Open-source secure intake

A drop box with a hard stop.

Sprag is a tiny self-hosted file intake box for one-way uploads. People can push documents into an unguessable URL; they cannot list, browse, or pull anything back out. When server-blind mode is enabled, files are post-quantum end-to-end encrypted in the sender's browser before upload.

What it is

Not sharing. Intake.

Sprag is asymmetric by design. An operator creates a capability URL, gives it to someone who needs to submit files, and receives the upload in an admin-only dashboard. The sender does not need an account, cannot see other submissions, and cannot retrieve the file later.

That narrow shape is the point. Sprag avoids folders, comments, previews, sync, workflow builders, and multi-tenant permission trees so the public surface stays legible enough to inspect and operate.

Why it is unusual

Server-blind post-quantum E2E, without the platform weight.

Most public upload links are collaboration products turned sideways. Their servers can usually read the files in normal operation. Sprag is built only for inbound intake, so the security model can be simpler and sharper.

With E2E intake enabled, the upload page carries the public key, the sender's browser encrypts the file and metadata locally, and the server stores an encrypted envelope it cannot decrypt. The profile combines ML-KEM-1024 with P-384, HKDF-SHA-512, and AES-256-GCM, so the file body itself is encrypted, not just the TLS connection.
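As an added illustration of how a hybrid profile like the one named above fits together, the Go example below seals a file body and its metadata with ML-KEM-1024 plus a P-384 ephemeral exchange, derives the AES-256-GCM key with HKDF-SHA-512, and opens it again on the operator side. It is not Sprag's code or wire format: the `Recipient` and `Envelope` layouts, the `kdfInfo` label, and the choice to bind metadata as GCM associated data are assumptions made for this example. It uses only the standard library and needs Go 1.24 or later for `crypto/mlkem` and `crypto/hkdf`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha512"
)

// Recipient holds the private keys of one encrypted intake page. The layout is
// hypothetical for this illustration and is not Sprag's key format.
type Recipient struct {
	kem *mlkem.DecapsulationKey1024
	ec  *ecdh.PrivateKey
}

// Envelope is everything the server and bucket store for one upload: no key
// material that would let them open the Body.
type Envelope struct {
	KEMCiphertext []byte // ML-KEM-1024 ciphertext for the page's KEM key
	ECEphemeral   []byte // sender's one-time P-384 public key
	Nonce         []byte // AES-GCM nonce, fresh per upload
	Body          []byte // AES-256-GCM ciphertext followed by the tag
}

// kdfInfo is a constructed domain-separation label, not a Sprag value.
const kdfInfo = "hybrid-intake-example-v1"

// NewRecipient generates both halves of the hybrid key pair for a new page.
func NewRecipient() (*Recipient, error) {
	kem, err := mlkem.GenerateKey1024()
	if err != nil { return nil, err }
	ec, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Recipient{kem: kem, ec: ec}, nil
}

// PublicKeys returns the two public keys an upload page would carry to the sender.
func (r *Recipient) PublicKeys() (kemPub, ecPub []byte) {
	return r.kem.EncapsulationKey().Bytes(), r.ec.PublicKey().Bytes()
}

// aeadFor feeds both shared secrets through one HKDF-SHA-512 call, so the AES
// key stays secret as long as either the lattice KEM or the P-384 exchange holds.
func aeadFor(ssKEM, ssEC []byte) (cipher.AEAD, error) {
	ikm := append(append([]byte{}, ssKEM...), ssEC...)
	key, err := hkdf.Key(sha512.New, ikm, nil, kdfInfo, 32)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is the sender's browser-side step: encapsulate to both public keys,
// derive one key, and bind the metadata as GCM associated data.
func Seal(kemPub, ecPub, plaintext, metadata []byte) (*Envelope, error) {
	ek, err := mlkem.NewEncapsulationKey1024(kemPub)
	if err != nil { return nil, err }
	ssKEM, ctKEM := ek.Encapsulate()
	recip, err := ecdh.P384().NewPublicKey(ecPub)
	if err != nil { return nil, err }
	eph, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	ssEC, err := eph.ECDH(recip)
	if err != nil { return nil, err }
	aead, err := aeadFor(ssKEM, ssEC)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in Go 1.24+
	body := aead.Seal(nil, nonce, plaintext, metadata)
	return &Envelope{KEMCiphertext: ctKEM, ECEphemeral: eph.PublicKey().Bytes(), Nonce: nonce, Body: body}, nil
}

// Open is the operator's dashboard step and needs the private keys the server
// never holds. Any change to the envelope or the metadata fails the GCM tag check.
func (r *Recipient) Open(env *Envelope, metadata []byte) ([]byte, error) {
	ssKEM, err := r.kem.Decapsulate(env.KEMCiphertext)
	if err != nil { return nil, err }
	ephPub, err := ecdh.P384().NewPublicKey(env.ECEphemeral)
	if err != nil { return nil, err }
	ssEC, err := r.ec.ECDH(ephPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(ssKEM, ssEC)
	if err != nil { return nil, err }
	return aead.Open(nil, env.Nonce, env.Body, metadata)
}
```

Two properties of the construction are worth noticing. Both shared secrets go into a single HKDF input, so an attacker has to break both ML-KEM-1024 and P-384 to recover the AES key. And because the metadata is passed as GCM associated data, a server that renames or relabels a stored envelope cannot do so silently: the operator's `Open` fails the tag check, which is the kind of integrity failure an intake dashboard should surface rather than swallow.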

One direction

No uploader listing surface.

Uploaders can open a page, pass a PIN if required, send files, and leave. There is no public file browser behind the URL.

Small footprint

One Go binary, SQLite, S3.

Metadata stays in SQLite; file bodies stream to any S3-compatible bucket. Large uploads do not need local disk buffering.

Server-blind mode

Ciphertext before upload.

When E2E is required, the server and bucket only handle ciphertext and encrypted metadata envelopes.

When to use it

For sensitive files from people who should not need an account.

Good fit

  • Lawyers receiving privileged client documents.
  • Journalists collecting source material or leaks.
  • HR and compliance teams running an intake channel.
  • Doctors, researchers, and operators collecting sensitive records.

Wrong tool

  • Shared folders, sync, or collaboration workspaces.
  • Ticketing systems, form builders, or case management.
  • Multi-user document review and permission workflows.
  • Any workflow where the sender must retrieve files later.

Deploy the tool

One binary behind HTTPS.

This website is static, but Sprag itself is a server application. A production deployment needs a public HTTPS URL, a session secret, an admin password hash, a local SQLite path, and credentials for an S3-compatible bucket.

1. Prepare configuration

Copy `.env.example`, set `BASE_URL`, generate `SESSION_SECRET`, create an admin bcrypt hash, and fill in S3 settings.

openssl rand -base64 32
go run ./cmd/sprag hash-password

2. Run with Docker Compose

The bundled Compose setup builds Sprag and runs Caddy in front of it for HTTPS. Point DNS at the host first.

SPRAG_DOMAIN=sprag.example \
  docker compose up --build -d

3. Enable E2E when required

Turn on server-blind intake, create an encrypted page, and back up the private key immediately.

E2E_INTAKE_ENABLED=true
E2E_INTAKE_REQUIRED=true

Operational rule

If an encrypted page's private key is lost, its encrypted uploads are gone. That is the cost of keeping the Sprag server blind.