MiniLockbox is a simple and tiny self-hosted Dropbox clone that synchronizes one directory between clients. Files are end-to-end encrypted between clients, so the central server does not need to be trusted.


System tray menu on Windows

MiniLockbox comes with a system tray icon that features a simple context menu, shown here on Windows.

The paradigm of synchronizing a single directory between devices, as popularized by Dropbox, is something I have come to appreciate. When I was untangling myself from third-party cloud services, I needed a self-hosted replacement. I tried a few and spent the longest time with Seafile out of all of them, but there were always small things that bugged me.

I wanted to run the software on my Raspberry Pi at home, for which full disk encryption is not viable, so I wanted something that would encrypt files in such a way that the server’s storage does not need to be trusted, and keep as much other information secret from the server as possible too. At the same time, a central server was needed because I wanted the system to synchronize even if only one of the clients was powered on at a time. Another goal was the use of HTTP(S) as a transport protocol to ensure compatibility with restrictive public and corporate networks. Lastly, it needed to run on Linux and Windows desktops.


System tray menu on Ubuntu Linux

The tray menu is pretty much identical on Linux (shown here: Ubuntu) and Windows.

The Python code for MiniLockbox is surprisingly short and simple for what it does, numbering fewer than 250 lines for the server and about 500 for the client. It makes use of the Python modules http.server, hashlib and several parts of cryptography. The Linux desktop client uses Qt 5 for no particular reason other than it makes it easy to have a tray icon.

The client watches one specific directory for changes. When it detects new or modified files, it compresses them into a bz2-tarball, which it then pads with some proportionate random data to hide the actual file sizes from the server. The result is then encrypted using a private 4096-bit RSA key (shared between all clients) and sent to the server via its HTTP(S) interface. The server adds the revision to its internal list and provides it to the clients via a pull-based update API.
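The compress-then-pad step described above, as an added example that is not MiniLockbox's own code: it builds a bz2 tarball in memory, appends a random amount of padding proportional to its size, and reverses both steps. The 8-byte length header, the 25% padding cap and all function names are assumptions made for illustration; the encryption step is left out, and the padded blob is what would be handed to it.

```python
import io
import os
import secrets
import struct
import tarfile

HEADER = struct.Struct(">Q")   # assumed framing: 8-byte big-endian payload length
MAX_PAD_RATIO = 0.25           # assumed cap: padding is at most 25% of the payload

def make_tarball(files: dict[str, bytes]) -> bytes:
    """Pack {name: content} into an in-memory bz2-compressed tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def pad(payload: bytes) -> bytes:
    """Prefix the true length, then append 0..25% random bytes."""
    pad_len = secrets.randbelow(int(len(payload) * MAX_PAD_RATIO) + 1)
    return HEADER.pack(len(payload)) + payload + os.urandom(pad_len)

def unpad(blob: bytes) -> bytes:
    """Recover the payload; reject blobs whose header is missing or lies."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than header")
    (length,) = HEADER.unpack_from(blob)
    if length > len(blob) - HEADER.size:
        raise ValueError("declared length exceeds blob")
    return blob[HEADER.size:HEADER.size + length]

def read_tarball(tarball: bytes) -> dict[str, bytes]:
    """Read regular files back out of the tarball without touching disk."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:bz2") as tar:
        for member in tar:
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out
```

The length header has to sit inside the encrypted blob, otherwise the server reads the true size directly. Proportionate padding only blurs the size: the server still learns it to within the padding ratio.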

Project Perspective

I was initially hoping to turn this one into a project viable for public use, but in practice it just doesn’t work very reliably and I can’t be bothered to put time into finding out why. I do use it on my machines and for small files it works more often than it doesn’t, but I still fall back on USB sticks from time to time. Another reason I’m reluctant to open source it is because I’m not an expert on cryptography and I wouldn’t want users to be stuck with my unvetted cryptography code.

Considering its features and scope though, I still think there’s a niche for it among self-hosting enthusiasts. If you’d like to turn it into something better than it is right now, contact me and let me know!