CryptPad on Ubuntu 24.04 on Azure User Guide
Overview
CryptPad is a fully open source, end to end encrypted collaboration suite that you host yourself, a privacy first alternative to the mainstream online office suites. Every document is encrypted and decrypted in your browser, so the server stores only ciphertext and never sees your content or your password. Your team gets real time collaborative rich text Pads, Code and Markdown editors, full OnlyOffice backed Documents, Spreadsheets and Presentations, Kanban boards, a Whiteboard, Forms and Polls, a Calendar, and an encrypted Drive to organise it all.
The cloudimg image installs CryptPad 2026.5.1 (AGPL-3.0-or-later licensed) to /opt/cryptpad, runs it on Node.js 22 LTS as a hardened systemd service bound to the loopback address, and fronts it with nginx. Because CryptPad's security sandbox needs two separate browser origins, the image serves a main origin on port 80 and an isolated sandbox origin on port 3001, and configures both for your VM automatically on first boot from the instance's own public IP. CryptPad is end to end encrypted, so there is no server side administrator password: the admin panel ships locked, and you unlock it by adding your own account's public signing key. Every VM generates its own unique secrets and an empty datastore on first boot. Backed by 24/7 cloudimg support.
What is included:
- CryptPad 2026.5.1 in
/opt/cryptpad, running on Node.js 22 LTS - The OnlyOffice document editors for Documents, Spreadsheets and Presentations
- The CryptPad server bound to loopback (
127.0.0.1:3000plus the websocket on3003), never exposed directly - nginx serving the main origin on
:80and the isolated sandbox origin on:3001 - Two per VM origins written on first boot from the instance's public IP, never a baked hostname
- An empty adminKeys list: no administrator ships in the image, you promote yourself
- A fresh, unique instance install token and datastore generated on first boot
cryptpad.serviceandnginx.serviceas systemd units- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point for a small team. NSG inbound: allow 22/tcp from your management network, plus 80/tcp (the main origin) and 3001/tcp (the security sandbox origin). Both 80 and 3001 must be reachable by your users' browsers or the sandbox cannot load. CryptPad serves plain HTTP by default; for production, put your own domain in front and terminate TLS (see the HTTPS section below).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for CryptPad by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and custom TCP 3001. Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name cryptpad \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name cryptpad --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name cryptpad --port 3001 --priority 1020
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services and the two origin architecture
CryptPad runs as cryptpad.service (the Node.js server, bound to loopback), with nginx.service as the public reverse proxy. The check below shows both services active and the listeners: CryptPad on 127.0.0.1:3000 (HTTP) and 127.0.0.1:3003 (websocket) is bound to loopback only, while nginx listens publicly on :80 (the main origin) and :3001 (the sandbox origin).
systemctl is-active cryptpad.service nginx.service
sudo ss -tlnp | grep -E ':3000|:3003|:80 |:3001'
node --version
Both services report active, the CryptPad ports are bound to 127.0.0.1 only, nginx is the sole public listener on :80 and :3001, and Node.js reports v22.x.

Step 5 - Retrieve your per VM instance details
Each VM generates its own instance details on first boot and writes them to a root only file, including a one time link you can use to create the first administrator account. Confirm the site is also being served through nginx on port 80:
sudo cat /root/cryptpad-credentials.txt
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/
The file contains CRYPTPAD_URL (your main origin), CRYPTPAD_SANDBOX_URL, and a CRYPTPAD_INSTALL_TOKEN with a one time CRYPTPAD_ADMIN_SETUP_URL for creating your first admin. The landing page returns HTTP 200 through nginx. Store these somewhere safe.

Step 6 - The two origin security sandbox
CryptPad isolates untrusted UI in a separate browser origin (the sandbox) from the origin that holds your account keys, so an XSS in the interface cannot reach your cryptographic keys. This image sets both origins to your VM's own address on first boot. The live server configuration below shows the per VM main and sandbox origins and an empty admin key list:
curl -s http://localhost/api/config | grep -E 'httpUnsafeOrigin|httpSafeOrigin|adminKeys'
httpUnsafeOrigin is your main origin (http://<vm-public-ip>), httpSafeOrigin is the sandbox origin on port 3001 (http://<vm-public-ip>:3001), and adminKeys is an empty list, confirming the origins are configured per VM and no administrator is baked into the image.

Step 7 - No baked administrator
Because CryptPad is end to end encrypted there is no server side admin password to leak. The image ships with an empty adminKeys list, and every VM regenerates its own unique install token and instance secret on first boot rather than shipping a shared one. The check below shows the empty admin list and confirms a fresh per VM install token with no pre added administrator key:
grep -n 'adminKeys' /etc/cryptpad/config.js
python3 -c "import json;L=[json.loads(x) for x in open('/var/lib/cryptpad/data/decrees/decree.ndjson') if x.strip()];print('install token present :', any(d[0]=='ADD_INSTALL_TOKEN' for d in L if isinstance(d,list) and d));print('baked admin key :', any(d[0] in ('ADD_ADMIN_KEY','ADD_ADMIN_KEYS') for d in L if isinstance(d,list) and d))"
adminKeys is [], the install token is present (freshly generated for this VM), and no administrator key is baked in. You become the administrator in Step 11.

Step 8 - Open the web UI and register
Browse to http://<vm-public-ip>/. The CryptPad landing page presents the full encrypted suite: Documents, Spreadsheets and Presentations, rich text Pads, Kanban, Code, Forms, Diagrams and more, with Sign up and Log in in the top right.

Select Sign up, choose a username and password, and confirm the warning that, because your data is end to end encrypted, a lost password cannot be recovered.
Step 9 - Collaborate on a pad
Create a Rich text pad from the landing page. CryptPad opens the collaborative editor with a full formatting toolbar; everything you type is encrypted in your browser before it reaches the server. Use Share to invite colleagues by encrypted link and edit the same document together in real time; the count in the top right shows how many people are online.

Step 10 - Your encrypted Drive
Signed in, your CryptDrive organises every document, spreadsheet, presentation and pad you create or that is shared with you. Create nested folders, use Templates and Trash, and track your storage. Everything in the Drive is end to end encrypted.

Step 11 - Promote yourself to administrator
No administrator ships in the image. To unlock the admin panel, open Settings and copy your account's Public Signing Key (the bracketed [cryptpad-user...] string). Add it to the adminKeys list in the configuration file and restart CryptPad:
sudo nano /etc/cryptpad/config.js
# set: adminKeys: [ "[your-public-signing-key]" ],
sudo systemctl restart cryptpad
Alternatively, visit the one time CRYPTPAD_ADMIN_SETUP_URL from Step 5 to create the first administrator directly. After either method, the Admin panel at /admin becomes available to your account.

Step 12 - Registration and instance policy
Open registration is enabled by default so your team can create accounts. Because the server can never read encrypted data, this is a reasonable default for a private instance, but once you are an administrator you can close registration from the admin panel (Users then Close registration) so only existing users remain. Storage limits, instance name and other policies are also managed from the admin panel.
Step 13 - Add a custom domain and HTTPS for production
CryptPad works over plain HTTP on a bare IP, but for production use your own domain with TLS. Point two names at the VM (a main domain and a sandbox domain, for example pad.example.com and sandbox-pad.example.com), obtain certificates, then set both origins in the configuration and restart:
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d pad.example.com -d sandbox-pad.example.com
Then edit /etc/cryptpad/config.js and set httpUnsafeOrigin: 'https://pad.example.com' and httpSafeOrigin: 'https://sandbox-pad.example.com', and run sudo systemctl restart cryptpad so generated links and the security sandbox use your HTTPS domains. Serving over HTTPS also enables the offline service worker and other secure context features.
Maintenance
- Restart the app:
sudo systemctl restart cryptpad.service - View logs:
sudo journalctl -u cryptpad.service -e - Configuration: runtime settings live in
/etc/cryptpad/config.js; the app is in/opt/cryptpadand data in/var/lib/cryptpad. - OS updates: unattended-upgrades is enabled; apply the latest security updates with
sudo apt-get update && sudo apt-get -y upgradeand reboot if a new kernel is installed. - Back up: stop
cryptpad.serviceand copy/var/lib/cryptpad(the encrypted datastore, blocks, blobs and decrees).
Support
This image is maintained by cloudimg with 24/7 support. CryptPad is licensed under AGPL-3.0-or-later and is shipped unmodified. "CryptPad" is a trademark of its respective owner; this image is provided by cloudimg and is not endorsed by or affiliated with CryptPad or XWiki.