Show HN: Kurpod – an encrypted OSS "container file" you can name vacation.jpg
github.comI built Kurpod: a self-hosted file vault that stores many files inside a single encrypted blob you can name like an innocent file (e.g., “vacation.jpg”).
The twist: the same blob supports two passwords: - Password #1 unlocks a decoy volume (harmless files) - Password #2 unlocks a hidden volume (the real stuff)
Diagram: my_vacation.jpg (really an encrypted blob)
├─ pw1 → standard volume (decoy)
└─ pw2 → hidden volume (real)
Crypto primitives: Argon2id for KDF + XChaCha20-Poly1305 for encryption.
Quick start (Docker): docker run -p 3000:3000 -e BLOB_DIR=/data -v ./data:/data ghcr.io/srv1n/kurpod-server:latest open http://localhost:3000
Demo video: https://github.com/user-attachments/assets/d47b10cf-c38e-47e...
It’s an early release (expect bugs / not audited). I’d love feedback on:
1) threat model: what this protects well vs. where it’s weak
2) plausible-deniability ergonomics: what user mistakes would ruin the “decoy” story?
3) file format / crypto review: anything obviously dumb or dangerous?No comments yet.