How to Install Seafile with Docker
Table of contents
- Key takeaways
- What is Seafile and how is it different from Nextcloud?
- What do you need and which components form it?
- The Seafile docker-compose.yml
- Environment variables and first boot
- How do you encrypt a library?
- How do you publish it over HTTPS?
- Frequently asked questions
- Is Seafile better than Nextcloud?
- Can I recover an encrypted library if I forget the password?
- Why should I not use the image's latest tag?
- Conclusion
- Sources
Seafile is an open-source file sync and storage platform that keeps data in blocks, Git style, which makes it very fast when you handle lots of files. With Docker it comes up in four containers (server, a MariaDB database, a Redis cache and a Caddy proxy) from a single docker-compose.yml file.
Seafile is a private file cloud focused on synchronisation, and with Docker you have it running in a few minutes. In this guide you bring up the server alongside a MariaDB database, a Redis cache and a Caddy proxy using a single docker-compose.yml file, learn how to configure it on first boot, how to encrypt your libraries and how to publish it over HTTPS. The same explanation is available in Spanish.
Key takeaways
- Seafile is an open-source platform to sync and share files that you host on your own server, with desktop, mobile and web clients.
- Unlike Nextcloud, it stores data in deduplicated blocks versioned Git style, a model that syncs folders with many files very fast.
- The version 13 setup uses four containers: the server (the
seafileltd/seafile-mcimage), a MariaDB database, a Redis cache and the Caddy proxy, which handles automatic HTTPS. - Pin a specific image version (for example
seafileltd/seafile-mc:13.0.25) instead of:latest; that way you decide when you move to a new version. - Encrypted libraries are protected on the client with AES-256; the password is not stored on the server, so nobody (not even you) can recover the data if you forget it.
What is Seafile and how is it different from Nextcloud?
Seafile is an open-source file sync and storage platform, developed by the Haiwen company since 2012. Like Nextcloud, it lets you run your own replacement for Google Drive or Dropbox, with desktop clients, mobile apps and a web interface called Seahub.
The difference is in the storage engine. Nextcloud stores each file as-is on the filesystem; Seafile instead splits each file into blocks of roughly 1 MB, deduplicates them and versions them like Git commits. That design makes syncing folders with thousands of small files or with very large files noticeably faster and lighter on bandwidth, because only the blocks that changed travel across the wire.
In exchange, Seafile is more specialised: it shines at syncing and sharing, but it does not bring Nextcloud’s ecosystem of apps (calendar, contacts, mail, integrated office suite). If what you want is fast, solid file sync, Seafile is an excellent option; if you want a complete collaboration suite, Nextcloud may fit you better.
What do you need and which components form it?
You need a Linux machine with Docker and the Compose plugin already installed. If you do not have it yet, follow the guide to install Docker on Ubuntu 24.04 first. For home or small-team use, 2 GB of RAM and a couple of cores are enough.
Since version 12, Seafile reorganised its Docker deployment around environment variables and several containers, each with one clear responsibility:
- Seafile server (
seafileltd/seafile-mc): the core, which brings together the file engine and the Seahub web interface. Themcin the name comes from the image historically bundling memcached. - MariaDB database: stores users, permissions and library metadata.
- Redis cache: in version 13 it replaces memcached as the default cache.
- Caddy proxy: terminates TLS and obtains Let’s Encrypt certificates automatically.
In this tutorial we define all four inside the same docker-compose.yml, so there is no need to install them separately.
The Seafile docker-compose.yml
Create a folder for the project and save this docker-compose.yml inside it. Replace each cambia_esta_clave... value with your own strong password, and set SEAFILE_SERVER_HOSTNAME to your domain or the server IP before starting:
services:
db:
image: mariadb:10.11
container_name: seafile-mysql
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: change_this_root_key
MYSQL_LOG_CONSOLE: "true"
MARIADB_AUTO_UPGRADE: "1"
volumes:
- db_data:/var/lib/mysql
healthcheck:
test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
interval: 20s
timeout: 5s
retries: 5
networks:
- seafile-net
redis:
image: redis:7.4
container_name: seafile-redis
restart: unless-stopped
networks:
- seafile-net
seafile:
image: seafileltd/seafile-mc:13.0.25
container_name: seafile
restart: unless-stopped
ports:
- "80:80"
volumes:
- seafile_data:/shared
environment:
SEAFILE_MYSQL_DB_HOST: db
SEAFILE_MYSQL_DB_USER: seafile
SEAFILE_MYSQL_DB_PASSWORD: change_this_db_key
INIT_SEAFILE_MYSQL_ROOT_PASSWORD: change_this_root_key
JWT_PRIVATE_KEY: change_this_jwt_key_of_32_or_more_chars
SEAFILE_SERVER_HOSTNAME: seafile.mydomain.com
SEAFILE_SERVER_PROTOCOL: http
CACHE_PROVIDER: redis
REDIS_HOST: redis
REDIS_PORT: 6379
TIME_ZONE: Europe/Madrid
INIT_SEAFILE_ADMIN_EMAIL: admin@mydomain.com
INIT_SEAFILE_ADMIN_PASSWORD: change_this_admin_key
depends_on:
db:
condition: service_healthy
redis:
condition: service_started
networks:
- seafile-net
volumes:
db_data:
seafile_data:
networks:
seafile-net:
Notice a couple of details. The server does not start until MariaDB passes its healthcheck, thanks to depends_on with the service_healthy condition. The JWT_PRIVATE_KEY key has been mandatory since version 12 and must be at least 32 characters long; generate one with openssl rand -hex 32. And all the important state (databases, configuration and the blocks of your files) lives in the db_data and seafile_data volumes, the latter mounted at /shared.
Environment variables and first boot
With the file ready, start the stack in the background and follow the server log while it installs:
docker compose up -d
docker compose ps
docker compose logs -f seafile
The first time, the image creates the three databases (ccnet_db, seafile_db and seahub_db), applies the schema and registers the admin account you defined in INIT_SEAFILE_ADMIN_EMAIL and INIT_SEAFILE_ADMIN_PASSWORD, so the boot takes a little longer than usual. When the log stops moving, open http://seafile.mydomain.com (or the server IP) and sign in with those credentials.
It is worth understanding what each key Compose variable does:
SEAFILE_SERVER_HOSTNAMEsets the domain used to generate links; if you change it later, you will have to edit it and recreate the container.SEAFILE_SERVER_PROTOCOLstarts ashttpfor the first test; you will switch it tohttpswhen you add the proxy.CACHE_PROVIDER: redisselects Redis as the cache, the default in version 13.INIT_SEAFILE_*are only used on the first boot; afterwards, you manage users and passwords from the Seahub administration panel.
How do you encrypt a library?
In Seafile, each top-level folder is a library. When you create one, you can tick the Encrypt box and set a password. From then on, files are encrypted and decrypted on your device with AES-256 in CBC mode: only already-encrypted blocks reach the server.
The important thing is that the library password is not stored on the server. Seafile only keeps a verification value ("magic") that lets it check the password is correct, but never the key itself. This has two consequences. The first, good one: even if someone steals the server disk, they cannot read the contents of an encrypted library. The second, delicate one: if you forget the password, the data is unrecoverable, so write it down in your password manager.
Bear in mind a nuance: when you open an encrypted library from the browser, the password travels to the server to decrypt the blocks in memory during the session. You get true end-to-end encryption with the desktop client, which does all the work on your own machine. For very sensitive data, use the client instead of the web interface.
How do you publish it over HTTPS?
Serving Seafile over plain HTTP is only fine for the first test on your local network: passwords and files would travel unencrypted. Version 13 ships Caddy as the official reverse proxy, which requests and renews the Let’s Encrypt certificate with nothing for you to touch. Add this service to the Compose file, remove the ports section from the seafile service, change SEAFILE_SERVER_PROTOCOL to https and add the proxy labels to the server:
caddy:
image: lucaslorentz/caddy-docker-proxy:2.12-alpine
container_name: seafile-caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- caddy_data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- seafile-net
labels:
caddy: https://seafile.mydomain.com
caddy.reverse_proxy: "{{upstreams 80}}"
Remember to also declare the caddy_data: volume in the volumes: section. If you prefer to reuse the series’ proxy instead of Caddy, you can equally put it behind Traefik: the principle is the same, pointing the proxy at port 80 of the seafile container.
Frequently asked questions
Is Seafile better than Nextcloud?
It depends on what for. Seafile wins on speed and sync efficiency, especially with many files, thanks to its block storage. Nextcloud wins on breadth: beyond files, it offers calendar, contacts, online office and hundreds of apps. If you want fast, simple sync, choose Seafile; if you want a complete collaboration suite, Nextcloud. You can try both, because each comes up with Docker in minutes.
Can I recover an encrypted library if I forget the password?
No. The password of an encrypted library is not stored on the server, so nobody can reset it or decrypt the blocks for you. That is the price of real encryption: security depends on you being the only one with the key. Keep it in a password manager and consider writing a recovery hint in a safe place before you upload important data.
Why should I not use the image’s latest tag?
Because :latest (or the rolling 13.0-latest tag) changes without warning and can drag you into a new version during a simple restart, right when major Seafile updates require migration steps. By pinning seafileltd/seafile-mc:13.0.25 you decide when you update, read the release notes first and avoid surprises with the database.
Conclusion
With a single docker-compose.yml you have a private file cloud that is fast and whose data never leaves your server: server, database, cache and a proxy with automatic HTTPS. The logical next step is to create your first libraries (some encrypted), install the desktop client and schedule backups of the volumes. If you also want to sync folders between machines with no central server, take a look at Syncthing, which solves a similar problem with a different approach.