How Plum Box Works: A Technical Deep Dive

We've received a lot of great technical questions from our community about how Plum Box actually works under the hood. In this post we break down the architecture: how remote access is established, what happens to your data if Plum disappears, and exactly how your files are stored on the SSD.

Plum Box connects to your local network and provides access to your files from anywhere in the world. When you open the Plum app outside your home network, the connection happens in three phases.

• Signaling: the client initiates a connection request through the signal server, and the two peers exchange connection metadata.
• Discovery: ICE works out the optimal path while a STUN server discovers the public IP and NAT type of both devices.
• Connection: a direct peer-to-peer connection is attempted via UDP hole punching. On success an encrypted WireGuard tunnel carries your data; if P2P fails, the connection routes through the TURN relay automatically.

For most users, Plum Relay handles connectivity automatically with zero configuration. Three lightweight services make it work:

• Signal server: facilitates peer discovery and exchanges connection metadata. No user data passes through it.
• STUN server: discovers your public IP address and NAT type for P2P negotiation.
• TURN relay: a fallback used only when a direct P2P connection isn't possible, such as behind symmetric or carrier-grade NAT.

• P2P first: the system always attempts a direct peer-to-peer connection. The relay is only ever a fallback.
• End-to-end encryption: all traffic runs through a WireGuard tunnel (ChaCha20-Poly1305). Even when relayed, Plum's servers cannot decrypt your data.
• No port forwarding required: it works behind any NAT or firewall.

For users who want complete independence from Plum's infrastructure, port forwarding with a static IP or DDNS gives you a direct connection.

• Requirements: a static IP or Dynamic DNS service, a router that supports port forwarding, and your Plum Box's local IP.
• Configuration: forward external port 443 (or a custom port) to your Plum Box's local IP on internal port 443, over TCP/UDP.
• Advantages: zero dependency on Plum servers, the lowest possible latency, and full operational independence.

A detailed port-forwarding setup tutorial will be published before shipping starts in 2026.

This is one of the most common concerns we hear. Plum Box is built on local-first principles: your data never leaves your device unless you explicitly access it remotely.

• Plum servers online: local and remote access both work, and your data is intact.
• Plum servers offline: local access still works, and remote access keeps working through port forwarding.
• Internet outage: local access works; remote access waits until you're back online.
• Plum Box hardware failure: the device is offline, but the SSD is removable, so your data comes with you.

The key takeaway: your data exists only on your SSD. Plum servers handle connection routing, not data storage. Local backup and local file access never require a Plum server at all.

Plum Box formats your SSD with exFAT for maximum cross-platform compatibility. exFAT reads and writes natively on Windows, macOS, and Linux with no extra drivers, and it has no practical file-size limit for large video. Pull the SSD out and you can read your files on any computer immediately.

The directory structure in the Plum app mirrors exactly what's on the SSD. What you see in the app is what you get on disk.

• /Photos: photo and video backups, organized in a year and month hierarchy.
• /Files: your uploaded files, in folders you define.

Plum Box offers optional full-disk encryption for users who want extra security. With encryption off, files are visible the moment you plug the SSD into a PC. With it on, you read them through the Plum Decryption Tool, a standalone app for Windows, macOS, and Linux that works independently of Plum Box or Plum servers, and that we'll archive permanently.

Plum Box has a single M.2 NVMe SSD slot (M-key), which keeps the device compact, affordable, and simple.

• Supported drives: M.2 NVMe (M-key).
• When storage fills up: swap the SSD inside your Plum Box, or read the old drive through an external enclosure.
• Accessing old drives: re-insert into Plum Box for quick browsing, use a $10-15 M.2 USB enclosure to read on any PC, or plug into a motherboard M.2 slot for the fastest transfer.

If encryption is enabled, you'll need the Plum Decryption Tool regardless of how you access the drive.

Remote RAID is on the way. It binds several Plum Boxes linked to the same account into a single RAID, expanding your storage while protecting against data loss from a physically damaged SSD. It's in active development, and we'll share news the moment it's ready.

• Remote access: peer-to-peer first, with an encrypted relay fallback.
• Transit encryption: end-to-end encrypted.
• Storage encryption: optional, with a standalone decryption tool.
• File system: exFAT, with native cross-platform support.
• Directory structure: /Photos and /Files, mirroring the app UI.
• Server dependency: none for local access; relay or port forwarding for remote.
• Storage expansion: swap the SSD, or read old drives via an enclosure.

Plum Box is built on three principles:

• Your data stays yours: 100% local storage, no cloud dependency.
• No lock-in: a standard file system, a removable SSD, and open protocols.
• Graceful degradation: if Plum disappears, your data and your access remain.