HermitStash

Stash it quietly. Share it instantly.

Post-quantum encrypted file uploads. Self-hosted. Your server, your keys, your data.

XChaCha20-Poly1305
ML-KEM-1024 Hybrid KEM
Argon2id Auth
Passkey Login
Zero-Knowledge Vault
Two-Factor Auth
Folder Drops
Chunked Uploads
Teams
Audit Logging
Webhooks & API
Zero npm Deps
Self-Hosted
SHAKE256 KDF
Security First

Your files. Your keys.

01

Encrypted at Rest

Every file is encrypted with XChaCha20-Poly1305 using a unique per-file key. Keys are sealed with hybrid ML-KEM-1024 + P-384 ECDH post-quantum cryptography. No plaintext ever touches storage.

02

Post-Quantum Crypto

Hybrid ML-KEM-1024 + P-384 ECDH key encapsulation with SHAKE256 KDF. Algorithm-agile envelope versioning enables future cipher swaps without re-encrypting existing data.

03

Argon2id Authentication

Passwords hashed with Argon2id — memory-hard, GPU-resistant, the winner of the Password Hashing Competition. Passkey/WebAuthn login with no password at all.

04

Full Audit Trail

Every login, upload, download, and admin action is logged. IPs hashed, emails vault-sealed, zero plaintext in audit records. Searchable, filterable, with configurable retention.

05

Self-Hosted Control

Your server, your data. No third-party cloud. Store on local disk, NAS mount, or S3-compatible bucket. Docker-ready.

06

Folder Drops

Drag entire folder trees. Bad file types silently skipped. Concurrent uploads with retry. Recipients browse folders or download as ZIP.

Personal Vault

Zero-knowledge. Even from admins.

Client-Side Encryption

Files are encrypted in your browser with ML-KEM-1024 + SHAKE256 + XChaCha20-Poly1305 before they ever leave your device. The server only stores ciphertext it cannot decrypt. Only your passkey can unlock your vault.

Passkey-Gated Access: Touch ID, Face ID, YubiKey, or any FIDO2 authenticator to unlock.
PRF Mode: Derive keys from the passkey PRF extension for true zero-knowledge, where no seed touches the server.
Stealth Mode: Hide vault operations from audit logs with passkey re-authentication.

Platform

Everything you need. Built in.

Teams

Create teams, assign roles, and isolate file access. Team admins manage their own members and uploads.

Password Bundles

Protect shared bundles with a password. Argon2id-hashed, rate-limited unlock, and session-based access.

Admin Dashboard

Manage users, files, bundles, and 40+ settings across 8 config tabs. Environment tab shows Docker config and runtime info. Export data as CSV. Download database backups.

Webhooks & API

Trigger webhooks on events like bundle finalization. API keys with scoped permissions. SSRF-safe URL validation.

Bundle Expiry

Set bundles to auto-expire in 1, 7, 30, or 90 days. Or keep them forever. Expired files cleaned up automatically.

Email Notifications

Send upload confirmations and admin alerts via SMTP or Resend API. Recipients notified when bundles are ready.

Two-Factor Auth

TOTP with authenticator apps. One-time backup codes. Replay-protected. Works alongside passkeys and passwords.

Chunked Uploads

Large files split into 10MB chunks with concurrent transfer, per-file progress, pause, resume, and retry on failure.

S3 & Local Storage

Store on local disk, NAS, or any S3-compatible bucket. S3 direct mode with server-side encryption. Pre-signed downloads.

How It Works

Two ways in.

Both encrypted at rest. Vault uploads are end-to-end. Shareable links in seconds.

Public

Drop Files

No login required. Files encrypted on arrival.

  1. Visit /drop
  2. Drag folders or files onto the page
  3. Set expiry, password, or message
  4. Files encrypted and stored instantly
  5. Recipients browse folders or download as ZIP

Team

Sign In & Upload

Passkey, password, Google, or 2FA. Full audit trail.

  1. Sign in with passkey, password, or Google
  2. Upload from your encrypted dashboard
  3. Vault-encrypt files only you can decrypt
  4. Manage teams, users, and settings
  5. Every action logged and auditable

Hardened

Built to resist.

12 rate-limited endpoints: login, register, 2FA, passkey, uploads, bundle unlock, and more. Per-IP sliding windows with auto-lockout.

6 HTTP security headers: CSP, X-Frame-Options, no-sniff, no-referrer, restrictive permissions policy, and clickjacking protection.

0 plaintext stored: every database field is vault-sealed. IPs are SHA3-hashed. Audit logs, emails, names, metadata: all encrypted.

7 crypto primitives: ML-KEM-1024 + P-384 hybrid KEM, XChaCha20-Poly1305, SHAKE256 KDF, SHA3-512 hashing, Argon2id passwords, ML-DSA-87 and SLH-DSA-SHAKE-256f signatures.

Get Started

Install. Run. Done.

$ node server.js
Vault keypair generated (ML-KEM-1024 + P-384 hybrid)
Default admin: admin@hermitstash.com / admin
HermitStash is running!
http://localhost:3000

No config files. No build step. No npm install. All dependencies vendored. Settings live in the encrypted database. Configure everything from the admin panel.