# Ente — End-to-End Encrypted Photo Storage & 2FA

> Ente provides end-to-end encrypted photo backup and 2FA authenticator. Zero-knowledge architecture — only you can see your data, even Ente cannot access it.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

### Self-Host (Server)

```bash
git clone https://github.com/ente-io/ente.git
cd ente/server
docker compose up -d
```

Then install the Ente Photos app (iOS/Android/Desktop) and point it to your self-hosted server.

## Intro

**Ente** is an end-to-end encrypted cloud platform providing two core products: **Ente Photos** (Google Photos alternative) and **Ente Auth** (Authy/Google Authenticator alternative). Built with a zero-knowledge architecture, Ente ensures that only you can access your photos and 2FA tokens — not even Ente's servers can decrypt your data.

With 25.9K+ GitHub stars and AGPL-3.0 license, Ente has become the go-to choice for privacy-conscious users who want cloud backup with genuine end-to-end encryption, not just at-rest encryption.

## What Ente Does

### Ente Photos
- **E2E Encrypted Backup**: All photos and videos encrypted before leaving your device
- **Cross-Platform**: Native apps for iOS, Android, macOS, Windows, Linux, and web
- **AI Search**: On-device ML for face recognition and object search (runs locally, not on server)
- **Shared Albums**: Share albums with family with E2E encryption maintained
- **Memories**: "On this day" flashbacks
- **Archive & Trash**: 30-day trash with recovery
- **Map View**: View photos by location
- **Deduplication**: Automatic duplicate detection

### Ente Auth (2FA)
- **E2E Encrypted 2FA**: TOTP tokens encrypted and synced across devices
- **Import**: From Google Authenticator, Authy, Bitwarden, and more
- **Offline Access**: Works without internet once synced
- **Cross-Platform**: iOS, Android, macOS, Windows, Linux, web

## Architecture

```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│ Client Apps  │────▶│  Ente Server │────▶│  PostgreSQL  │
│ (Flutter/Web)│     │  (Go)        │     │  (Metadata)  │
│ E2E Encrypt  │     └──────┬───────┘     └──────────────┘
│ on device    │            │
└──────────────┘     ┌──────┴───────┐
                     │  MinIO / S3  │
                     │  (Encrypted  │
                     │   Blobs)     │
                     └──────────────┘
```

Key: Encryption/decryption happens entirely on the client. The server only stores encrypted blobs it cannot read.

## Self-Hosting

### Docker Compose

```yaml
services:
  museum:
    image: ghcr.io/ente-io/server:latest
    ports:
      - "8080:8080"
    environment:
      ENTE_DB_HOST: postgres
      ENTE_DB_PORT: 5432
      ENTE_DB_NAME: ente
      ENTE_DB_USER: ente
      ENTE_DB_PASSWORD: ente
    depends_on:
      - postgres
      - minio
    volumes:
      - ./museum.yaml:/museum.yaml:ro

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ente
      POSTGRES_PASSWORD: ente
      POSTGRES_DB: ente
    volumes:
      - pg-data:/var/lib/postgresql/data

  minio:
    image: minio/minio
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    volumes:
      - minio-data:/data

volumes:
  pg-data:
  minio-data:
```

## Zero-Knowledge Encryption

```
Your Device                      Server
─────────                        ──────
Generate key from password
        │
Encrypt photos with key
        │
Upload encrypted blob ──────▶ Store encrypted blob
                               (cannot decrypt)
        │
Download encrypted blob ◀────── Send encrypted blob
        │
Decrypt with key
        │
View photos
```

- Master key derived from your password (never transmitted)
- Each file encrypted with unique key
- File keys encrypted with master key
- Server stores only ciphertext

## Ente vs Alternatives

| Feature | Ente | Google Photos | iCloud | Immich |
|---------|------|--------------|--------|--------|
| E2E Encrypted | Yes (zero-knowledge) | No | Advanced Data Protection | No |
| Open Source | Yes (AGPL-3.0) | No | No | Yes (AGPL) |
| Self-hosted | Yes | No | No | Yes |
| 2FA App | Built-in (Ente Auth) | No | No | No |
| On-device ML | Yes | Server-side | Server-side | Server-side |
| Cross-platform | All platforms | All platforms | Apple only | All platforms |

## FAQ

**Q: Ente or Immich?**
A: If privacy and encryption matter most, choose Ente (end-to-end encrypted — even a compromised server can't read your photos). If you care more about feature richness and AI search, choose Immich (more powerful server-side ML search, but you must trust the server).

**Q: Can self-hosted Ente Auth replace Google Authenticator?**
A: Absolutely. Ente Auth imports from Google Authenticator and provides encrypted cloud backup and multi-device sync — features Google Authenticator lacks.

**Q: Self-hosted storage costs?**
A: Storage capacity in the self-hosted version depends on your MinIO/S3 setup. You can use local disks or any S3-compatible object store. The official cloud service starts at $1.99/month for 10GB.

## Source & Thanks

- GitHub: [ente-io/ente](https://github.com/ente-io/ente) — 25.9K+ ⭐ | AGPL-3.0
- Website: [ente.io](https://ente.io)

---
Source: https://tokrepo.com/en/workflows/ente-end-end-encrypted-photo-storage-2fa-fc51cc31
Author: AI Open Source