Getting Started

Broadly speaking, the steps to get started with Redact are as follows:

  1. Get access to a redact-store instance

  2. Install the redact-client locally on a device

  3. Point your browser to a Redact-enabled website

Setup Redact-store

The storage service can be either self-hosted or provided by a third party. Since it only stores encrypted data, the provider of the storage service does not need to be trusted, but should provide a reasonable level of protection against unauthorized requests.

A self-hosted storage is fairly easy to set up, and primarily involves procuring a database (currently only MongoDB is supported) and standing up the redact-store server to connect to it.

A third-party storage will simply provide a URL for the Client to connect to.

Self-hosted Storage

  1. Get access to a MongoDB instance

    • Sign up for a free, fully-managed instance at (easy, quick)

    • Set up an instance on your local device or host your own instance (harder, time-consuming, more customizable)

    • Minimum supported MongoDB version is 3.6

    • If running MongoDB locally and the storage cannot connect, try using in the connection string instead of a hostname

  2. Install Rust:

  3. git clone

  4. echo "export REDACT_DB_URL=\"<mongo connection string>\"" >> config/config.env

  5. echo "export REDACT_DB_NAME=\"<db name>\"" >> config/config.env

  6. source config/config.env

  7. cargo r

The port and address listened on by the storage server will be provided to the client.

Support multimedia (e.g. images, video)

Redact leverages object storage services in order to store large chunks of data that are unlikely or difficult to fit in a traditional database.

Currently, the only supported object storage is a Google Cloud Storage bucket.

In order to add this functionality to your storer, do the following:

  1. Sign up for Google Cloud and provision a Google Cloud Storage bucket

  2. Go to the Permissions tab of the bucket details page and add a new principal with Storage Legacy Bucket Writer permissions

  3. Go to the IAM & Admin section of Google Cloud and click on Service Accounts

  4. Click on Keys > Create new key, and create a new JSON key

  5. Download the key and save it to a safe place on your computer

  6. echo "export SERVICE_ACCOUNT=\"<path to file downloaded>\"" >> config/config.env

  7. echo "export REDACT_GOOGLE_STORAGE_BUCKET_NAME=\"<bucket name>\"" >> config/config.env

  8. source config/config.env

  9. cargo r
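
The steps above leave two secrets on disk: config/config.env (the MongoDB connection string) and the service account JSON key. The following is an added example, not part of Redact, that checks both are readable only by their owner; the function names are hypothetical and it assumes config.env holds the `export NAME="value"` lines written by the echo commands above.

```shell
#!/bin/sh
# Added example (not part of Redact): audit the secret-bearing files created above.
# Function names are hypothetical; config.env is assumed to contain the
# `export NAME="value"` lines written by the echo commands in the steps.

# Print the value of NAME ($2) from env file ($1); the last assignment wins,
# which is what `source` leaves in the environment.
env_value() {
    sed -n "s/^export $2=\"\(.*\)\"\$/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Succeed only if $1 is a regular file with no group/other permission bits.
# Reads the mode string from ls (characters 5-10); ACLs are not inspected.
is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Print findings for env file $1 and return the number of problems found.
audit_redact_store() {
    problems=0
    if ! is_private "$1"; then
        echo "FAIL: $1 is missing or open to group/others (try chmod 600)"
        problems=$((problems + 1))
    fi
    if [ -z "$(env_value "$1" REDACT_DB_URL)" ]; then
        echo "FAIL: REDACT_DB_URL is not set in $1"
        problems=$((problems + 1))
    fi
    key=$(env_value "$1" SERVICE_ACCOUNT)
    if [ -n "$key" ] && ! is_private "$key"; then
        echo "FAIL: key file $key is missing or open to group/others"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh audit.sh config/config.env
if [ "$#" -ge 1 ]; then
    audit_redact_store "$1"
fi
```

Run it from the redact-store directory before `cargo r`; a non-zero exit status is the number of problems found.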

Install redact-client

  1. git clone

  2. Provide the Storage URL in config/config.yaml#storage.url

    • If you set up your own storage server using the steps above, the URL will likely be https://localhost:8081

    • If you set up your own storage server, notice that the config allows for specifying a custom server CA certificate at You MUST copy the CA certificate generated by the storage server to this location. Within the redact-store directory, it should be located at tls/server/cert/ca.pem; copy this file to the client at certs/storer-ca.pem.

  3. cargo r

Visit Redact-enabled website

We have an example website called Redact Feed that lets you demo Redact’s current feature set: you can post text and multimedia and see those posts displayed. Redact Feed will soon support data sharing and other social features.

Once the Client is set up locally and points to a working storage instance, Redact-enabled websites will “just work” (TM). The Client handles generation and coordination of cryptographic material with no further input.


Redact currently only supports storing keys unencrypted on the file system. Support for hardware and software key vaults is upcoming.