storage-p
Zero-knowledge · open architecture

Your secrets, encrypted before they leave your device

A password & key manager where the server only ever stores ciphertext. Generate passwords, SSH/TLS keys, share via one-time links or end-to-end with other users — and grant scoped, confirmable API access to external systems.

Self-hosted · master password never leaves your browser

Everything in one encrypted place

Zero-knowledge

Argon2id derives your key in-browser; the server sees only XChaCha20-Poly1305 ciphertext. A breach exposes nothing readable.

Generators

Strong passwords, EFF diceware passphrases, Ed25519 SSH keys (OpenSSH), self-signed TLS certificates — all client-side.

Built-in 2FA

Store TOTP secrets and get live rotating codes right next to your logins. It’s a vault and an authenticator.

Safe sharing

One-time burn-after-read links (key in the URL fragment), or end-to-end sealed-box sharing to other users.

Integration API

Scoped API tokens let integrations read only chosen secrets — each access confirmable in-app or via Telegram, fully audited.

Security audit

Find weak, reused and stale passwords, and logins without 2FA — computed locally, nothing leaves the browser.

Built for real secret-handling

Concrete workflows storage-p was made for — every one of them stays zero-knowledge.

Infrastructure credentials in one vault

Keep SSH keys, TLS certificates, API keys and server passwords together. Generate Ed25519 keys and self-signed certs in the browser, or upload existing key files — everything is encrypted before it touches the server.

Shared project secrets, still zero-knowledge

Group secrets into a project folder and grant teammates read or write access. The project key is sealed to each member’s key, so the server never holds a readable copy — and you can revoke access at any time.

Scoped, confirmable access for integrations

Issue an API token that can read only the items you whitelist. Require tap-to-approve confirmation — in-app or via Telegram — on every read, with rate limits and an expiry. Each access is logged.

Passwords and 2FA in one place

Store logins with their TOTP secrets and read the rotating codes right beside them. The built-in audit flags weak, reused and stale passwords — all computed on your device.

Move in from Bitwarden or KeePass

Import a Bitwarden JSON or KeePass/CSV export. Parsing and encryption happen locally, so your passwords are re-encrypted under your key and never uploaded in the clear.

Hand over a secret exactly once

Create a burn-after-read link whose decryption key lives only in the URL fragment — it never reaches the server, and the link stops working after the first open.
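The burn-after-read flow described above, as an added example that is not storage-p's own code: it shows that the request the server receives carries no key, and that the blob is gone after the first open. It runs under Node, uses AES-256-GCM from Node's crypto module as a stand-in for XChaCha20-Poly1305, and the `/s/<id>` path, the example host and the in-memory "server" are assumptions.

```javascript
// Added example: one-time link with the decryption key only in the URL fragment.
// AES-256-GCM (Node built-in) stands in for XChaCha20-Poly1305; the /s/<id> path,
// host name and in-memory server are assumptions, not storage-p's API.
const nodeCrypto = require('node:crypto');

const server = new Map(); // id -> ciphertext blob; all the server ever holds

// Sender side: encrypt locally, upload only the blob, keep the key in the fragment.
function createLink(secret, base = 'https://vault.example') {
  const key = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const id = nodeCrypto.randomBytes(8).toString('hex');
  server.set(id, Buffer.concat([nonce, ct, cipher.getAuthTag()]));
  return `${base}/s/${id}#${key.toString('base64url')}`;
}

// What goes on the wire: the fragment is stripped before the request is sent.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Server side: hand the blob out once, then delete it.
function fetchOnce(id) {
  const blob = server.get(id);
  server.delete(id);
  return blob ?? null;
}

// Recipient side: fetch by id, decrypt with the key taken from the fragment.
function openLink(link) {
  const u = new URL(link);
  const blob = fetchOnce(u.pathname.split('/').pop());
  if (!blob) return null; // already burned
  const key = Buffer.from(u.hash.slice(1), 'base64url');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(blob.length - 16));
  const body = blob.subarray(12, blob.length - 16);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8'); // throws on a wrong key
}
```

The fragment is still recorded in browser history and readable by any script running on the page, which is why the strict CSP and the absence of third-party scripts matter for this feature.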

Security you can verify

  • Master password never transmitted — only an Argon2id auth-hash is.
  • XChaCha20-Poly1305 for items, sealed-box (X25519) for user sharing.
  • Auto-lock wipes the vault key from memory; unlock re-derives it locally.
  • Strict CSP, HSTS, no third-party scripts, self-hostable.
  • If you forget the master password, data is unrecoverable — that’s the point.

Frequently asked questions

What if I forget my master password?

Nothing can recover it. Your vault key is derived from the master password with Argon2id and never leaves your browser, so there is no reset and no backdoor — that is what zero-knowledge means. Keep an encrypted backup export if you want a safety net.

Can the server read my data?

No. Items are encrypted on your device with XChaCha20-Poly1305 before upload; the server only ever stores and returns ciphertext. A server or database breach exposes nothing readable.

Is the database encrypted at rest too?

Yes. On top of the client-side zero-knowledge encryption, the server database is encrypted at rest with SQLCipher. There are no third-party scripts, and the app ships a strict CSP and HSTS.

Can I self-host it?

Yes. It runs as a Docker container behind Caddy on your own server and domain — the self-hosting guide is in the documentation.

How is this different from a normal password manager?

It stores more than passwords — SSH/TLS keys, API keys and TOTP secrets — generates keys client-side, and gives external systems scoped, confirmable API access instead of all-or-nothing exports.

Is it safe to store SSH and API keys here?

Yes. They are encrypted in your browser like everything else and never stored in plaintext. You can also generate Ed25519 SSH keys and self-signed TLS certificates locally, so the private key is born encrypted.

Take back control of your secrets

Free, self-hostable, zero-knowledge.
