I built Kurpod: a self-hosted file vault that stores many files inside a single encrypted blob you can name like an innocent file (e.g., “vacation.jpg”).

The twist: the same blob supports two passwords: - Password #1 unlocks a decoy volume (harmless files) - Password #2 unlocks a hidden volume (the real stuff)

Diagram: my_vacation.jpg (really an encrypted blob)

    ├─ pw1 → standard volume (decoy)

    └─ pw2 → hidden volume (real)

Important: this is filename disguise, not steganography / real file-format mimicry. If someone runs `file`, it won’t look like a JPEG.

Crypto primitives: Argon2id for KDF + XChaCha20-Poly1305 for encryption.

Quick start (Docker): docker run -p 3000:3000 -e BLOB_DIR=/data -v ./data:/data ghcr.io/srv1n/kurpod-server:latest open http://localhost:3000

Demo video: https://github.com/user-attachments/assets/d47b10cf-c38e-47e...

It’s an early release (expect bugs / not audited). I’d love feedback on:

  1) threat model: what this protects well vs. where it’s weak

  2) plausible-deniability ergonomics: what user mistakes would ruin the “decoy” story?

  3) file format / crypto review: anything obviously dumb or dangerous?