Skip to content
A Django webapp to escrow filevault keys sent by the Crypt client app.
Python CSS HTML JavaScript Other
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
fvserver bump version Dec 12, 2019


Crypt is a tool for securely storing secrets such as FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys.

This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured, use admin/password to login. If you intend on using the server for anything semi-serious it is a good idea to change the password or add a new admin user and delete the default one.


  • Secrets are encrypted in the database
  • All access is audited - all reasons for retrieval and approval are logged along side the users performing the actions
  • Two step approval for retrieval of secrets is enabled by default
  • Approval permission can be given to all users (so just any two users need to approve the retrieval) or a specific group of users

Installation instructions

It is recommended that you use Docker to run this, but if you wish to run directly on a host, installation instructions are over in the docs directory


These settings are for the upcoming Crypt Server 3 release. Please refer to these settings for the present 2.x releases

All settings that would be entered into can also be passed into the Docker container as environment variables.

  • FIELD_ENCRYPTION_KEY - The key to use when encrypting the secrets. This is required.

  • SEND_EMAIL - Crypt Server can send email notifcations when secrets are requested and approved. Set SEND_EMAIL to True, and set HOST_NAME to your server's host and URL scheme (e.g. For configuring your email settings, see the Django documentation.

  • APPROVE_OWN - By default, users with approval permissons can approve their own key requests. By setting this to False in (or by using the APPROVE_OWN environment variable with Docker), users cannot approve their own requests.

  • ALL_APPROVE - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in, all users are given this permission when they log in.

  • ROTATE_VIEWED_SECRETS - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it when the secret has been viewed. Enable by setting this to True or by using ROTATE_VIEWED_SECRETS and setting to true.


Main Page: Crypt Main Page

Computer Info: Computer info

User Key Request: Userkey request

Manage Requests: Manage Requests

Approve Request: Approve Request

Key Retrieval: Key Retrieval

You can’t perform that action at this time.