StealthSafe backend API for encrypted SSBC2 briefcases, SFTP storage, and secure automation.
303
ilterra/stealth_safe is the backend API and encrypted storage engine for
StealthSafe Docker Edition.
It reads and writes StealthSafe-compatible encrypted .ssbc2 briefcases,
manages encrypted profiles and attachments, connects to local or SFTP storage,
and exposes a versioned REST API for the official web interface and controlled
server-side integrations.
This image is one half of StealthSafe Docker Edition. Most users should run it together with
ilterra/stealth_safe_frontend.
The recommended installation package configures both official images, host folder access, persistent data, and the web port.
After extracting the package, start the published production images.
chmod +x start-stealthsafe-production.sh
./start-stealthsafe-production.sh
Run:
start-stealthsafe-production-windows.bat
When startup finishes, open:
http://localhost:33330
.ssbc2 briefcases./api/v1./docs and an OpenAPI document at /openapi.yaml.The backend can be used without the official frontend by internal tools, automation, or another trusted user interface. It is not intended to be exposed directly to the public Internet without an HTTPS reverse proxy and an appropriate external access-control layer.
The following example publishes the API only on the local machine and mounts a
host folder at /host:
docker run -d \
--name stealthsafe-backend \
--restart unless-stopped \
-p 127.0.0.1:18080:8080 \
-e STEALTHSAFE_DATA_DIR=/data \
-e STEALTHSAFE_LISTEN_ADDR=:8080 \
-e STEALTHSAFE_MOUNT_POINTS=Host=/host \
-v stealthsafe-data:/data \
-v /absolute/path/to/stealthsafe-files:/host \
ilterra/stealth_safe:latest
Then open:
On Windows, replace the bind-mount source with an absolute Docker-compatible
path such as C:/Users/Alex/Documents/StealthSafe.
Host filesystem permissions still apply. The container runs as the
unprivileged user 65532:65532 by default.
| Variable | Default | Purpose |
|---|---|---|
STEALTHSAFE_DATA_DIR | /data | Persistent encrypted profiles and remote cache |
STEALTHSAFE_LISTEN_ADDR | :8080 | Backend HTTP listen address |
STEALTHSAFE_SCAN_MAX_DEPTH | 12 | Maximum folder scan depth |
STEALTHSAFE_MOUNT_POINTS | Host=/host | Display names mapped to container paths |
For several mounted folders, use comma-separated mappings:
Documents=/host-documents,Shared=/host-shared
The /data directory must be persistent. It contains encrypted profile data
and synchronized remote cache data. Host folders containing .ssbc2 files are
mounted separately and remain under the host operating system's permission
model.
The production image contains a compiled and stripped Go binary in a minimal
scratch runtime. It contains no shell, package manager, source tree, or
compiler. Production builds use Garble to increase the cost of reverse
engineering, but data security relies on the encrypted SSBC2 format rather than
source-code secrecy.
Do not embed passwords, private keys, or other secrets in image layers or Compose files. SFTP credentials entered through StealthSafe are stored inside the encrypted user profile.
latest: most recently published release.2.2.1-alpha: pin a specific application release.Published images support:
linux/386linux/amd64linux/arm/v7linux/arm64For repeatable deployments, use the same version tag for both the backend and frontend images.
Content type
Image
Digest
sha256:6871e48c4…
Size
6.4 MB
Last updated
26 days ago
docker pull ilterra/stealth_safe