CloakShare CloakShare
Log in Get API Key

February 28, 2026

How to Self-Host a Secure Document Sharing Platform with Docker

If you need secure document sharing but don't want your files sitting on someone else's servers, self-hosting is the answer. Cloak is an open-source, MIT-licensed platform that gives you tokenized links with watermarks, analytics, and access controls — all running on your own infrastructure. This guide walks you through setting it up with Docker Compose in under ten minutes.

Prerequisites

You need a machine (local or cloud) with Docker and Docker Compose installed. That's it. Cloak's Docker image bundles everything — the API server, the document viewer, the processing pipeline, and ffmpeg for video transcoding. No external dependencies.

  • + Docker Engine 20.10 or newer
  • + Docker Compose v2
  • + 2 GB of RAM minimum (4 GB recommended for video processing)
  • + A domain name (optional, but required for HTTPS in production)

Step 1: Clone the repository

Pull down the Cloak source code and navigate to the project root. 

$ git clone https://github.com/cloakshare/cloakshare.git
$ cd cloak

Step 2: Configure environment

Copy the example environment file and set your secrets. The only required value is a random string for SECRET_KEY — this signs your API tokens and link URLs. 

$ cp .env.example .env
$ nano .env

# .env
SECRET_KEY=your-random-secret-at-least-32-chars
DATABASE_URL=postgres://cloak:cloak@db:5432/cloak
STORAGE_PATH=/data/uploads
BASE_URL=https://your-domain.com

Step 3: Start the server

One command brings up the API server, PostgreSQL database, and file storage — all pre-configured and networked together. 

$ docker compose up -d

✓ Container cloak-db      Started
✓ Container cloak-server  Started

$ curl http://localhost:3000/health
{"status": "ok"}

Step 4: Create your API key

Use the built-in CLI to generate your first API key. This key authenticates all subsequent API calls. 

$ docker compose exec server cloak apikey create --name "my-key"

{"api_key": "ck_live_s3cR3tK3y...", "name": "my-key", "created_at": "2026-02-28T12:00:00Z"}

Step 5: Upload your first document

With the API key in hand, upload a PDF and get a secure link back. Set watermarking and email gating to protect the content. 

$ curl -X POST http://localhost:3000/v1/links \
    -H "Authorization: Bearer ck_live_s3cR3tK3y..." \
    -F file=@contract.pdf \
    -F watermark=true \
    -F email_required=true

{"id": "lnk_aB3xZ9", "secure_url": "http://localhost:3000/s/lnk_aB3xZ9", "type": "document", "pages": 12}

Step 6: Share the link

Send the secure_url to your recipient. They'll see a browser-based document viewer with your watermark overlay. Every page view, time-on-page, and completion event is logged and queryable via the analytics API. No plugins, no downloads — it just works.

Video support

Cloak also supports video files. When you upload an MP4, WebM, or MOV, the server transcodes it to HLS using ffmpeg, which is already included in the Docker image. No additional setup is needed. The same security features — watermarks, email gate, expiry, and analytics — apply to video links.

Production considerations

For production deployments, put a reverse proxy (Nginx, Caddy, or Traefik) in front of Cloak to handle TLS termination. Point your domain's DNS to the server, set the BASE_URL in your .env, and your secure links will use your custom domain automatically.

Next steps

You now have a fully functional secure document sharing platform on your own server. No vendor lock-in, no per-user fees, and full control over your data.

Sign up at app.cloakshare.dev if you'd prefer a managed cloud version with CDN delivery, custom domains, and team management. Or explore the full API in the GitHub repository.