VuVault · Zero-knowledge password manager · 2030 stack Zero-knowledge password manager
Your passwords. Untouchable. Mathematical privacy.
Not policy.
Touch ID unlocks your vault. Nothing else needed. Your stuff stays on your device. We never see it. Not even with a court order. Not even in 2032. Touch ID unlocks your vault. Local-only. We never see it. OPAQUE authentication. ML-KEM-1024 hybrid envelopes. WebAuthn PRF unlock. Sigstore + Rekor on every release. The cryptography your incumbents have not shipped. OPAQUE · ML-KEM-1024 · WebAuthn PRF · Sigstore Rekor. Cryptography incumbents skipped.
Same-origin only · no third-party hosts Same-origin only No analytics tags shipped Zero analytics Crypto runs in your browser, not ours Local-only crypto
Production builds require WebAuthn PRF · demo mode is dev-only and
gated behind an explicit env flag.
Scroll
The 2025 password manager won't survive 2030
The threat model changed.
The architecture didn't.
Every mainstream password manager you know was designed in the 2017 threat model. None of them ship the cryptography that 2026 actually requires. The numbers are not subtle. The 2017 threat model. None ship the cryptography 2026 requires.
16billion
passwords leaked in a single 2025 breach affecting Google, Apple, and
Facebook accounts. passwords leaked in a single 2025 breach.
Fox News · June 2025
11/11
major password managers vulnerable to clickjacking autofill theft at DEF
CON 33. password managers vulnerable to clickjacking at DEF CON 33.
Tóth · DEF CON 33 · Aug 2025
0
mainstream password managers ship post-quantum encryption. Your vault
stolen today is decryptable in 2032. mainstream managers ship post-quantum. Stolen today, decrypted 2032.
FIPS 203 · NIST · Aug 2024
VuVault is the architecture they have not shipped. Built from primitives standardized in the last 18 months — OPAQUE, ML-KEM, WebAuthn PRF — with FROST and AKD on the Tier 2/3 roadmap.
What VuVault gives you What VuVault ships that they can't claim
Three things, no asterisks. Three sentences, all defensible.
01 / 03
Touch ID is enough.
No master password to memorize. Your fingerprint or Face ID unlocks the
vault directly. The same passkey that proves who you are also unlocks what
you have. No master password. Your fingerprint unlocks the vault directly.
webauthn-prf · zero passwords typed
02 / 03
Architecturally untouchable.
Your vault is encrypted on your device. The server only ever sees an
opaque blob. Nobody can read it — not us, not a court order, not a future
quantum computer in 2032. Mathematical, not promised. Encrypted on your device. The server sees only an opaque blob — even in
2032.
level 0 · zero-knowledge by construction
03 / 03
$25.60 a year. All in.
One flat price. Every device. Every feature. No per-user multipliers. No
tiers. Compare 1Password $35.88, Dashlane $59.88, Proton Pass $47.88 — and
most charge per seat. We don't. One price. Every device. Every feature. No tiers. No per-seat.
256 bits × $0.10 = honest math
01 / 03
Server never sees your password.
Authentication via OPAQUE (RFC 9807, July 2025). The server learns no
information about the password — not plaintext, not a hash, not even
during registration. Mathematically proven against pre-computation attacks
upon server compromise. OPAQUE (RFC 9807). Server learns nothing — no plaintext, no hash, ever.
RFC 9807 · OPAQUE-3DH · Argon2id KDF
02 / 03
Hybrid post-quantum envelope.
Vault encrypted under
ML-KEM-1024 + X25519 hybrid KEM with AES-256-GCM. Resistant to harvest-now-decrypt-later by
construction. Sub-millisecond cryptographic overhead — matches X25519
performance, no perceptible cost. ML-KEM-1024 + X25519 hybrid + AES-256-GCM.
Sub-ms overhead.FIPS 203 · ML-KEM-1024 · 256-bit security
03 / 03
PRF unlock + 256-bit Secret Key.
Vault key =
HKDF(WebAuthn-PRF(passkey, salt) ‖ SecretKey).
The Secret Key is 256 bits of true random, generated client-side, never
transmitted. Even with a complete server compromise + Argon2id break,
attackers face 256 unbreakable bits. Vault key = HKDF(PRF ‖ SecretKey). 256 bits, never
transmitted.webauthn-prf · hkdf-sha512 · x25519 + ml-kem-1024 · aes-256-gcm
The credential vault UI rendered from real product code
Your credentials,
masked by default. No screenshots. No DOM secrets.
V VuVault
Search the vault… ⌘K
UNLOCKED
Logins31
G
github.com
rlopez
N
Notion
L
Linear
rl
S
Stripe
LOGIN
Fastmail
Personal · synced today
Website
fastmail.com
Username
Password
••••••••••••••••
Auto-hides in 30 seconds
2FA · TOTP
748 219 19s
ZK active vault.local · 42 items · 1.2 MB · ML-KEM-1024 · AES-256-GCM a3f8…e2c1
01
Credentials first Login · TOTP · SSH · seeds
Logins, secure notes, identities, SSH keys, crypto seeds — every
kind of secret lives in the same encrypted bucket. One unlock,
one keyring, one place to look. Logins, notes, SSH keys, seeds — one encrypted vault. Seven discriminated
ItemKind variants share the
same hybrid envelope. Field-level masking is enforced before
render — secret strings never appear in the DOM until you tap
reveal. Seven ItemKind variants · one envelope · masked-before-render.02
Reveal only on purpose. 30s reveal TTL · 60s clipboard clear
Passwords stay masked. Tap the eye to read for 30 seconds, then
the field re-hides on its own. Copy and we wipe the clipboard 60
seconds later — no shoulder surfing, no lingering paste
buffers. Reveal for 30s, then auto-hide. Clipboard wipes 60s after copy.
REVEAL_TTL_MS = 30_000 in VaultDetail.svelte; clipboard auto-clears via setTimeout(60_000) regardless of clipboard-read permission. Every reveal is
audit-logged locally. REVEAL_TTL_MS = 30_000 · unconditional 60s clipboard clear.03
Safety you can read. Local health · opaque sync state
The vault calls out weak and reused passwords before anyone
else sees them. The check runs entirely on your device — your
passwords never leave it to be graded. Weak and reused checks run on-device. Nothing leaves.
password-health.ts scores entropy and reuse
in-memory; the server only ever observes opaque ciphertext under a random blob UUID — no device
id, no account-linked clock. Footer surfaces ZK state, suite,
and build hash — proof, not policy. In-memory entropy/reuse check · server sees only opaque ciphertext. Inside the vault UI rendered from a real session
The most polished vault
you've ever used. No screenshots. Live SVG.
01
Photoreal cards Hyperreal SVG card mocks
Your saved cards look like the real thing — chip, contactless,
full colors. Tap to flip and see the CVC for 30 seconds, then it
auto-hides. Photoreal cards. Tap to reveal the CVC for 30s, then it
auto-hides. Each card is a parametric SVG with network-specific gradients
(Visa navy, Amex platinum), ISO 7816 chip detail, contactless
mark, and emboss-shadowed JetBrains Mono numerals. Parametric SVG · network gradients · ISO 7816 chip detail.
02
Three-pane by design No page-level scroll · Cardinal Rule
Categories on the left, items in the middle, details on the
right. Everything is one click away. No menus, no hidden flows. Categories, items, details. One click each. No hidden menus. Viewport-locked layout,
100dvh root, no body scroll.
Every panel sized to fit; only the item list scrolls internally. 100dvh root · no body scroll · only the list
scrolls.03
Status you can read. Audit-feed pinned to footer
The footer always tells you what's happening. Local-only today,
sync arrives in Tier 2. No mystery. The footer always tells you what's happening. No mystery. Persistent audit-feed: vault size, ZK status (active / sealed),
active crypto suite, build hash. The byte counter wires up once the
Tier 2 sync server ships — until then the footer reads
Local-only. Audit-feed: vault size · ZK status · suite · build hash. Built for your pocket first PWA · 100dvh · safe-area inset
Touch ID, then done. Native-grade UX, web-grade reach.
Touch ID unlocks instantly WebAuthn PRF on platform authenticator
Your fingerprint or Face ID opens the vault. No master password
to type. No password to forget. Fingerprint or Face ID. No master password to type or forget. PRF returns 32 bytes deterministically bound to your passkey.
HKDF-SHA512 derives the vault key without round-trip to a server. PRF · 32 bytes · HKDF-SHA512 vault-key. No server round-trip.
Tier 2 · 2027 Same vault, every device CRDT sync across paired devices
Tier 2 design: edit on your laptop, see it on your phone.
Offline edits will merge automatically when you reconnect — no
conflicts, no lost changes. Today the vault is local-only. Tier 2: edits merge automatically across devices. Today
local-only. Tier 2 design: encrypted CRDT operations under hybrid X25519 +
ML-KEM-1024 envelopes. Server holds opaque blobs only. Padding
to hide which item changed is in the Tier 2 spec, not yet
implemented in
vault-codec.ts. Encrypted CRDT ops · hybrid envelope. Server holds opaque
blobs.TOTP codes built in RFC 6238 with auto-fill bridge
Two-factor codes live next to your passwords. Tap to copy, watch the
countdown ring fill, ship it before it expires. Live TOTP per item with 30s countdown ring. iOS/Android autofill bridge
delivers code without exposing seed to the OS keystore.
Audit feed always visible Pinned audit-feed footer · always-on
Bottom of every screen tells you what's happening: vault size, the
crypto suite in use, and whether the vault is sealed or unlocked.
No mystery, no surprises. Pinned footer surfaces vault size, ZK status (active / sealed),
active cipher suite, and bundle build hash. The byte counter wires
up once the Tier 2 sync server ships; until then it reads
Local-only. Tier 2 · 2027 Beyond passwords · the ultimate digital vault PDF, image, and document storage · same crypto stack
Beyond file shares.
Beyond cloud backups. Every byte ciphertext.
No exceptions.
Property deeds, car titles, contracts, medical records — the
documents you actually can't afford to lose or have leaked. Each file is sealed
in your browser with the active vault key before it ever touches
local storage or the sync server. Padding to bucketed sizes lands
with the Tier 2 CRDT sync server. Deeds, titles, contracts, records — sealed in your browser, server
holds opaque ciphertext only. Per-document AES-256-GCM under the active session AES key with a
document-scoped AAD (
vuvault-doc-aad-v1) bound to the
document UUID, device salt, and credential id. Encrypted bytes
persist to a separate Dexie table; sync uploads opaque ciphertext to vaults/<accountId>/documents/<blobId>.bin in
R2. Bucketed padding ships with Tier 2 CRDT sync. Per-doc AES-GCM · document-scoped AAD · opaque ciphertext server-side.Tier 2 Dropbox can read your stuff. We literally can't. Architectural privacy, not policy privacy
Cloud storage providers promise they won't look at your files.
We've shipped something stronger — a system where we
mathematically cannot. Encrypted document storage is wired
through the same M3 ciphertext sync path that powers password
sync. Documents encrypted client-side before upload; the server
holds opaque blobs and subpoenaing the M3 sync storage yields
ciphertext nobody can decrypt — including us. The handler
lives in
src/routes/api/v2/blobs/[uuid]/+server.ts and refuses anything but base64-encoded sealed bytes.Tier 3 Sign in place. Verify forever. In-vault signing · transparency log entry
Tier 3 design: sign contracts directly inside the vault. Every
signature timestamped and recorded in the public transparency log
— without revealing what you signed. Targets 2028 alongside the
CONIKS-style key directory. Tier 3 design: Ed25519 signature over document hash, anchored
in an append-only Merkle log via VRF. Document content stays
opaque; only existence provable. Lives in the L08 / L11 spec
(
docs/ARCHITECTURE.md).Tier 4 Time-lock for inheritance. drand timelock encryption
Tier 4 design: encrypt your will or instructions to release on
a future date. Nobody — including you — can decrypt early.
Beats a notary, a safe deposit box, and a custodian combined.
Targets 2029+. Tier 4 design: tlock over BLS12-381 threshold network.
Encrypts to a future drand round; decryption physically
impossible until the threshold network publishes that round.
Not yet in any code path.
Property deeds Vehicle titles Contracts Medical records Tax returns Wills Passport scans SSN / IDs Insurance policies Crypto seed phrases
How VuVault works The cryptographic stack
Four steps. Nothing else needed. Ten layers. Each defensible.
01
You sign up
Pick a Secret Key. Touch your authenticator. No master password to memorize.
02
Your device generates keys
A 256-bit Secret Key + WebAuthn PRF derive your vault key locally. The server never sees them.
03
Vault encrypts itself
Hybrid X25519 + ML-KEM-1024 envelope encrypts your data before any byte leaves the device.
04
Sync without trust
Encrypted blobs travel through the cloud. The provider holds opaque ciphertext only.
01
OPAQUEaPAKE — server never sees password equivalents
RFC 9807
Shipped · D1-backed
02
PRF + Secret KeyWebAuthn-PRF ‖ Secret Key ‖ deviceSalt → HKDF-SHA512
WebAuthn L3 · RFC 5869
Shipped
03
Hybrid envelopeX25519 + ML-KEM-1024 KEM, AES-256-GCM AEAD
FIPS 203 · RFC 7748
KAT-locked
04
XMSS release signaturesStateful hash-based signatures over release artifacts
NIST SP 800-208
Build pipeline
05
Reproducible builds + SigstoreSHA-384 manifest verified in-page; Rekor entry per release
SLSA L3 · Sigstore
Shipped · Rekor keyless
06
MLS sharingGroup encryption with forward secrecy
RFC 9420 / 9750
Tier 2 spec
07
CRDT syncEncrypted blob diffs over hybrid PQ envelope
Yjs · HPKE · ML-KEM-768
Tier 2 spec
08
WebRTC + ECDH pairingLocal-first device pairing without server intermediation
WebRTC · X25519
Tier 2 spec
09
CONIKS / AKDAuthenticated key directory with verifiable transparency
CONIKS · WhatsApp AKD
Tier 2 spec
10
PIR + PSI breach checksServer learns nothing about which password you queried
RFC 9497 VOPRF · OPRF-PSI
Tier 2 spec
vs. the incumbents
We did the homework.
Here's the receipt.
| VuVault | 1Password | Bitwarden | Proton Pass | Apple Passwords | |
|---|---|---|---|---|---|
| Server cannot see master passwordOPAQUE / aPAKE · D1-backed · shipped M3 | |||||
| Post-quantum vault encryptionML-KEM-1024 hybrid (FIPS 203, KAT-locked) | |||||
| Master-password-free unlockWebAuthn PRF | |||||
| Verifiable transparency logCONIKS-style key log — Tier 2 | Tier 2 | ||||
| Private breach checkPIR — server learns zero — Tier 2 | Tier 2 | ||||
| Threshold-recovery without serverFROST t-of-n — Tier 3 | Tier 3 | ||||
| Reproducible builds + transparencySHA-384 manifest + Sigstore Rekor on every release | |||||
| Self-hosting / BYO storagePoint at your own R2 / S3 — Tier 2 | Tier 2 | ||||
| Open sourceApache 2.0, fully forkable | |||||
| Lifetime priceOne time, no subscription | $25.60/yr | $35.88 | $19.80 | $23.88 | free |
prices verified May 2026 · sources: vendor pricing pages
Tier 2 capabilities build on the shipped M3 ciphertext
sync path but still need field-level CRDT sync, sharing, and device
transparency before they are product-ready. Tier 3 capabilities (threshold recovery and stronger metadata operations)
target 2028. Today, cells marked tier-2/tier-3 remain roadmap items.
Honest pricing
$25.60. A year.
Every device. Every feature.
$25.60/year
256 bits of entropy × $0.10 = honest math
One flat price. Every feature. Multi-device sync on the Tier 2 roadmap.
No per-user pricing. No tier games. Cancel any time.
No per-user pricing. No tier games. Cancel any time.
$2.13/mobilled yearly
∞devices · Tier 2
∞updates
1Password $35.88/yr · Dashlane $59.88/yr · Proton Pass $47.88/yr · NordPass $26.85/yr · VuVault $25.60/yr Cheapest among 1Password, Dashlane, Proton — see the table.
Verify, don't trust
Don't take our word.
Take our hashes.
Three independent ways to verify what's running on your device matches what we say is running. No incumbent ships any of these.
METHOD 01
Reproducible builds
Every release builds byte-for-byte identically from public source. The
bundle hash appears in your unlock screen. Compare it to the GitHub
release hash. Bundle hash on every unlock screen. Compare to the GitHub release hash.
SHA-384
5337b04a ea841a68 be674b44
a316a10d f9b3d13d 4af3fb34
a1a5b28c 87cdd637 d09d23c7
64509bd3 33290699 8a65729b
✓ matches release v0.1.21
5337b04a ea841a68 be674b44
a316a10d f9b3d13d 4af3fb34
a1a5b28c 87cdd637 d09d23c7
64509bd3 33290699 8a65729b
✓ matches release v0.1.21
METHOD 02
Sigstore transparency log
Every release is signed and the signature is recorded in Rekor, a
public append-only log. We cannot ship a backdoored release without it
being publicly recorded — forever. Every release signed in a public append-only Rekor log. Backdoors are
permanently visible.
rekor entry 5337…729b
signed by github-actions OIDC
✓ keyless · Sigstore Fulcio + Rekor
signed by github-actions OIDC
✓ keyless · Sigstore Fulcio + Rekor
METHOD 03
Self-host the entire stack Tier 2 spec
The sync server is the SvelteKit Worker + D1 + R2 you already see in
this repo. Tier 1 deploys it as a single Cloudflare project. Bring-
your-own-bucket is on the Tier 2 roadmap — until then, the Worker
code is reproducible and signed end-to-end. Worker + D1 + R2. BYO bucket on the Tier 2 roadmap; reproducible
today.
$ wrangler pages deploy
✓ sigstore + rekor on every release
✓ reproducible from git checkout v0.1.21
bundle: 5337b04a
✓ sigstore + rekor on every release
✓ reproducible from git checkout v0.1.21
bundle: 5337b04a
Ready when you are
Your data. Your device.
Your control. Untouchable by construction.
Verifiable by
anyone.
Get the password manager that 2030 actually needs. Today, for $25.60/year. The password manager 2030 needs. $25.60/year. Read the blueprint, audit the source, deploy the server. Or just use it — $25.60/year. Read it, audit it, deploy it. Or use it — $25.60/year.