Zero-Knowledge Architecture

Encrypted by design.
Private by default.

A self-hosted password manager where your master password never leaves your device. All encryption happens client-side — not even the server can read your data.

AES-256 Encryption
100k PBKDF2 Rounds
Zero Knowledge
100% Open Source

Secure doesn't mean complicated.

Keyphra is designed to get out of your way. Install it, deploy it, forget about it.

1. Easy to install

Clone the repo, run npm install, and you're ready. No complex toolchains, no hidden dependencies, no surprises.

2. Easy to deploy

A single docker compose up gets you a production-ready instance. Self-host on any server, VPS, or even a Raspberry Pi.

3. Easy to manage

No admin panels to babysit, no cron jobs to configure. It just works. Updates are a single pull-and-restart.

Everything you need.
Nothing you don't.

Built for engineers and teams who take security seriously. No cloud lock-in, no subscription, no compromise.

Zero-Knowledge Encryption

Your master password never leaves your device. All encryption and decryption happens entirely client-side using the Web Crypto API. The server stores only encrypted blobs it can never read.

PBKDF2 Key Derivation

100,000 iterations of PBKDF2-SHA256 transform your password into an unbreakable encryption key, using your email as a unique salt.

TOTP Two-Factor Auth

Add a second layer of protection with time-based one-time passwords. Works with Google Authenticator, Authy, and any TOTP app.

Browser Extension

Chrome/Chromium extension with Manifest V3, auto-fill detection, smart domain matching, and configurable auto-lock timeout.

Self-Hosted & Free

Run on your own server with full control. No cloud dependency, no monthly fees. Your data stays exactly where you put it.

Organize & Search

Folders, favorites, full-text search across names, usernames, and URLs. Everything you need to manage hundreds of credentials.

Your password, your rules.

The server is designed to be untrusted. Even if every byte of server data were leaked, your passwords remain cryptographically secure.

1. Enter Master Password

You enter your master password on your device. It is never transmitted over the network.

2. Derive Encryption Key

PBKDF2 with 100k iterations and your email as salt creates an AES-256-GCM key locally.

3. Encrypt Client-Side

Every vault entry is encrypted in your browser before it ever touches the network or the server.

4. Store Encrypted Blobs

The server only ever sees ciphertext. No plaintext data, no master password, no encryption key.

Key Derivation Flow

Master Password + Email (salt) → PBKDF2 (100k iterations) → AES-256 Key → Encrypt / Decrypt
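
The four steps and the key derivation flow above, written against the Web Crypto API as an added example (this is not Keyphra's own code). The page specifies PBKDF2-SHA256, 100k iterations, the email as salt, and AES-256-GCM; the email normalisation, the 12-byte random IV, the { iv, ct } blob layout, and all sample values are assumptions.

```javascript
// Added illustration, not Keyphra source code.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 100_000; // iteration count stated on the page

const toB64 = (u8) => btoa(String.fromCharCode(...u8));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Steps 1-2: master password + email (salt) -> non-extractable AES-256-GCM key.
async function deriveVaultKey(masterPassword, email) {
  const baseKey = await webcrypto.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  const salt = enc.encode(email.trim().toLowerCase()); // normalisation is an assumption
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', iterations: PBKDF2_ITERATIONS, salt },
    baseKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Step 3: encrypt one entry. GCM needs a fresh IV per encryption under a given key.
async function encryptEntry(key, entry) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(entry)));
  // Step 4: this object is all a server would store (hypothetical blob layout).
  return { iv: toB64(iv), ct: toB64(new Uint8Array(ct)) };
}

// Decryption verifies the GCM tag, so a wrong key or tampered blob rejects.
async function decryptEntry(key, blob) {
  const pt = await webcrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(blob.iv) }, key, fromB64(blob.ct));
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed sample data: round trip, then an attempt with the wrong password.
async function demo() {
  const entry = { name: 'GitHub', username: 'henry', password: 'constructed-sample' };
  const key = await deriveVaultKey('correct horse battery staple', 'Henry@Example.com');
  const blob = await encryptEntry(key, entry);
  const roundTrip = await decryptEntry(key, blob);
  const wrongKey = await deriveVaultKey('wrong master password', 'henry@example.com');
  const rejected = await decryptEntry(wrongKey, blob).then(() => false, () => true);
  return { blob, roundTrip, rejected };
}

demo().then((r) => console.log(r));
```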

Modern tools.
Battle-tested crypto.

Built with technologies you already know and trust, backed by browser-native cryptographic primitives.

Frontend
  • React 18: TypeScript
  • Vite: Build tool
  • Tailwind CSS: Styling
  • Shadcn/UI: Components
  • Web Crypto API: Encryption
Backend
  • Node.js: Runtime
  • Express.js: Framework
  • MySQL: Database
  • JWT: Auth tokens
  • bcrypt: Hashing
Extension
  • Manifest V3: Chrome
  • Service Worker: Background
  • Content Script: Auto-fill
  • Chrome Storage: Persistence
  • Alarms API: Auto-lock

Ready to own your security?

Clone the repo, run three commands, and you have a production-ready password manager running on your own infrastructure.

# Clone and start
git clone https://github.com/ganry/keyphra.git
cd keyphra
docker compose up -d

# Your vault is live at localhost:5173