Applications Azure

CryptPad on Ubuntu 24.04 on Azure User Guide

| Product: CryptPad on Ubuntu 24.04 LTS on Azure

Overview

CryptPad is a fully open source, end to end encrypted collaboration suite that you host yourself, a privacy first alternative to the mainstream online office suites. Every document is encrypted and decrypted in your browser, so the server stores only ciphertext and never sees your content or your password. Your team gets real time collaborative rich text Pads, Code and Markdown editors, full OnlyOffice backed Documents, Spreadsheets and Presentations, Kanban boards, a Whiteboard, Forms and Polls, a Calendar, and an encrypted Drive to organise it all.

The cloudimg image installs CryptPad 2026.5.1 (AGPL-3.0-or-later licensed) to /opt/cryptpad, runs it on Node.js 22 LTS as a hardened systemd service bound to the loopback address, and fronts it with nginx. Because CryptPad's security sandbox needs two separate browser origins, the image serves a main origin on port 80 and an isolated sandbox origin on port 3001, and configures both for your VM automatically on first boot from the instance's own public IP. CryptPad is end to end encrypted, so there is no server side administrator password: the admin panel ships locked, and you unlock it by adding your own account's public signing key. Every VM generates its own unique secrets and an empty datastore on first boot. Backed by 24/7 cloudimg support.

What is included:

  • CryptPad 2026.5.1 in /opt/cryptpad, running on Node.js 22 LTS
  • The OnlyOffice document editors for Documents, Spreadsheets and Presentations
  • The CryptPad server bound to loopback (127.0.0.1:3000 plus the websocket on 3003), never exposed directly
  • nginx serving the main origin on :80 and the isolated sandbox origin on :3001
  • Two per VM origins written on first boot from the instance's public IP, never a baked hostname
  • An empty adminKeys list: no administrator ships in the image, you promote yourself
  • A fresh, unique instance install token and datastore generated on first boot
  • cryptpad.service and nginx.service as systemd units
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point for a small team. NSG inbound: allow 22/tcp from your management network, plus 80/tcp (the main origin) and 3001/tcp (the security sandbox origin). Both 80 and 3001 must be reachable by your users' browsers or the sandbox cannot load. CryptPad serves plain HTTP by default; for production, put your own domain in front and terminate TLS (see the HTTPS section below).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for CryptPad by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and custom TCP 3001. Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name cryptpad \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name cryptpad --port 80   --priority 1010
az vm open-port --resource-group <your-rg> --name cryptpad --port 3001 --priority 1020

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services and the two origin architecture

CryptPad runs as cryptpad.service (the Node.js server, bound to loopback), with nginx.service as the public reverse proxy. The check below shows both services active and the listeners: CryptPad on 127.0.0.1:3000 (HTTP) and 127.0.0.1:3003 (websocket) is bound to loopback only, while nginx listens publicly on :80 (the main origin) and :3001 (the sandbox origin).

systemctl is-active cryptpad.service nginx.service
sudo ss -tlnp | grep -E ':3000|:3003|:80 |:3001'
node --version

Both services report active, the CryptPad ports are bound to 127.0.0.1 only, nginx is the sole public listener on :80 and :3001, and Node.js reports v22.x.

CryptPad and nginx active, the CryptPad server bound to loopback 3000 and 3003, and nginx serving the public main origin on 80 and the sandbox origin on 3001

Step 5 - Retrieve your per VM instance details

Each VM generates its own instance details on first boot and writes them to a root only file, including a one time link you can use to create the first administrator account. Confirm the site is also being served through nginx on port 80:

sudo cat /root/cryptpad-credentials.txt
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/

The file contains CRYPTPAD_URL (your main origin), CRYPTPAD_SANDBOX_URL, and a CRYPTPAD_INSTALL_TOKEN with a one time CRYPTPAD_ADMIN_SETUP_URL for creating your first admin. The landing page returns HTTP 200 through nginx. Store these somewhere safe.

The per-VM CryptPad instance details file with the main and sandbox origins and the one-time admin setup link, and the landing page returning HTTP 200 through nginx

Step 6 - The two origin security sandbox

CryptPad isolates untrusted UI in a separate browser origin (the sandbox) from the origin that holds your account keys, so an XSS in the interface cannot reach your cryptographic keys. This image sets both origins to your VM's own address on first boot. The live server configuration below shows the per VM main and sandbox origins and an empty admin key list:

curl -s http://localhost/api/config | grep -E 'httpUnsafeOrigin|httpSafeOrigin|adminKeys'

httpUnsafeOrigin is your main origin (http://<vm-public-ip>), httpSafeOrigin is the sandbox origin on port 3001 (http://<vm-public-ip>:3001), and adminKeys is an empty list, confirming the origins are configured per VM and no administrator is baked into the image.

The live CryptPad configuration showing the per-VM main and sandbox origins and an empty adminKeys list

Step 7 - No baked administrator

Because CryptPad is end to end encrypted there is no server side admin password to leak. The image ships with an empty adminKeys list, and every VM regenerates its own unique install token and instance secret on first boot rather than shipping a shared one. The check below shows the empty admin list and confirms a fresh per VM install token with no pre added administrator key:

grep -n 'adminKeys' /etc/cryptpad/config.js
python3 -c "import json;L=[json.loads(x) for x in open('/var/lib/cryptpad/data/decrees/decree.ndjson') if x.strip()];print('install token present :', any(d[0]=='ADD_INSTALL_TOKEN' for d in L if isinstance(d,list) and d));print('baked admin key       :', any(d[0] in ('ADD_ADMIN_KEY','ADD_ADMIN_KEYS') for d in L if isinstance(d,list) and d))"

adminKeys is [], the install token is present (freshly generated for this VM), and no administrator key is baked in. You become the administrator in Step 11.

CryptPad ships with an empty adminKeys list and a fresh per-VM install token, and no baked administrator key

Step 8 - Open the web UI and register

Browse to http://<vm-public-ip>/. The CryptPad landing page presents the full encrypted suite: Documents, Spreadsheets and Presentations, rich text Pads, Kanban, Code, Forms, Diagrams and more, with Sign up and Log in in the top right.

The CryptPad landing page served by your VM, showing the end-to-end encrypted collaboration suite with Sign up and Log in

Select Sign up, choose a username and password, and confirm the warning that, because your data is end to end encrypted, a lost password cannot be recovered.

Step 9 - Collaborate on a pad

Create a Rich text pad from the landing page. CryptPad opens the collaborative editor with a full formatting toolbar; everything you type is encrypted in your browser before it reaches the server. Use Share to invite colleagues by encrypted link and edit the same document together in real time; the count in the top right shows how many people are online.

A CryptPad rich text pad with live content and the collaborative editing toolbar

Step 10 - Your encrypted Drive

Signed in, your CryptDrive organises every document, spreadsheet, presentation and pad you create or that is shared with you. Create nested folders, use Templates and Trash, and track your storage. Everything in the Drive is end to end encrypted.

The CryptPad encrypted CryptDrive file manager for a registered account

Step 11 - Promote yourself to administrator

No administrator ships in the image. To unlock the admin panel, open Settings and copy your account's Public Signing Key (the bracketed [cryptpad-user...] string). Add it to the adminKeys list in the configuration file and restart CryptPad:

sudo nano /etc/cryptpad/config.js
# set:  adminKeys: [ "[your-public-signing-key]" ],
sudo systemctl restart cryptpad

Alternatively, visit the one time CRYPTPAD_ADMIN_SETUP_URL from Step 5 to create the first administrator directly. After either method, the Admin panel at /admin becomes available to your account.

The CryptPad Settings page showing the account's public signing key, which you add to adminKeys to become administrator

Step 12 - Registration and instance policy

Open registration is enabled by default so your team can create accounts. Because the server can never read encrypted data, this is a reasonable default for a private instance, but once you are an administrator you can close registration from the admin panel (Users then Close registration) so only existing users remain. Storage limits, instance name and other policies are also managed from the admin panel.

Step 13 - Add a custom domain and HTTPS for production

CryptPad works over plain HTTP on a bare IP, but for production use your own domain with TLS. Point two names at the VM (a main domain and a sandbox domain, for example pad.example.com and sandbox-pad.example.com), obtain certificates, then set both origins in the configuration and restart:

sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d pad.example.com -d sandbox-pad.example.com

Then edit /etc/cryptpad/config.js and set httpUnsafeOrigin: 'https://pad.example.com' and httpSafeOrigin: 'https://sandbox-pad.example.com', and run sudo systemctl restart cryptpad so generated links and the security sandbox use your HTTPS domains. Serving over HTTPS also enables the offline service worker and other secure context features.

Maintenance

  • Restart the app: sudo systemctl restart cryptpad.service
  • View logs: sudo journalctl -u cryptpad.service -e
  • Configuration: runtime settings live in /etc/cryptpad/config.js; the app is in /opt/cryptpad and data in /var/lib/cryptpad.
  • OS updates: unattended-upgrades is enabled; apply the latest security updates with sudo apt-get update && sudo apt-get -y upgrade and reboot if a new kernel is installed.
  • Back up: stop cryptpad.service and copy /var/lib/cryptpad (the encrypted datastore, blocks, blobs and decrees).

Support

This image is maintained by cloudimg with 24/7 support. CryptPad is licensed under AGPL-3.0-or-later and is shipped unmodified. "CryptPad" is a trademark of its respective owner; this image is provided by cloudimg and is not endorsed by or affiliated with CryptPad or XWiki.