zero-knowledge · local-first · peer-to-peer

Your data.Your devices.Nobody else.

Sharu is a decentralized, zero-knowledge, local-first backup and sync platform. Files are encrypted on your device and synced peer-to-peer across your own machines — no servers, no accounts, and no one who can read them but you.

See the pipeline

The problem

Cloud backup asks you to trust someone else with everything.

You hand over the keys

Conventional cloud storage can read, scan, and monetize your files. One breach or quiet policy change exposes a lifetime of data.

A single point of failure

Accounts get locked, companies shut down, terms change. Your backup should not depend on one provider staying alive and benevolent.

Lock-in and rent

Your own files held behind a monthly subscription and a proprietary client you do not control.

How it works

Encrypt locally. Sync directly. Restore anywhere.

  1. Encrypt on device

    Your passphrase derives a key with Argon2id. Files are split into content-defined chunks and sealed with AES-256-GCM. The key never leaves your device.

  2. Address by hash

    Every encrypted block is addressed by its BLAKE3 hash — content-addressed, tamper-evident storage where only ciphertext is ever written.

  3. Sync peer-to-peer

    Your devices find each other over Iroh (QUIC) and exchange encrypted blocks directly — relay-only in the browser, direct hole-punching on desktop. The relay only ever sees ciphertext.

  4. Restore with proof

    A conflict-free replicated table tracks every file across devices. Restore reverses the pipeline and verifies each block against its hash.

Principles

Built on guarantees, not promises.

Zero-knowledge
Only ciphertext crosses the wire. Keys are never persisted in plaintext.
Local-first
Your files live on your devices and work offline. The network is an optimization, not a dependency.
Peer-to-peer
No central server owns your data. Devices sync directly with each other.
Streaming
Files are never fully buffered — multi-gigabyte backups stay memory-bounded.
Conflict-free
A CRDT allocation table converges deterministically and never silently drops a write.
Yours to own
Open architecture, content you can self-host, and a revocable trust model for lost devices.

Backup node

Add an always-on replica from your terminal.

Run safu-node on a server, NAS, or Raspberry Pi to keep a full ciphertext replica of everything your devices back up — an always-reachable copy, zero-knowledge and over Iroh. One command installs it; link a device with its connection code and it starts replicating.

Linux & macOScurl -fsSL https://new.sharu.io/install.sh | sh
Windows · PowerShellirm https://new.sharu.io/install.ps1 | iex

Prefer to read it first? Inspect the install script before you run it.

Take your backups back.

No account. No upload to anyone. Set a passphrase and start.