MSKanban is a self-hostable Kanban board that encrypts your content on your device before it reaches the server. Even a fully compromised server — DB dump, malicious admin, anything short of running code on your machine — cannot read your card titles, descriptions, comments, checklists, custom-field values, or attachments. The server only sees opaque ciphertext and the metadata it strictly needs to route requests (user ids, timestamps, positions).
⚠️ Pre-1.0. The crypto envelope, DB schema and public API may still change without a major-version bump. Each change is documented in CHANGELOG.md. Production data: not yet.
| Feature | Trello | Jira Cloud | Planka | Wekan | MSKanban |
|---|---|---|---|---|---|
| Self-hostable | ❌ | ❌ | ✅ | ✅ | ✅ |
| Zero-knowledge E2EE | ❌ | ❌ | ❌ | ❌ | ✅ |
| WebAuthn / Passkeys | ❌ | ❌ | ✅ | | ✅ |
| Real-time sync (CRDT) | ❌ | ❌ | ❌ | ✅ | ✅ |
| Offline-first PWA | ❌ | ❌ | ✅ | | ✅ |
| Built-in webhooks w/ DLQ | ✅ | ✅ | ❌ | ❌ | ✅ |
| GDPR-ready by design | ❌ | ✅ | ✅ | | ✅ |
| WCAG 2.1 AA | ❌ | ✅ | | | |
| Signed container + SBOM | ❌ | ❌ | ❌ | ❌ | ✅ |
The differentiator is zero-knowledge: a Trello-style UX with the "server can't read your data" guarantee of Bitwarden / Standard Notes. Read the zero-knowledge ADR and the threat model for the details.
Full user-facing documentation lives at docu.msk-scripts.de/ecosystem/mskanban — overview, installation, feature tour, REST API reference, privacy deep-dive, FAQ.
Thank you to everyone who supports this project!
```bash
docker run -d --name mskanban \
  -p 3000:3000 \
  -e DATABASE_URL='mysql://USER:PASS@db-host:3306/mskanban' \
  -e REDIS_URL='redis://redis-host:6379' \
  -e AUTH_SECRET="$(openssl rand -base64 32)" \
  -e SERVER_ENCRYPTION_KEY="$(openssl rand -base64 32)" \
  -e NEXT_PUBLIC_APP_URL='https://kanban.example.com' \
  -e WEBAUTHN_RP_ID='kanban.example.com' \
  -e WEBAUTHN_RP_NAME='MSKanban' \
  -e WEBAUTHN_RP_ORIGIN='https://kanban.example.com' \
  ghcr.io/msk-scripts/mskanban:latest
```

You bring your own MariaDB (10.11+) and Redis (7+); the docker/docker-compose.prod.yml reference deployment wires all three together behind Apache.
Verify the image before you run it (you should, every time):

```bash
cosign verify ghcr.io/msk-scripts/mskanban:latest \
  --certificate-identity-regexp \
    'https://github.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

A passing signature means GitHub Actions built this exact image from the public source. See SECURITY.md for SBOM + SLSA verification too.
The reference deployment matches how the project's author runs it on a single Debian box:
- Reverse proxy: apache/mskanban.conf.example
- systemd unit: docs/deployment/mskanban.service
- Full guide: docs/deployment/
```bash
pnpm install                                            # Node 22 + pnpm 9
docker compose -f docker/docker-compose.dev.yml up -d   # MariaDB + Redis + Adminer
cp .env.development.example .env.local
pnpm prisma migrate dev
pnpm dev                                                # Next.js on :3000
pnpm dev:ws                                             # WS relay on :3001 (optional)
```

.env.development.example has FEATURE_PUBLIC_REGISTRATION="true" so you can register an account on the dev instance. Production templates keep that off by default.
Your password derives a Master Key (Argon2id, m=64 MiB, t=3, p=4)
in your browser. From it we derive an AuthHash (sent to the server,
not reversible) and a User Symmetric Key (never sent). The User Sym
Key wraps your X25519 keypair; your public key is stored, your private
key is stored encrypted with the Sym Key. Workspace Keys are sealed
to each member's public key (X25519 sealed boxes). Board Keys derive
from the Workspace Key + the board id (HKDF). Card content is encrypted
under the Board Key with XChaCha20-Poly1305. None of those keys ever
leave your device unencrypted. The server stores ciphertext, the
metadata it needs to route requests, and nothing else.
Lose your password → use your 24-word recovery phrase (BIP39). Lose the recovery phrase too → there is no back door, by design (ADR 0004).
Full details: docs/architecture/ (especially
ADRs 0003, 0004, 0007, 0009) and docs/threat-model.md.
- Boards, columns, cards with drag-and-drop (keyboard-equivalent per WCAG 2.1.1), labels, assignees, start + due dates, checklists, custom fields, card templates.
- Milestones group cards into deliverables with an optional date window — drives the burn-down chart and timeline grouping.
- Five views per board: Kanban / Calendar / Timeline (Gantt) / Table / Analytics. Analytics ships cycle time, lead time, CFD, aging WIP, throughput, burn-down per milestone — all computed client-side on decrypted data.
- Real-time collaboration via Yjs CRDTs. Card descriptions sync between users; board-level presence (Yjs awareness) shows who else is online with an avatar stack + per-card "is viewing" dots. The relay server only sees ciphertext bytes — even presence payloads.
- Automation engine (ADR 0010): declarative {when, do} rules per board, fully E2EE. The server sees only the plaintext trigger envelope (trigger_type + trigger_meta), which is whitelisted on every write; rule bodies live in enc_rule.
- Offline-first PWA with IndexedDB snapshot cache and a live online/offline indicator.
- Activity feed + notifications (server-visible metadata only).
- Webhooks with HMAC-SHA256 signing, SSRF guard, persistent delivery queue with exponential backoff + DLQ surfaced in the UI.
- Import from MSKanban JSON, Trello JSON, generic CSV. Export to JSON and Markdown.
- 2FA: TOTP and WebAuthn / Passkeys (both shipped).
- GDPR: account-level export + crypto-shred deletion baked in.
We're happy to take PRs! Read CONTRIBUTING.md first
— it covers the DCO sign-off, dev-environment setup, the test +
crypto-coverage requirements, and the special review rules for
anything under src/lib/crypto/.
CODE_OF_CONDUCT.md (Contributor Covenant 2.1)
applies to every interaction in this repo, the issue tracker and the
discussions.
Security issues go private — see SECURITY.md.
AGPL-3.0-or-later. If you run a modified MSKanban as a network service, you must publish your modifications. We picked the AGPL specifically because we want this to stay community-owned — see ADR 0006 for the reasoning.
v0.1.0-beta — released 2026-05-24, signed via cosign keyless OIDC.
All ten original roadmap phases shipped; post-beta features (milestones,
timeline, presence, automation) ship under [Unreleased] in
CHANGELOG.md and become v0.2.0 when batched.
| Phase | What | Status |
|---|---|---|
| 0–3 | Setup + foundation + auth + core Kanban (plaintext MVP) | ✅ |
| 4 | Zero-knowledge E2EE | ✅ |
| 5 | Advanced UX (labels, custom fields, views, templates, activity) | ✅ |
| 6 | Real-time SSE + PWA + IndexedDB + Yjs WS relay | ✅ |
| 7 | Analytics | ✅ |
| 8 | Integrations & I/O (export, import, webhooks) | ✅ |
| 9 | Hardening (CSP nonces, webhook DLQ, SBOM, Cosign) | ✅ |
| 10 | Public Beta (v0.1.0-beta) | ✅ |
| post-beta | Milestones, Burn-Down, Timeline, Presence, Automation v1 | ✅ shipped, not yet tagged |
Tracker, roadmap and the running design log live in
CLAUDE.md (German — the rest of the docs and code are
in English).
Built by @musiker15 · MSK Scripts ·
msk-scripts.de ·
security@msk-scripts.de