Files and filenames are encrypted with AES-256-GCM before hitting disk, so the filesystem contains only ciphertext.
The encryption key is not stored in one place on the server at rest. It’s split between:
- a session share stored server-side
- an encrypted cookie stored in the browser
Both parts are required to decrypt files. A compromised cookie or session file alone yields nothing.
The core encryption layer is published for review. The full application is not open source at this time. https://core.darkdrive.de/public/a7c3222a5c6e12bef0648266/cr...
I chose server-side encryption over fully client-side systems to keep it simple to host while still allowing features like previews, thumbnails, and easy access across devices.
Darkdrive is a single PHP application that runs on shared hosting with minimal setup. It encrypts filenames and directory names alongside file contents, and uses split-key server-side crypto.
Happy to answer questions about the threat model or implementation.
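A sketch of the split-key idea described above, added here as an illustration and not taken from Darkdrive's published core. It assumes PHP 8 with the openssl extension and a 2-of-2 XOR split (the post does not say how the key is actually split). The function names and the `filename` context label are hypothetical, and the cookie's own encryption is not modelled.

```php
<?php
declare(strict_types=1);
// Assumed construction: 2-of-2 XOR sharing of a 256-bit key.
function splitKey(string $key): array
{
    $sessionShare = random_bytes(strlen($key));   // uniformly random share
    return [$sessionShare, $key ^ $sessionShare]; // [session share, cookie share]
}

function joinKey(string $sessionShare, string $cookieShare): string
{
    if (strlen($sessionShare) !== 32 || strlen($cookieShare) !== 32) {
        throw new InvalidArgumentException('two 32-byte shares are required');
    }
    return $sessionShare ^ $cookieShare; // bytewise XOR of PHP strings
}

// AES-256-GCM with a fresh 96-bit nonce per call; output is nonce || tag || ciphertext.
// $context is bound as associated data so a filename blob cannot pass as file content.
function seal(string $key, string $plaintext, string $context): string
{
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $context, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

function unseal(string $key, string $blob, string $context): string
{
    if (strlen($blob) < 28) { throw new RuntimeException('blob too short'); }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($blob, 0, 12), substr($blob, 12, 16), $context);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: wrong key, context, or tampered data');
    }
    return $pt;
}

// Constructed sample data.
[$sessionShare, $cookieShare] = splitKey(random_bytes(32));
$blob = seal(joinKey($sessionShare, $cookieShare), 'tax-2023.pdf', 'filename');
echo unseal(joinKey($sessionShare, $cookieShare), $blob, 'filename'), PHP_EOL;
try {
    unseal($cookieShare, $blob, 'filename'); // one share alone is not the key
} catch (RuntimeException $e) {
    echo 'cookie share only: ', $e->getMessage(), PHP_EOL;
}
```

With an XOR split each share on its own is a uniformly random 32-byte string, which is the property behind "a compromised cookie or session file alone yields nothing"; the guarantee does not cover the period when both shares are present on the server during a request.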