
LeafLock Documentation

End-to-end encrypted notes with zero-knowledge architecture. Technical documentation for developers and operators.

Stack: Go 1.23 backend (Fiber), React 18 frontend (TypeScript, Vite), PostgreSQL 15, Redis 7

Encryption: XChaCha20-Poly1305 (client-side E2EE), Argon2id (64MB memory, 3 iterations, parallelism 4)

Zero-Knowledge: Server stores encrypted blobs only, no plaintext access to user data

Encryption Architecture

XChaCha20-Poly1305 implementation, key derivation, zero-knowledge architecture details

API Reference

REST API endpoints, WebSocket protocol, request/response schemas, authentication flow

Database Schema

PostgreSQL tables, indexes, triggers, encryption columns, relationships

Environment Variables

Complete configuration reference, security settings, deployment parameters

# Clone repository
git clone https://github.com/RelativeSure/LeafLock
cd LeafLock
# Start with Docker Compose
docker compose up -d
# Or with Podman
make up
# Access application
open http://localhost:3000

Default admin: admin@leaflock.app, with the password configured via DEFAULT_ADMIN_PASSWORD

  • Client-side encryption (XChaCha20-Poly1305, 256-bit keys)
  • Password hashing (Argon2id, 64MB memory)
  • JWT authentication with Redis session validation
  • Real-time WebSocket collaboration
  • Version history and soft-delete trash
  • Folder/tag organization
  • Template system
  • File attachments (encrypted in-database)
  • Searchable encryption (HMAC-based keyword index)
  • GDPR-compliant data handling

  • Docker/Podman: docker-compose.yml with PostgreSQL, Redis, backend, frontend
  • Kubernetes: Helm charts in helm/leaflock/
  • Railway: IPv6 private network support
  • Coolify: Single-server deployment

View deployment guides →

Backend (backend/):

  • main.go - HTTP server, routes
  • handlers/ - API endpoints
  • crypto/ - Argon2id password hashing
  • database/ - PostgreSQL schema, migrations
  • middleware/ - JWT validation, CORS, rate limiting

Frontend (frontend/src/):

  • App.tsx - CryptoService (libsodium encryption)
  • components/ - React UI components
  • services/ - API clients

Database:

  • Encrypted columns: BYTEA (ChaCha20-Poly1305 or XChaCha20-Poly1305)
  • Hashed columns: BYTEA (SHA-256) or TEXT (Argon2id)
  • Indexed for performance: partial indexes on active records

Threat Model: The zero-knowledge design protects against server compromise and database dumps. It does not protect against client-side XSS or phishing.

Recommendations:

  • HTTPS required
  • Strong passwords (12+ chars, complexity enforced)
  • MFA recommended
  • Regular key rotation (planned feature)
  • CSP headers configured