Self-Hosting

Keeplas is AGPL-3.0 and fully self-hostable. Run the whole stack on your own infrastructure — your data, your servers, your rules. Because the vault is zero-knowledge, self-hosting changes who operates the servers, not who can read your data. Only you can.

Requirements

You need a recent Node toolchain, pnpm, and a Convex deployment. Docker is optional for a containerized dev environment.

  • Node.js 20+ and pnpm 10+ (corepack enable recommended)
  • A Convex deployment — Convex Cloud or self-hosted (CONVEX_MODE=selfhosted)
  • Docker (optional) for a pinned, containerized dev environment

One-command bootstrap

Clone the repo, then run the bootstrap script. It copies .env.local, installs dependencies, and links per-package env files.

git clone https://github.com/Keeplas/keeplas.git
cd keeplas
pnpm bootstrap

Provision Convex and secrets

Generate the audit HMAC secret, provision your Convex deployment, seed the auth keys, sync env, then boot the app.

openssl rand -base64 32        # set KEEPLAS_CTX_SECRET in .env.local
npx convex dev --once --configure=new
npx @convex-dev/auth            # seeds JWT keys
pnpm sync:convex-env
pnpm dev

The app is now serving on http://localhost:3000. Convex is running in dev mode against your account.

Or use Docker

Prefer containers? The provided Dockerfile.dev pins Node and pnpm to match CI, with source bind-mounted for hot reload.

cp .env.local.example .env.local   # then fill KEEPLAS_CTX_SECRET
docker compose up
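Both the manual path and the Docker path need KEEPLAS_CTX_SECRET filled in .env.local before the app boots. The following preflight is an added example, not part of the Keeplas repo: it assumes .env.local holds dotenv-style KEY=value lines, and the function names and the /dev/urandom fallback are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Keeplas project code. Assumption: .env.local holds
# dotenv-style KEY=value lines, including KEEPLAS_CTX_SECRET.

# Last KEEPLAS_CTX_SECRET value in file $1, optional quotes stripped.
ctx_secret_value() {
  sed -n 's/^KEEPLAS_CTX_SECRET=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Number of bytes the value decodes to (0 when unset or not base64).
ctx_secret_bytes() {
  ctx_secret_value "$1" | tr -d '\n' | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# True when group and other have no access to file $1.
env_file_private() {
  case "$(ls -ld "$1" 2>/dev/null)" in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a fresh secret only when none is set. An existing value is never
# overwritten: HMAC tags made with the old key would no longer verify.
ensure_ctx_secret() {
  local f=$1 secret tmp
  [ -f "$f" ] || : > "$f"
  chmod 600 "$f"
  if [ -n "$(ctx_secret_value "$f")" ]; then
    [ "$(ctx_secret_bytes "$f")" -ge 32 ] && return 0
    echo "KEEPLAS_CTX_SECRET in $f is not 32+ bytes of base64; fix by hand" >&2
    return 1
  fi
  # Same generator as the documented step; /dev/urandom is a fallback assumption.
  secret=$(openssl rand -base64 32 2>/dev/null) ||
    secret=$(head -c 32 /dev/urandom | base64)
  tmp=$(mktemp "$f.XXXXXX") || return 1
  grep -v '^KEEPLAS_CTX_SECRET=' "$f" > "$tmp" || true
  printf 'KEEPLAS_CTX_SECRET=%s\n' "$secret" >> "$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$f"
}
```

Source the file and run `ensure_ctx_secret .env.local` before `pnpm dev` or `docker compose up`; a non-zero exit means a placeholder or short value is still in the file.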

Deploying to production

The reference deployment targets Vercel for the web app and Convex Cloud for the backend. Both are free-tier friendly and require zero infra work; together they let you run a hardened, observability-equipped Keeplas without managing servers.

If you want full sovereignty, the Convex backend can run self-hosted (CONVEX_MODE=selfhosted) against any Postgres-compatible store. The Next.js app is a standard Node application — deploy it anywhere that runs Node 20+.

Because the vault is zero-knowledge, server operators (you, in this case) only ever see ciphertext. Self-hosting changes who runs the infrastructure, not who can decrypt your data.

What's next

  • Architecture — what's in apps/web, packages/convex, and packages/crypto
  • Contributing — workflow, CLA, restricted areas, security disclosure