The last place you'll keep
your secrets

A self-hosted password manager + OTP vault + lightweight CRM. Encrypted client-side with your master password — the server stores opaque bytes and nothing else.

No subscription · No tracking · Open primitives · Your server
At a glance: PBKDF2 iterations · AES-256-GCM cipher · Argon2id memory cost · Age-encrypted backups

Who it's for

One vault, three kinds of people

Vaulty was built to scratch one freelancer's itch — and turned out to fit a lot more.

All your clients in one vault

Photo deliverables, contract PDFs, Stripe API keys, client logins — organized by folder, never mixed with personal stuff.

  • Per-client folders
  • Contract attachments
  • Revenue + retainer tracking

What's inside

Built for the way you actually work

One vault for credentials, finance, identity, and client work — without the monthly subscription.

Password Manager

Logins, cards, identities, SSH keys, secure notes — all encrypted client-side before they leave the browser.

  • 11 entry types (login, card, identity, SSH, WiFi, API key, license, bank, membership, OTP, note)
  • Per-entry password expiry + breach detection (HIBP via k-anonymity)
  • Custom fields, tags, folders
  • Bulk operations & advanced search

See the encryption

What the server actually sees

Type anything below. Watch it transform into opaque ciphertext before it ever leaves your browser.

Your input · plaintext (in memory)

UTF-8 bytes:

54 72 30 75 62 34 64 6f 72 26 33 5f 78 4b 65 79

After AES-256-GCM · what the server stores (sealed):

4323e99442c252072f2bc8b5b7b4030ee8ab7aa2e201cf871520e696f6db0bd7ecc9a338673aa41fde36e64d5b8b617c

Algorithm: AES-256-GCM
IV (random): 4323e99442c252072f2bc8b5
Auth tag: verified ✓
Server reads: ∅ nothing

This demo uses a deterministic placeholder cipher for visualization. The real vault uses WebCrypto AES-256-GCM with a random 12-byte IV per entry.

How it works

Encryption that you actually control

01 · Type · Master password

Stays in memory only — never transmitted, never logged.

02 · Derive · PBKDF2-SHA512 × 600,000

256-bit AES key derived locally. ~400 ms on a modern Mac.

03 · Encrypt · AES-256-GCM + 12-byte IV

Every entry sealed individually with an authentication tag.

04 · Sync · Opaque bytes → Postgres

Server stores ciphertext. Decryption only on devices you own.

Security

The crypto is the product

No marketing fluff. Here's exactly what protects your data.

AES-256-GCM

Each entry encrypted with a unique 12-byte IV. Auth tag verified on decrypt — tamper detection built in.

PBKDF2-HMAC-SHA512

600,000 iterations — well beyond OWASP 2023 guidance. Brute-force takes centuries on a single GPU.

Audit log + IP hashing

Every login, export, and rekey is logged. IP addresses stored as SHA-256 hashes — never plaintext.

Encrypted offsite backups

Daily Postgres dumps encrypted with Age, synced to your Mac and iCloud. Private key never lives on the server.

Self-hosted by default

You own the VPS, you own the data. No third party between you and your vault.

Open primitives

No homegrown crypto. We use the same building blocks 1Password and Bitwarden use.

Compared

How Vaulty stacks up

Feature                       Vaulty    1Password    Bitwarden
Zero-knowledge encryption
Self-hosted (own your data)
Built-in TOTP authenticator
Auto-detect email OTPs
Lightweight CRM included
File attachments              2 MB      1 GB         500 MB (paid)
Recovery codes (PDF)
Touch ID / biometric
Monthly cost                  $0        $2.99+       $0 / $10+

Last verified 2026-05 — features and pricing change; check vendor sites for current details.

What's next

The roadmap, on the wall

No locked-room planning. Here's what's shipped, what's being worked on, and what's coming.

Shipped · Gmail OTP auto-detect

OAuth-based polling that surfaces verification codes next to the matching entry.

Shipped · File attachments (2 MB)

Encrypted name + bytes packed into a single blob, drag-drop into any entry.

Shipped · Trash with 30-day retention

Soft-delete with restore. Rekey refuses if trash isn't empty — no orphaned ciphertext.

In progress · Browser extension

Chrome/Edge/Brave MV3 with autofill + save-on-submit. Shared crypto-core with the web app.

Planned · YubiKey / FIDO2

Hardware security key as a second factor on top of the master password.

Planned · iOS native app

Capacitor wrapper with Face ID. Scaffold is already in /mobile-app — waiting on signing.

Planned · Encrypted vault export

Export the whole vault to a .vault file sealed with a separate passphrase.

Exploring · Light mode

CSS variable refactor + Settings toggle. Optional.

Questions

Things people ask

You can restore the vault using one of your ten recovery codes (printed during setup). If you lose both, there is no backdoor — the server cannot decrypt your data. This is the trade-off of zero-knowledge.

Start using Vaulty right now

Native desktop window, Touch ID unlock, same vault as the web. Or just open the PWA.

Full-featured PWA — works in any modern browser

~30s setup · No account creation friction · 47 entries already protected