Zero-trust by default
XChaCha20-Poly1305 + Argon2id. Your storage provider sees encrypted blobs and a manifest whose contents — including file names — are encrypted too.
For small teams handling sensitive files — medical records, legal documents, financial data. Files are encrypted on your machine before they leave it. Lock-based coordination prevents two people from editing the same file at once. No accounts. No servers we run. Your bucket, your keys.
Bring your own bucket on Tigris (5 GB free), Backblaze B2 (10 GB free), AWS S3, MinIO, or anything S3-compatible. Move providers any time.
Atomic locks on the bucket prevent two people from editing the same file at the same time. No silent overwrites. Audit trail of every check-in and check-out.
Work offline. Sync when you’re back online. No internet round-trips for operations on files you already have.
Source code is published for transparency and security review. The binary is proprietary; auditing the code that protects your data is non-negotiable.
Code-signed on macOS (Apple Developer ID + notarization) and Windows (Trusted Signing). Background updater — no manual reinstalls.
€79 one-time
€299 up to 5 users, one-time
Renewing for another year of updates after the first is optional — €29/year. The version you bought stays usable forever.
Full features for 14 days. After that, read access stays available so you never lose your data.
No. The onboarding wizard walks you through picking a provider (Tigris is recommended — 5 GB free, no card required) and links to their signup page. You enter your access key and secret key once, and Kerveros handles the rest.
Your files are unrecoverable. The passphrase derives the encryption key — we never see it, store it on a server, or have a backdoor. Save it in a password manager before you upload anything important.
No. Files are encrypted with XChaCha20-Poly1305 before they leave your machine. The manifest that maps file IDs to file names is also encrypted — the provider can’t even see what files you have, only opaque blobs.
Kerveros is a tool, not a compliance program. Compliance is a property of your processes and your storage provider. The encryption properties (XChaCha20-Poly1305 + Argon2id, client-side keys) are appropriate for regulated workflows, but you remain responsible for the BAA / DPA with your storage provider, your access policies, and your incident response. We don’t sign BAAs because we never see your data; the chain of custody is between you and your bucket.
Nothing breaks. The version you have keeps working forever. Renewing for another year of updates is €19. Most users renew because security fixes are part of updates.
Offline. Your license key is an Ed25519-signed token; the app verifies it against an embedded public key. No phone-home, no license server, no internet required after activation.