Source code

You can read the code

All of ColdStorage is on GitHub — the Mac app, the daemon that does the encrypting and uploading, the account service, and this website.

Why it's public

We tell you your files are encrypted before they leave your Mac and that we never get the key. That's a claim, and a claim about encryption isn't worth much if you have to take our word for it. The code is there, so you can go and check instead.

Where to look

The encryption lives in the ColdStorageCore package. Crypto.swift does the per-file envelope encryption, and ZeroKnowledgeKeys.swift is the part that wraps your master key under your recovery code so that only that code can unwrap it. Those two files are where “only you hold the key” is either true or it isn't.

The license, and what it doesn't say

The code is under the Functional Source License. You can read it, run it, change it, and build on it. The one thing you can't do is use it to run a storage service that competes with ours.

Two years after we ship any given version, that restriction lapses and the version becomes Apache 2.0 — a normal open source license, automatically, whether we're still here or not.

That's a real limit, so we're not going to call this open source. It isn't.

Running your own copy

The paid service is still a service. Readable code doesn't come with storage attached — running your own means bringing your own storage account and paying for that directly.

We're not taking contributions

Not for now. It's a small operation, and reviewing patches is time that isn't going into the app. Issues are still worth opening if you find something broken.

If you find a security problem, email it to us instead of opening a public issue, and give us a chance to fix it before you write it up.

Read the code on GitHubgithub.com/benhonda/coldstorage