption keys are also compromised",[11,5313,5314],{},"This isn't a theoretical concern. It's how these services operate every day.",[15,5316,5318],{"id":5317},"real-examples-of-providers-reading-your-files","Real Examples of Providers Reading Your Files",[77,5320,5322],{"id":5321},"google-photos-and-drive","Google Photos and Drive",[11,5324,5325],{},"Google actively scans files stored in your account. Their CSAM (Child Sexual Abuse Material) detection system analyzes every photo you upload. In 2022, a father in San Francisco had his Google account permanently banned after taking photos of his child's medical condition to send to a doctor. Google's automated system flagged the images, reported them to NCMEC, and locked his entire digital life -- email, photos, documents, phone number -- with no appeal.",[11,5327,5328],{},"Beyond CSAM detection, Google's terms of service grant a license to use your content to \"provide, maintain, and improve\" their services. Their automated systems analyze content as it's received and stored — for spam detection, malware scanning, and policy enforcement. Google holds the keys that make this analysis possible.",[77,5330,5332],{"id":5331},"microsoft-onedrive","Microsoft OneDrive",[11,5334,5335],{},"Microsoft's terms of service reserve the right to scan content for policy violations. 
In practice it does scan OneDrive content, and users have documented cases of losing access to personal files — including family photos and creative writing — when automated systems triggered false positives. Because Microsoft holds the encryption keys, their systems can read and evaluate any file in your account.",[77,5337,5339],{"id":5338},"dropbox","Dropbox",[11,5341,5342],{},"Dropbox's privacy policy permits personnel access to file contents when legally required, for debugging, and to enforce their Terms of Service. They've implemented hash-matching systems and employ trust & safety teams who review flagged content.",[11,5344,5345],{},"Their deduplication feature -- where uploading a file someone else already has doesn't consume extra storage -- is revealing in itself. It means Dropbox can tell when two users have identical files, which requires them to read (or at least hash) your plaintext data.",[15,5347,5349],{"id":5348},"the-server-side-encryption-illusion","The Server-Side Encryption Illusion",[11,5351,5352],{},"Typical cloud storage encryption works like this:",[201,5354,5355,5358,5361,5364,5367],{},[48,5356,5357],{},"You upload a file",[48,5359,5360],{},"The provider's server receives your plaintext file",[48,5362,5363],{},"The server encrypts it with a key the provider generates and controls",[48,5365,5366],{},"The encrypted file is stored on disk",[48,5368,5369],{},"When you want it back, the server decrypts it and sends it to you",[11,5371,5372],{},"At step 2 and step 5, your file exists in plaintext on their servers. The encryption only exists between steps 3 and 5 — and the provider holds the key the entire time.",[11,5374,5375],{},"It's like sending a postcard, having the post office put it in an envelope for storage, then taking it back out to deliver it. 
The envelope didn't stop the post office from reading it.",[15,5377,5379],{"id":5378},"what-zero-knowledge-architecture-looks-like","What Zero-Knowledge Architecture Looks Like",[11,5381,5382,5383,5386,5387,5389],{},"The alternative is what's called ",[51,5384,5385],{},"zero-knowledge"," or ",[51,5388,2790],{}," for storage. The principle: encryption and decryption happen on your device, and the server never sees the keys.",[201,5391,5392,5395,5398,5401,5404],{},[48,5393,5394],{},"Your device encrypts the file with a key that only you have",[48,5396,5397],{},"The encrypted ciphertext is uploaded to the server",[48,5399,5400],{},"The server stores the encrypted blob — it literally cannot decrypt it",[48,5402,5403],{},"When you want your file back, the server sends the encrypted blob",[48,5405,5406],{},"Your device decrypts it locally",[11,5408,5409],{},"The server in this model is a dumb storage box. It doesn't know if you stored a photo, a document, or random noise. It can't scan your content because it can't read your content.",[11,5411,5412],{},"This is the approach Hoodik takes. Every file is encrypted on your device using RSA-2048 for key exchange and AEGIS-128L for file encryption before it ever touches the server. The server stores ciphertext and has no mechanism to decrypt it -- even if someone got full access to the server and its database, they'd get nothing but encrypted noise.",[11,5414,5415],{},"Even search is privacy-preserving: file names are tokenized and hashed before being sent to the server, so the server can help you find files without ever knowing what they're called.",[15,5417,5419],{"id":5418},"but-i-have-nothing-to-hide","\"But I Have Nothing to Hide\"",[11,5421,5422],{},"This is the most common response, and it misses the point. Privacy isn't about hiding wrongdoing.",[11,5424,5425],{},"That father who lost his entire Google account wasn't doing anything wrong. 
Automated systems make errors, and when the provider can read your files, those errors have real consequences — locked accounts, reports to law enforcement, no meaningful appeal process.",[11,5427,5428],{},"Content policies also change. Governments change. Data that was fine to store last year might trigger a violation next year. If someone else can read, scan, and make decisions about your files, are they really yours? You're renting space under someone else's rules, which can change at any time.",[11,5430,5431],{},"There's also a practical security argument: in a data breach, if the provider has your keys, the attacker gets your keys too. With zero-knowledge encryption, a server breach exposes encrypted blobs that are useless without your private key.",[15,5433,5435],{"id":5434},"what-to-look-for","What to Look For",[11,5437,5438],{},"When evaluating cloud storage for privacy, four questions cut through most of the marketing:",[201,5440,5441,5444,5447,5450],{},[48,5442,5443],{},"Who holds the encryption keys? If it's the provider, they can read your files.",[48,5445,5446],{},"Where does encryption happen? \"On our servers\" means your plaintext passes through their infrastructure.",[48,5448,5449],{},"Can they reset your password and give you back your files? If yes, they have your keys. True zero-knowledge means losing your key means losing your data — there's no backdoor by design.",[48,5451,5452],{},"Do they offer features that require reading your content? Server-side search, thumbnails generated on the server, AI categorization — these all require access to plaintext.",[11,5454,5455],{},"The tradeoff with zero-knowledge is real. You're responsible for your own keys, and some convenience features (server-generated previews, full-text search of document contents) aren't possible without more complex engineering. For a lot of people, that tradeoff is worth it.",[15,5457,5459],{"id":5458},"encrypted-vs-private","Encrypted vs. 
Private",[11,5461,5462],{},"\"Encrypted\" and \"private\" are not the same thing. Most cloud storage is encrypted in a way that protects the provider's liability, not your privacy. If the provider holds your encryption keys, they can read your files — and in many cases, they actively do.",[11,5464,5465],{},"Zero-knowledge architecture, where encryption happens on your device and only you hold the keys, is the only model where \"encrypted\" actually means \"private.\" It's not the most convenient option for every use case, but it's the only one where your files are genuinely yours.",{"title":435,"searchDepth":464,"depth":464,"links":5467},[5468,5469,5474,5475,5476,5477,5478],{"id":5281,"depth":464,"text":5282},{"id":5317,"depth":464,"text":5318,"children":5470},[5471,5472,5473],{"id":5321,"depth":525,"text":5322},{"id":5331,"depth":525,"text":5332},{"id":5338,"depth":525,"text":5339},{"id":5348,"depth":464,"text":5349},{"id":5378,"depth":464,"text":5379},{"id":5418,"depth":464,"text":5419},{"id":5434,"depth":464,"text":5435},{"id":5458,"depth":464,"text":5459},"Most cloud storage encryption only protects against stolen hard drives, not the provider itself. Here's how it actually works and what zero-knowledge means.",{},"\u002Fblog\u002Fwhy-your-cloud-provider-can-read-your-files",{"title":5264,"description":5479},"blog\u002Fwhy-your-cloud-provider-can-read-your-files",[1261,1574,1260,5385,2790],"UnTFWMrB_naGD3e9_hXQZ4bIHRpEmBEPBmX6RpQRjC4",1776081633512]