Crabdrop
Crabdrop is a fast, lightweight desktop file manager for S3-compatible storage services. It lets you browse, upload, download, and manage files stored in AWS S3, Cloudflare R2, MinIO, or any other S3-compatible provider — all from a native desktop app.
Why Crabdrop?
Most S3 management happens through web consoles or CLI tools. Crabdrop gives you a proper desktop experience with drag-and-drop uploads, progress tracking, and optional client-side encryption — without needing a browser or terminal.
Key Highlights
- Cross-platform — macOS, Windows, and Linux
- Drag and drop — drop files or folders onto the window to upload
- Client-side encryption — optional XChaCha20-Poly1305 encryption before upload
- Multipart uploads — large files (100MB+) are split and uploaded in parallel
- Secure credential storage — keys stored in your OS keychain, never in plaintext
- S3-compatible — works with any service that speaks the S3 API
Tech Stack
Crabdrop is built with Tauri — a Rust backend paired with a TypeScript frontend. This gives you native performance and small binary sizes compared to Electron-based alternatives.
| Layer | Technology |
|---|---|
| Backend | Rust + Tauri 2 |
| Frontend | TypeScript + Vite |
| Storage | AWS SDK for Rust |
| Crypto | XChaCha20-Poly1305 |
Built with love and Rust.
Installation
Pre-built Binaries
Download the latest release from GitHub Releases.
| Platform | Format |
|---|---|
| macOS (Apple Silicon) | .dmg |
| macOS (Intel) | .dmg |
| Windows | .msi or .exe |
| Linux | .deb or .AppImage |
Flathub
flatpak install flathub io.github.alsofelix.crabdrop
Arch Linux (AUR)
Pre-built binary:
yay -S crabdrop-bin
Build from source:
yay -S crabdrop
Building from Source
git clone https://github.com/alsofelix/crabdrop.git
cd crabdrop
bun install
bun tauri build
The built application will be in src-tauri/target/release/bundle/.
Getting Started
When you first launch Crabdrop, you’ll see the setup screen. You need to configure a connection to your S3-compatible storage before you can start browsing files.
Setup
Fill in the following fields:
| Field | Required | Description | Example |
|---|---|---|---|
| Endpoint URL | Yes | Your S3 endpoint. See Supported Services for examples | https://my-account.r2.cloudflarestorage.com |
| Bucket Name | Yes | The name of your S3 bucket | my-bucket |
| Region | Yes | The AWS region (or equivalent for your provider) | us-east-1 |
| Access Key ID | Yes | Your access key for authentication | AKIA... |
| Secret Access Key | Yes | Your secret key for authentication | |
| Encryption Passphrase | Yes | Passphrase for client-side file encryption |
Once filled in, click Connect.
Where Credentials Are Stored
- Storage settings (endpoint, bucket, region) are saved to
~/.config/crabdrop/config.toml - Credentials (access key, secret key, encryption passphrase) are stored in your OS keychain:
- macOS: Keychain Access
- Windows: Credential Manager
- Linux: Secret Service (GNOME Keyring, KDE Wallet, etc.)
Credentials are never stored in plaintext config files.
First Use
After setup, Crabdrop opens the file browser showing the root of your bucket. From here you can:
- Browse — click folders to navigate into them
- Upload — drag and drop files onto the window
- Download — double-click a file to download and open it
- Go back — click the back arrow or use the breadcrumb path
Features
Crabdrop provides a focused set of features for managing files in S3-compatible storage:
- File Browsing — navigate folders, view file metadata
- Uploading — drag-and-drop, multipart, folder uploads
- Downloading — download with progress tracking and auto-open
- Encryption — client-side XChaCha20-Poly1305 encryption
- Sharing Files — generate presigned URLs for temporary access
- Filtering & Sorting — search, filter by type/size/encryption, sort
- Keyboard Shortcuts — navigate and manage files from the keyboard
File Browsing
The file browser is the main view in Crabdrop. It displays all files and folders at the current path in your S3 bucket.
Navigation
- Click a folder to navigate into it
- Click the back arrow to go up one level
- Breadcrumb path shows your current location
File List
Each file entry shows:
| Column | Description |
|---|---|
| Name | File or folder name |
| Size | Human-readable file size (folders show —) |
| Modified | Last modified date |
| Encrypted | Lock icon if the file is encrypted |
Folders are always displayed before files.
Selection
- Single click selects a file (highlights it)
- Double click opens a folder or downloads a file
- Escape deselects the current selection
- Arrow keys move the selection up and down
Right-Click Menu
Right-clicking a file shows a context menu with:
- Download — download the file
- Share — generate a presigned URL
- Delete — delete the file (with confirmation)
Pagination
S3 returns results in pages. Crabdrop handles pagination automatically using continuation tokens, loading all objects at the current prefix.
Encrypted File Display
Encrypted files are stored with UUID filenames in S3. Crabdrop reads the encrypted metadata file to resolve UUIDs back to their original filenames, so you see the real name in the browser — not the UUID.
Uploading
Drag and Drop
Drag files or folders from your file manager onto the Crabdrop window. A confirmation dialog appears asking whether to encrypt the files before upload.
Upload Types
Crabdrop automatically chooses the upload method based on file size:
| File Size | Method | Details |
|---|---|---|
| < 100 MB | Simple upload | Single PUT request |
| >= 100 MB | Multipart upload | Split into 50 MB chunks, 6 uploaded at once |
Multipart Uploads
Large files are split into 50 MB parts and uploaded concurrently with a maximum of 6 parallel uploads. This significantly speeds up large file transfers. The progress panel shows which part is currently uploading.
Folder Uploads
Entire folders can be uploaded. Crabdrop recursively walks the directory and uploads each file, preserving the folder structure. A progress indicator shows how many files have been uploaded out of the total.
Upload Progress
The upload panel at the bottom of the screen shows:
- File name
- Progress percentage
- Current part number (for multipart uploads)
- Total bytes uploaded
Multiple uploads can run simultaneously — each gets its own progress entry.
Encryption on Upload
When dropping files, you’re asked whether to encrypt them. If you choose yes:
- A UUID is generated as the S3 key (hiding the real filename)
- The file data is encrypted in 1 MB chunks using XChaCha20-Poly1305
- The UUID-to-filename mapping is stored in an encrypted metadata file in the bucket
See Encryption for details.
Downloading
How to Download
- Double-click a file to download it
- Or select a file and press Enter
Download Process
- The file streams from S3 to a temporary file in your downloads directory
- Progress is tracked in 1 MB chunks and shown in an overlay
- If the file is encrypted, it’s decrypted on-the-fly during download
- Once complete, the file is renamed to its final name
- The file automatically opens in your default application
File Name Conflicts
If a file with the same name already exists in your downloads folder, Crabdrop appends a number:
photo.jpg
photo (1).jpg
photo (2).jpg
Encrypted File Downloads
When downloading an encrypted file:
- Crabdrop uses the encryption passphrase from your config
- The file is decrypted chunk-by-chunk as it’s written to disk
- If the passphrase is wrong, Crabdrop shows an error (AEAD authentication failure)
Download Progress
The download overlay shows:
- File name being downloaded
- Progress percentage
- Bytes downloaded vs total size
Only one download runs at a time to prevent crashes.
Encryption
Crabdrop provides optional client-side encryption. Files are encrypted before they leave your machine and decrypted after download. Your storage provider never sees the plaintext data.
Algorithm
| Component | Details |
|---|---|
| Cipher | XChaCha20-Poly1305 (AEAD) |
| Key derivation | Argon2 (password + salt → 256-bit key) |
| Nonce | 24 bytes, randomly generated per chunk |
| Chunk size | 1 MB plaintext → 1 MB + 24 byte nonce + 16 byte tag |
How It Works
Encryption (upload)
- Your passphrase and the filename are fed into Argon2 to derive a 256-bit key
- The file is split into 1 MB chunks
- Each chunk gets a random 24-byte nonce
- Each chunk is encrypted with XChaCha20-Poly1305
- Output per chunk:
nonce (24 bytes) || ciphertext || tag (16 bytes) - A UUID is generated as the S3 object key
- The mapping
UUID → original filenameis added to the encrypted metadata file
Decryption (download)
- The same passphrase + filename derive the same key via Argon2
- Each chunk’s nonce is extracted (first 24 bytes)
- The ciphertext is decrypted and authenticated
- If the tag doesn’t match (wrong passphrase), decryption fails with an error
Metadata File
Crabdrop stores a special file in your bucket called CRABDROP_METADATA_DO_NOT_DELETE. This file:
- Contains a JSON map of
UUID → original filenamefor every encrypted file - Is itself encrypted with your passphrase
- Is updated on every encrypted upload
- Is protected by a mutex to prevent race conditions during concurrent uploads
Do not delete this file. Without it, Crabdrop cannot resolve encrypted filenames.
Changing Your Passphrase
When you change your encryption passphrase in settings, Crabdrop re-encrypts the metadata file with the new passphrase. Previously encrypted files remain encrypted with the old key derivation (since the filename salt doesn’t change). The metadata mapping is the only thing re-encrypted.
Important Notes
- Encryption is per-file — you choose on each upload whether to encrypt
- The encryption passphrase is stored in your OS keychain
- Encrypted files appear with a lock icon in the file browser
- Presigned URLs for encrypted files will serve the encrypted (unusable) data — the recipient cannot decrypt without the passphrase and Crabdrop
Sharing Files
Crabdrop can generate presigned URLs for any file in your bucket. A presigned URL gives temporary, direct download access to a file without requiring S3 credentials.
Generating a Presigned URL
- Right-click a file and select Share
- Choose an expiry duration:
- 15 minutes
- 1 hour
- 24 hours
- 7 days
- Click Generate Link
- Copy the URL from the modal
How Presigned URLs Work
- The URL contains a cryptographic signature that grants temporary access
- Anyone with the URL can download the file until it expires
- No authentication is needed by the recipient
- The URL is generated by the AWS SDK using your credentials
Limitations
- Encrypted files: The presigned URL serves the raw encrypted data. The recipient gets the ciphertext, which is unusable without the encryption passphrase and Crabdrop to decrypt it. Only share presigned URLs for unencrypted files unless the recipient also has Crabdrop and your passphrase.
- Expiry: URLs expire after the specified duration. There is no way to revoke a URL before expiry other than deleting the file.
- Provider support: Presigned URL support varies by S3-compatible provider. Most support it, but check your provider’s documentation.
Filtering & Sorting
Crabdrop provides client-side filtering and sorting to help you find files quickly.
Search
Type in the search bar to filter files by name. The search is case-insensitive and matches anywhere in the filename.
Filters
| Filter | Options |
|---|---|
| Type | All, Folders only, Files only |
| Encryption | All, Encrypted only, Unencrypted only |
| Size | All, Small, Medium, Large |
Filters are applied on top of each other — you can combine them.
Sorting
| Sort by | Orders |
|---|---|
| Name | A→Z or Z→A |
| Size | Smallest or Largest first |
| Date | Newest or Oldest first |
Folders are always shown before files regardless of sort order. Sorting applies within folders and within files separately.
Keyboard Shortcuts
Crabdrop supports keyboard navigation for the file browser.
Navigation
| Shortcut | Action |
|---|---|
| Arrow Up | Move selection up |
| Arrow Down | Move selection down |
| Enter | Open folder / download file |
| Escape | Deselect current selection |
Actions
| Shortcut | Action |
|---|---|
| Delete / Backspace | Delete selected file (with confirmation) |
| F5 | Refresh file list |
| Ctrl+R / Cmd+R | Refresh file list |
Configuration
Config File
Crabdrop stores its configuration at:
~/.config/crabdrop/config.toml
This file contains only storage settings (no secrets):
[storage]
endpoint = "https://s3.amazonaws.com"
bucket = "my-bucket"
region = "us-east-1"
Credential Storage
All sensitive credentials are stored in your OS keychain — never in plaintext files:
| Platform | Backend |
|---|---|
| macOS | Keychain Access |
| Windows | Credential Manager |
| Linux | Secret Service (GNOME Keyring, KDE Wallet) |
The keyring entry uses:
- Service:
crabdrop - Account:
default
Stored as JSON containing access_key_id, secret_access_key, and encryption_passphrase.
Migration from Plaintext
If Crabdrop detects credentials in the TOML config file (from older versions), it automatically migrates them to the keychain and removes them from the file. This happens transparently on startup.
Editing Configuration
You can update your configuration through the Settings screen in the app. Click the gear icon to open settings, modify your values, test the connection, and save.
Required Fields
| Field | Required | Notes |
|---|---|---|
| Endpoint URL | Yes | Your S3 endpoint. See Supported Services |
| Bucket Name | Yes | Must exist before connecting |
| Region | Yes | e.g. us-east-1, auto for some providers |
| Access Key ID | Yes | From your provider’s console |
| Secret Access Key | Yes | From your provider’s console |
| Encryption Passphrase | Yes | Used for client-side file encryption |
Supported Services
Crabdrop works with any storage service that implements the S3 API. Here are some common providers and their configuration.
Note: The Endpoint URL and Region fields are always required. Even if a provider doesn’t use regions, you still need to fill in the Region field with something — any value will work (e.g.
us-east-1,auto, or evenx). Crabdrop will crash or fail to connect if either field is left empty.
AWS S3
| Field | Value |
|---|---|
| Endpoint | https://s3.us-east-1.amazonaws.com |
| Region | Your bucket’s region (e.g. us-east-1) |
The most common S3 provider. Create an IAM user with S3 permissions and use its access keys.
The endpoint includes your region. For example, if your bucket is in eu-west-1, use https://s3.eu-west-1.amazonaws.com.
Cloudflare R2
| Field | Value |
|---|---|
| Endpoint | https://<account-id>.r2.cloudflarestorage.com |
| Region | auto |
R2 doesn’t have traditional regions. Set Region to auto — it’s required by the field but R2 ignores it.
Find your account ID in the Cloudflare dashboard under R2. Generate an API token with R2 read/write permissions.
MinIO
| Field | Value |
|---|---|
| Endpoint | http://localhost:9000 (or your host) |
| Region | Anything (e.g. us-east-1) |
MinIO is self-hosted and doesn’t use regions. The Region field is still required, but MinIO doesn’t care what you put there — us-east-1 is a safe default. Use the access key and secret key from your MinIO setup.
DigitalOcean Spaces
| Field | Value |
|---|---|
| Endpoint | https://<region>.digitaloceanspaces.com |
| Region | Your Spaces region (e.g. nyc3) |
The region appears in both the endpoint URL and the Region field. Generate a Spaces access key in the DigitalOcean control panel.
Backblaze B2
| Field | Value |
|---|---|
| Endpoint | https://s3.<region>.backblazeb2.com |
| Region | Your bucket’s region |
Use the S3-compatible API (not the native B2 API). Create an application key with S3 compatibility enabled.
Other Providers
Any service that implements the S3 API should work. You need:
- An S3-compatible Endpoint URL
- A Bucket Name
- A Region — even if the provider doesn’t use regions, put any value here (e.g.
us-east-1) - An Access Key ID and Secret Access Key with read/write permissions
Missing & Planned
Some features that may come in the future.
On the Radar
- Multi-select & bulk operations — select multiple files for delete, download, etc.
- File preview — preview images, text, and PDFs without downloading
- Rename / move files — in-place rename and move between folders
- Multiple profiles — switch between different buckets or accounts without re-entering credentials
- Upload via file picker — a “Choose File” button alongside drag-and-drop
- Download folders — download an entire folder recursively or as a zip
Known Limitations
- One download at a time — concurrent downloads are serialized to prevent crashes
- Presigned URLs + encryption — presigned URLs for encrypted files serve ciphertext, which is unusable without Crabdrop and the passphrase
- Metadata file —
CRABDROP_METADATA_DO_NOT_DELETEmaps encrypted UUIDs to filenames. If deleted, encrypted files still exist but show as UUIDs
Changelog
v0.3.5 (2026-02-19)
- Improves how handling of metadata works for crabdrop, changing encryption passphrase will no longer return aead::Error
- Improves handling of errors when downloading files (wrong passphrase for example)
v0.3.4 (2026-02-19)
- Make encryption passphrase required to setup fixing a bug where you would not be able to setup a passphrase in the case you did not set one up initially.
v0.3.3 (2026-02-18)
- Fixed sorting and filters resetting when refreshing or creating a folder
v0.3.2 (2026-02-16)
- Added keyboard navigation for the file browser (Arrow Up/Down to browse, Enter to open, Escape to deselect)
- Added keyboard shortcuts for refresh (F5, Ctrl/Cmd+R) and delete (Delete/Backspace)
- Fixed a crash when triggering multiple downloads simultaneously
- Delete now shows a confirmation dialog before removing files or folders
- Single click selects a file, double click opens/downloads
v0.3.1 (2026-02-15)
- Fix release versioning
v0.3.0 (2026-02-15)
- Add filtering options to filter by type, encryption status and more.
- Add sorting option (folders will be at the top)
- Performance increases
v0.2.12 (2026-02-15)
- Update some dependencies which introduce performance benefits
v0.2.11 (2026-02-15)
- Adds file searching functionality
v0.2.10 (2026-02-15)
- Fix upload panel re-rendering entire list on every progress event
v0.2.9 (2026-02-15)
- Fix a small typo
v0.2.8 (2026-02-15)
- Fixes some part of the release workflow.
v0.2.7 (2026-02-15)
- Fixed release notes extraction on Windows
v0.2.6 (2026-02-15)
- Does not allow for files to be encrypted without a passphrase
v0.2.5 (2026-02-15)
- Simplify release process
License
Crabdrop is released under the MIT License.
MIT License
Copyright (c) 2025 Felix
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
What This Means
- You can use Crabdrop for any purpose (personal, commercial, etc.)
- You can modify and distribute it
- You must include the copyright notice and license text
- The software is provided “as is” — no warranty