Secluso is an open-source, self-hosted home security camera system that encrypts video on the device before it ever reaches a relay server. Co-founded by UC Irvine security researcher Ardalan Amiri Sani, it targets the specific threat that Ring and Nest cannot address: the cloud vendor itself. The relay that forwards your footage cannot decrypt it, because the keys never leave your devices. That is a concrete security property. It is also not the whole story.
What Secluso is and who built it
Secluso runs on a Raspberry Pi Zero 2W, licensed GPLv3, with a Rust codebase and reproducible build artifacts. The project ships three components: a camera hub that captures and encrypts, a mobile app (iOS and Android) that decrypts and displays, and a relay server that forwards only ciphertext. The relay is explicitly outside the trust boundary.
Amiri Sani is a computer security and privacy professor at UC Irvine. Co-founder John Kaczman is described as an open-source and privacy advocate. Secluso, Inc. is based in Irvine, CA. The project’s own disclaimer is blunt: “Use at your own risk. The project authors provide no guarantees of privacy or home security.” Credit for honesty, but it means operators need to evaluate the system on its architecture, not its marketing.
How the encryption architecture works
The data path is straightforward: the Pi camera captures frames, encrypts them on-device, and pushes ciphertext to the relay. The mobile app holds the private key and decrypts on display. The relay sees only encrypted blobs. According to the project’s README, the system implements forward secrecy and post-compromise security, documented in a WHITE_PAPER.md.
Setup uses a tool called Secluso Deploy, which generates a personalized OS image and a camera-secret QR code locally on the user’s machine, then provisions the relay over SSH to a user-owned Linux VPS. As of June 2026, the project offers free relay hosting during its beta period. After the beta, you provision your own infrastructure.
The threat model: what E2EE actually protects against
This is where the pitch meets the architecture. Secluso’s E2EE removes two specific threats from your threat model:
- Vendor subpoena. Ring and Nest footage is stored on vendor servers and accessible to the vendor under legal process. Amazon handed Ring footage to law enforcement without user consent in at least one documented case. Secluso’s relay operator (you) cannot decrypt footage even if compelled, because the keys are not on the relay.
- Cloud breach. If Ring or Nest suffers a server-side breach, stored footage is potentially exposed. A Secluso relay breach yields only ciphertext.
These are real threats. They are also not the only threats a home camera system faces. Here is what Secluso does not protect against:
- LAN attacker. If someone is on your local network, the Pi’s plaintext video stream is accessible before encryption. The threat model assumes the camera itself is in a trusted environment.
- Lost or compromised phone. If the device holding your private key is compromised, the attacker has your footage. Key recovery and revocation mechanisms are not detailed in the available sources.
- SD-card failure on the Pi. Local storage reliability is the operator’s problem.
- Physical tampering with the camera. The Pi Zero 2W is not a hardened device.
On-device AI and the Pi Zero 2W hardware question
Secluso runs motion, person, pet, and vehicle detection on the Pi itself rather than sending frames to a cloud inference endpoint. This is architecturally consistent with the no-cloud-trust model: if you send frames to a cloud AI service, you have re-introduced the vendor into the trust boundary.
The tradeoff is compute. The Pi Zero 2W has a 1 GHz quad-core ARM Cortex-A53. Running person and vehicle detection models on that hardware will have latency and accuracy costs compared to cloud-based inference or a dedicated Coral TPU. The project does not publish benchmarks for detection speed, accuracy, or false-positive rates as of 2026-06-02. If you are coming from Frigate with a Coral accelerator, expect a step down in detection performance.
Reproducible builds
All released artifacts (the Secluso OS image, runtime binaries, deploy tool, and Android app) are reproducible. Users can rebuild from source and verify the distributed binaries match. This is a genuine security property: it means a compromised build server cannot silently insert a backdoor without the diff being detectable. Few consumer camera systems offer this, and it matters more than most users realize until the first supply-chain attack hits a device they trusted.
The implementation being Rust-based is also relevant: memory safety by default eliminates entire classes of buffer-overflow vulnerabilities that C-based camera firmware routinely ships with.
Secluso vs. Ring/Nest vs. Frigate
No single option wins across all axes. The right choice depends on which threats you care about and how much operational overhead you are willing to carry.
| Secluso | Ring/Nest | Frigate | |
|---|---|---|---|
| E2EE | Yes (on-device) | No | No (default) |
| Vendor in trust boundary | No | Yes (full access) | No (self-hosted NVR) |
| AI detection | On-device (Pi Zero 2W) | Cloud | Local (Coral/GPU recommended) |
| Setup difficulty | High (VPS, keys, Pi provisioning) | Low (plug in, create account) | Medium (Docker, config YAML, optional Coral) |
| Key management | Your problem | Vendor-managed | N/A (no E2EE) |
| Cost | Pi + VPS + time | Subscription | Pi/PC + camera + optional Coral |
| Auditability | Full (GPLv3, reproducible) | Closed source | Open source |
Frigate is the closer comparison than Ring. Both are self-hosted, both run on Pi hardware, both avoid sending footage to a vendor. The difference is that Frigate prioritizes NVR features (recording, scrubbing, zone-based detection with Coral acceleration) while Secluso prioritizes cryptographic confidentiality of the footage itself. If your threat model includes “the server admin can read my camera feeds,” Frigate does not help and Secluso does. If your threat model is “I want reliable motion detection with low false positives and a web UI for reviewing footage,” Frigate is the more mature tool.
Ring and Nest, conversely, trade all cryptographic guarantees for convenience. You plug them in, create an account, and they work. The vendor can see your footage, law enforcement can subpoena it, and a breach can expose it. For many people that is an acceptable trade. For people who have thought about it and decided it is not, Secluso is one of the few options that actually removes the vendor from the loop rather than just promising to.
What to verify before deploying
The research brief identifies gaps that matter for a production deployment:
- The white paper documenting forward secrecy and post-compromise security was not available for independent review as of 2026-06-02. Read it before trusting the cryptographic claims.
- As of June 2026, no benchmarks exist for on-device AI detection latency or accuracy on the Pi Zero 2W. Test with your specific camera placement and lighting conditions.
- Key recovery, key rotation, and multi-device key distribution are not detailed in the available sources. If you lose the phone with your private key, the recovery path is unclear.
- The beta free relay hosting will end. Plan for self-hosting on a VPS, including the ongoing maintenance that implies.
Secluso solves a real problem that the major camera vendors have no incentive to solve. Whether it solves your problem depends on whether the threats it addresses are the ones you actually face, and whether you are prepared to absorb the operational costs it shifts onto you.
Frequently Asked Questions
Can Secluso work with existing IP cameras, or only Pi camera modules?
Secluso is built around the Raspberry Pi camera ecosystem and the Pi Zero 2W specifically. Unlike Frigate, which accepts any RTSP stream from off-the-shelf IP cameras, Secluso’s encryption layer is tightly coupled to its on-device capture pipeline. Each camera requires its own Pi Zero 2W (roughly $15) and a compatible sensor module, so a multi-camera deployment means multiple Pi units all pushing ciphertext through your relay.
What does forward secrecy actually protect if the Pi is physically stolen?
Forward secrecy ensures that compromising current keys does not expose previously captured footage. Steal the Pi and you get keys going forward, not backward. The catch is that the Pi Zero 2W has no secure enclave or tamper-resistant storage: the current keys live on the SD card in plaintext. Post-compromise security, also claimed in the white paper, would rotate keys after such a breach, but the rotation mechanism is not documented in the available sources.
How does relay bandwidth scale with multiple cameras?
The relay forwards only ciphertext and never decrypts, so its load is purely a bandwidth problem. Each Pi pushes encrypted frames proportional to the configured resolution and framerate. A budget VPS at $3-5/month can handle a few standard-definition streams, but 1080p from multiple cameras will saturate a low-end uplink. No throughput benchmarks have been published, so operators need to load-test with their actual camera count before committing to a hosting plan.
What does a three-camera Secluso deployment cost versus Ring after the beta?
Hardware runs $25-40 per camera (Pi Zero 2W plus sensor), plus a VPS at $3-5/month once free relay hosting ends. Year one for three cameras: roughly $90-120 in hardware plus $36-60 in VPS fees. Ring Protect runs $20/year per camera ($60/year for three) on top of hardware. Secluso becomes cheaper on a multi-year basis but shifts VPS maintenance, OS image updates, and key backup onto the operator.
Is there a web dashboard for reviewing footage, or only the mobile app?
The available sources describe only iOS and Android mobile apps for decryption and viewing. Frigate provides a full browser-based NVR with timeline scrubbing, event filtering, and zone-based review. Operators who need continuous recording with desktop search will find Secluso’s mobile-only interface limiting, because the project has prioritized cryptographic confidentiality over NVR-style playback features.