A privacy-first, self-hosted password manager built on true zero-knowledge principles.
Your vault lives on your server. Your key never leaves your device. Your secrets stay yours.
Every major password manager (LastPass, 1Password, Bitwarden Cloud) ultimately stores your vault on someone else's server. "Zero-knowledge" in their marketing means they claim not to read your data. It doesn't mean they can't.
Zero Password Manager takes a different position: the server that holds your vault is one you run yourself. On your home server, your VPS, your Raspberry Pi. The encrypted vault sits on hardware you physically control.
Combined with client-side encryption that ensures the server is cryptographically blind to all vault contents, this is privacy that doesn't require trusting anyone.
No cloud subscription. No vendor lock-in. No breach notifications from a company you forgot you trusted.
Detailed material for both users and security-conscious developers:
- Feature Guide: polished tour of security, organization, and platform capabilities.
- Technical Core (How it Works): deep technical dive into the encryption architecture, data flow, and security model.
Feature overview: Security & Privacy · Vault & Usability
This section exists because password managers live or die by the honesty and clarity of their security claims. Here is exactly how Zero Password Manager protects your data, with nothing hidden.
Passwords are encrypted on your device before a single byte reaches the network.
```text
+------------------------------------------------------------------+
| YOUR DEVICE                                                      |
|                                                                  |
|   Master Password + Salt                                         |
|             |                                                    |
|             v                                                    |
|        PBKDF2-SHA256                                             |
|   (600,000 iterations default · 256-bit output; legacy 100k)     |
|             |                                                    |
|             +--> Vault Key --> AES-256-GCM --> Encrypted Blob    |
|             |                  (12-byte nonce · 16-byte auth tag)|
|             |                                                    |
|             +--> HMAC-SHA256(site_url) --> Site Hash (lookup key)|
|                                                                  |
+------------------------------------------------------------------+
| NETWORK   Only encrypted blob + site hash ever transmitted       |
+------------------------------------------------------------------+
| YOUR SERVER                                                      |
|                                                                  |
|   Stores: [ site_hash ][ encrypted_blob ][ argon2id_login_hash ] |
|   Knows:  Nothing. Cryptographically blind.                      |
|                                                                  |
+------------------------------------------------------------------+
```
| Data | Server Stores | Server Can Read |
|---|---|---|
| Your master password | Never | Never |
| Site URLs | HMAC-SHA256 hash only | No (keyed, one-way hash; the key stays on the device) |
| Usernames | AES-256-GCM ciphertext | No (no key) |
| Passwords | AES-256-GCM ciphertext | No (no key) |
| Notes / metadata | AES-256-GCM ciphertext | No (no key) |
| Your login credential | Argon2id hash + salt | No (one-way) |
Blind site hashing is a standout feature: even site URLs are stored as HMAC-SHA256 hashes keyed with a key derived on the device. An attacker who compromises your database cannot determine which websites you have credentials for. The keying is what makes this hold: the set of popular sites is small, so an unkeyed hash of a URL would fall to a dictionary in seconds, and the guarantee lasts only as long as the HMAC key never reaches the server. The same logic applies to login: the server Argon2id-hashes whatever credential it receives, so that credential must be distinct from the master password that unlocks the vault.
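The pipeline in the diagram, worked through end to end as an added example. This is not the project's crypto_service.dart (which is Dart) but a Python model of the same design, and it also shows the dictionary attack that a keyed site hash defeats and an unkeyed one does not. Assumptions not stated on the page: the single PBKDF2 output is split into separate AES and HMAC subkeys with labelled HMAC calls, hostnames are canonicalised (lower-cased, `www.` stripped) before hashing, and the blob may be bound to its site hash as GCM associated data. The AES-GCM step needs the third-party `cryptography` package; everything else is standard library.

```python
"""Client-side vault pipeline: master password in, opaque blob + keyed site hash out.
Added example; not the project's CryptoService."""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

PBKDF2_ITERATIONS = 600_000      # page default
LEGACY_MIN_ITERATIONS = 100_000  # page's legacy floor
NONCE_LEN = 12                   # AES-GCM nonce size from the diagram; the 16-byte
                                 # tag is appended by the AEAD library


def derive_root_key(master_password: str, salt: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-SHA256 with a 256-bit output. Runs on the device only."""
    if iterations < LEGACY_MIN_ITERATIONS:
        raise ValueError("iteration count below the legacy minimum of 100k")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def subkey(root_key: bytes, label: bytes) -> bytes:
    """Assumed split: derive independent AES and HMAC keys from the one PBKDF2
    output so the two uses never share key bytes."""
    return hmac.new(root_key, label, hashlib.sha256).digest()


def canonical_site(url: str) -> str:
    """Assumed normalisation so https://WWW.Example.com/login and example.com agree."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def site_hash(key, url: str) -> str:
    """Blind lookup key. key=None is the insecure unkeyed variant, kept only to
    demonstrate why the device-held key matters."""
    canon = canonical_site(url).encode()
    if key is None:
        return hashlib.sha256(canon).hexdigest()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def encrypt_blob(enc_key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || 16-byte tag with AES-256-GCM (pip install cryptography).
    Pass the site hash as `aad` to stop a stolen row being swapped between sites."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption; never reuse under one key
    return nonce + AESGCM(enc_key).encrypt(nonce, plaintext, aad)


def decrypt_blob(enc_key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(enc_key).decrypt(nonce, body, aad)  # raises InvalidTag if tampered


def recover_sites(stored_hashes: set, wordlist, attacker_key=None) -> list:
    """What someone holding a stolen database can do: hash a list of popular hosts
    and look for matches. Without the device-held key every guess misses."""
    return [h for h in wordlist if site_hash(attacker_key, h) in stored_hashes]


if __name__ == "__main__":
    salt = os.urandom(16)
    root = derive_root_key("correct horse battery staple", salt)
    k_mac = subkey(root, b"zpm/site-hmac")
    wordlist = ["github.com", "example.com", "bank.example"]  # constructed sample
    print("unkeyed hash, stolen DB:", recover_sites({site_hash(None, "github.com")}, wordlist))
    print("keyed HMAC,   stolen DB:", recover_sites({site_hash(k_mac, "github.com")}, wordlist))
```

Canonicalisation is a design choice with a security edge: it is what lets the same site be found again from a slightly different URL, but anything folded together this way shares one lookup key, so the rule should be deliberate and stable across client versions.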
- TOTP 2FA is mandatory: enforced on account creation, cannot be disabled
- Per-operation OTP gating: configurable requirement for a fresh OTP on every vault read or write
- Single-use time codes: each TOTP code is invalidated after first use within its window
- JWT access tokens (15-min TTL) + refresh tokens (7-day TTL) with server-side revocation
- Rate limiting on all auth endpoints: 5 OTP attempts/minute, 10 login attempts/minute
- Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
- SSRF protection on internal HTTP proxy (favicon fetcher)
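Single-use codes and the OTP rate limit, shown together as an added example. The project uses pyotp and slowapi; this is a standard-library model of the same two checks (RFC 6238 TOTP with one step of clock skew, a per-user "highest counter already accepted" record that rejects replays, and a fixed 60-second window of 5 attempts). Time is passed in explicitly so the behaviour is deterministic; the `OtpGate` class, its method names and the skew of one step are this example's assumptions, not the project's API.

```python
"""Single-use TOTP verification with a per-user attempt limiter.
Added example; not the project's auth module."""
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per code
TOTP_DIGITS = 6
OTP_LIMIT = 5       # page: 5 OTP attempts/minute
OTP_WINDOW = 60     # seconds


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP for the time step containing `at` (Unix seconds)."""
    return hotp(secret, int(at // step))


class OtpGate:
    """Per-user OTP check that (a) refuses any time step already consumed, so a
    sniffed code cannot be replayed inside its 30 s window, and (b) stops after
    OTP_LIMIT attempts per OTP_WINDOW seconds. Reuse it for per-operation gating
    by calling verify() before each vault read or write."""

    def __init__(self, limit: int = OTP_LIMIT, window: int = OTP_WINDOW,
                 skew_steps: int = 1):
        self.limit, self.window, self.skew = limit, window, skew_steps
        self._last_counter = {}   # user -> highest TOTP counter already accepted
        self._attempts = {}       # user -> (window_start, attempts_in_window)

    def _take_attempt(self, user: str, now: float) -> bool:
        """Fixed-window limiter; returns False once the budget is spent."""
        start, n = self._attempts.get(user, (now, 0))
        if now - start >= self.window:
            start, n = now, 0
        if n >= self.limit:
            self._attempts[user] = (start, n)
            return False
        self._attempts[user] = (start, n + 1)
        return True

    def verify(self, user: str, secret: bytes, code: str, now: float) -> str:
        """Returns 'ok', 'rejected' or 'rate_limited'. Wrong codes count against
        the limit, so a guessing attacker exhausts it in seconds."""
        if not self._take_attempt(user, now):
            return "rate_limited"
        current = int(now // TOTP_STEP)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self._last_counter.get(user, -1):
                continue      # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[user] = counter
                return "ok"
        return "rejected"
```

Storing only the last accepted counter (rather than every used code) is enough because TOTP counters only move forward; it also means a code from the previous step is refused once a newer one has been accepted, which is the conservative choice.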
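The SSRF guard a favicon fetcher needs, as an added example rather than the project's own proxy code. The server fetches a URL the client chose, so the check must refuse anything that would reach loopback, RFC 1918, link-local (cloud metadata at 169.254.169.254) or other non-public addresses, and must judge the resolved addresses rather than the hostname string, since `2130706433` or an IPv4-mapped IPv6 literal resolve to places the string does not look like. The resolver is injectable so the check can be exercised offline; `vet_favicon_url`, `is_public_ip` and the allowed-port set are this example's names and choices.

```python
"""SSRF guard for a server-side favicon fetcher. Added example; not the project's code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # favicons live on the standard ports; nothing else needed


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    (::ffff:10.0.0.1) is unwrapped so it cannot smuggle a private IPv4 through."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> list:
    """Every A/AAAA answer for host; all of them must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_favicon_url(url: str, resolver=system_resolver) -> tuple:
    """Validate a client-supplied URL. Returns (scheme, host, pinned_ip, port) so
    the caller connects to the vetted IP with a `Host: host` header, closing the
    DNS-rebinding gap between check and fetch. Raises ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL")
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:                         # literal IP, including bracketed IPv6?
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:           # a name: judge what it resolves to, never the
        ips = resolver(host)     # string, so 2130706433 or 0x7f.1 are caught too
    if not ips:
        raise ValueError(f"unresolvable host: {host}")
    for ip in ips:
        if not is_public_ip(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parts.scheme, host, ips[0], port


def is_safe_favicon_url(url: str, resolver=system_resolver) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        vet_favicon_url(url, resolver)
        return True
    except ValueError:
        return False
```

Two things the guard cannot do on its own: HTTP redirects must be re-vetted hop by hop (disable automatic redirects in the HTTP client and loop), and the response should be capped in size and content type, since a favicon fetcher has no business streaming megabytes of arbitrary bytes back into the server.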
Every vault operation (read, write, delete, login, logout) is logged with timestamp, IP address, and user agent. The audit log is append-only and visible only to the account owner.
```text
+-------------------------------------+      +-------------------------------------+
| Flutter Client                      |      | FastAPI Server                      |
| (Android / iOS / Web / Desktop)     |      | (your server/VPS)                   |
|                                     |      |                                     |
|  +-----------------------------+    |      |  +-----------------------------+    |
|  | UI Screens (15)             |    |      |  | Auth Module (JWT+2FA)        |    |
|  +--------------+--------------+    |      |  +-----------------------------+    |
|                 |                   |      |  | Passwords Module (CRUD)      |    |
|  +--------------v--------------+    |      |  +-----------------------------+    |
|  | Services Layer              |    |      |  | Folders Module              |    |
|  |  - CryptoService (E2E enc)  |    |      |  +-----------------------------+    |
|  |  - VaultService ------------+----+------+->| Audit Module              |    |
|  |  - SharingService           |    |      |  +-----------------------------+    |
|  |  - EmergencyService         |    |      |  | WebAuthn Module (FIDO2)      |    |
|  |  - RotationService          |    |      |  +--------------+--------------+    |
|  +--------------+--------------+    |      |                 |                   |
|                 |                   |      |  +--------------v--------------+    |
|  +--------------v--------------+    |      |  | SQLite (SQLAlchemy 2.0)      |    |
|  | Local Secure Storage        |    |      |  | Encrypted blobs + hashes     |    |
|  | (flutter_secure_storage +   |    |      |  +-----------------------------+    |
|  |  Hive encrypted cache)      |    |      |                                     |
|  +-----------------------------+    |      +-------------------------------------+
+-------------------------------------+
```
Encrypted over HTTPS only. No plaintext ever on the wire.
5-minute setup. You need Python 3.10+ and Flutter 3.x.

```bash
git clone https://github.com/SoulNaturalist/zero_password_manager.git
cd zero_password_manager/server

# Install dependencies
pip install -r requirements.txt

# Configure environment
cp ../example.env .env
```

Open `.env` and set the two required values:

```env
# Generate with: python -c "import secrets; print(secrets.token_hex(32))"
JWT_SECRET_KEY=your-64-character-hex-secret-here

# Your server's accessible address
ALLOWED_ORIGINS=http://YOUR_SERVER_IP:3000
```

Start the API server:

```bash
python -m uvicorn main:app --host 0.0.0.0 --port 3000
```

The API is live at http://YOUR_SERVER_IP:3000 · Interactive docs at /docs

This quick start binds uvicorn on every interface over plain HTTP. The vault blob is encrypted before it leaves the device, but JWTs and TOTP codes are not, so before exposing the API beyond a trusted LAN put a TLS-terminating reverse proxy in front of it and point the client at the https:// address.

Build the client from the project root:

```bash
cd ..                     # back to the project root
cp example.env env.prod
```

Edit `env.prod`:

```env
API_BASE_URL=http://YOUR_SERVER_IP:3000
ENVIRONMENT=production
```

Android (release APK):

```bash
flutter pub get
flutter build apk --release --dart-define=ENVIRONMENT=production
# -> build/app/outputs/flutter-apk/app-release.apk
```

Run on a connected device / emulator:

```bash
flutter run --dart-define=ENVIRONMENT=production
```

Web:

```bash
flutter build web --release --dart-define=ENVIRONMENT=production
```

iOS (requires macOS + Xcode):

```bash
flutter build ios --release --dart-define=ENVIRONMENT=production
```

Pre-built Android APKs are available from GitHub Releases.
1. Download zero-password-manager-vX.X.X.apk
2. Enable "Install from unknown sources" on your device
3. Install and open the app
4. Enter your server address on the settings screen

iOS and Desktop: build from source using the instructions above.
```text
zero_password_manager/
│
├── lib/                               # Flutter application (Dart)
│   ├── main.dart                      # App entry point
│   ├── config/
│   │   └── app_config.dart            # Server URL + environment config
│   ├── screens/                       # 15 UI screens
│   │   ├── login_screen.dart
│   │   ├── signup_screen.dart
│   │   ├── pin_screen.dart
│   │   ├── passwords_screen.dart      # Main vault view
│   │   ├── add_password_screen.dart
│   │   ├── edit_password_screen.dart
│   │   ├── password_history_screen.dart
│   │   ├── folders_screen.dart
│   │   ├── settings_screen.dart
│   │   ├── sharing_screen.dart
│   │   ├── emergency_screen.dart
│   │   └── telegram_binding_screen.dart
│   ├── services/                      # Core business logic
│   │   ├── crypto_service.dart        # AES-256-GCM + PBKDF2 + HMAC-SHA256
│   │   ├── vault_service.dart         # Vault CRUD operations
│   │   ├── sharing_service.dart       # Secure credential sharing
│   │   ├── rotation_service.dart      # Password rotation tracking
│   │   ├── emergency_service.dart     # Emergency access grants
│   │   └── cache_service.dart         # Encrypted local cache (Hive)
│   ├── widgets/                       # Reusable UI components
│   └── theme/
│       └── colors.dart                # Midnight Dark · Cyberpunk · Glassmorphism
│
├── server/                            # FastAPI backend (Python)
│   ├── main.py                        # Application factory + middleware
│   ├── auth/                          # JWT auth + WebAuthn/FIDO2
│   ├── passwords/                     # Encrypted vault CRUD
│   ├── folders/                       # Folder management
│   ├── audit/                         # Immutable audit log
│   ├── models.py                      # SQLAlchemy ORM models
│   ├── schemas.py                     # Pydantic request/response schemas
│   ├── crud.py                        # Database operations
│   └── requirements.txt
│
├── assets/
│   ├── demo.gif                       # Demo animation
│   └── images/backgrounds/            # Theme background images
│
├── .github/workflows/
│   └── release-apk.yml                # Automated APK build + GitHub Release
│
├── env.example                        # Environment config template
├── pubspec.yaml                       # Flutter package manifest (v0.2.1)
└── README.md
```
| Layer | Technology | Purpose |
|---|---|---|
| Mobile / Desktop / Web | Flutter 3.x + Dart | Cross-platform UI |
| Backend API | FastAPI + Uvicorn | REST API server |
| Database | SQLite + SQLAlchemy 2.0 | Encrypted vault storage |
| Vault encryption | AES-256-GCM | Symmetric authenticated encryption |
| Login KDF | Argon2id (server-side) | Password hashing for login |
| Vault KDF | PBKDF2-SHA256 (600k iter, min 100k) | Vault key derivation on device |
| Site obfuscation | HMAC-SHA256 | Blind site URL hashing |
| Authentication | JWT HS256 (access + refresh) | Session tokens, revocable server-side |
| Two-factor auth | TOTP (pyotp) | Time-based one-time passwords |
| Passkeys | WebAuthn (py_webauthn) | FIDO2 passwordless authentication |
| Rate limiting | slowapi | Brute-force protection |
| Local secure storage | flutter_secure_storage | Platform keychain integration |
| Local cache | Hive (encrypted) | Offline-capable vault cache |
| Biometrics | flutter_locker | Fingerprint + Face ID unlock |
| Feature | Zero PM | Bitwarden Cloud | LastPass | 1Password |
|---|---|---|---|---|
| Server you control | yes | no | no | no |
| No third-party cloud | yes | no | no | no |
| Fully open source | yes | yes | no | no |
| Free, no subscription | yes | partial | no | no |
| Works fully offline | yes | no | no | no |
| Blind URL hashing | yes | no | no | no |
| Audit log (free tier) | yes | enterprise | enterprise | no |
| Password rotation | yes | no | no | no |
| Emergency access | yes | premium | premium | no |
| Custom themes | yes (3) | no | no | no |
| Mandatory 2FA | yes | optional | optional | optional |
Bitwarden is excellent software and the recommended choice if you want hosted simplicity. Zero Password Manager is for users who need total control over their data infrastructure.
v0.3
- Docker Compose for one-command server deployment
- Browser extension (Chrome / Firefox)
- Improved onboarding flow
v0.4
- Built-in TOTP authenticator (store 2FA seeds in vault)
- Secure notes with Markdown rendering
- Custom fields per credential
v0.5
- PBKDF2 iteration count configuration UI
- Multi-vault support (personal / work)
- Encrypted backup export (`.zpmbak`)
Future
- iOS App Store build pipeline
- Hardware security key support (YubiKey / FIDO2 token)
- Self-hosted auto-update server
- Passphrase generator with wordlist selection
Zero Password Manager is open to contributions. Security-focused projects particularly benefit from fresh eyes.
```bash
# 1. Fork the repository on GitHub
# 2. Clone your fork
git clone https://github.com/YOUR_USERNAME/zero_password_manager.git
# 3. Create a feature branch
git checkout -b feature/your-feature-name
# 4. Make your changes, then commit
git commit -m "feat: describe your change clearly"
# 5. Push and open a Pull Request targeting main
git push origin feature/your-feature-name
```

Good first issues:

| Area | Examples |
|---|---|
| Bug fixes | UI edge cases, error handling improvements |
| Documentation | Clearer setup guides, architecture docs |
| Translations | i18n for new languages (app is currently EN/RU) |
| UI / UX | Accessibility improvements, new theme ideas |
| Tests | Unit tests for crypto_service.dart, integration tests |
| Security | Audit, threat modelling, dependency review |
Please check open Issues before starting significant work, and open a discussion first for large feature additions.
Licensed under the PolyForm Noncommercial License 1.0.0.
| Permitted | Prohibited |
|---|---|
| Personal use and self-hosting | Commercial use or SaaS deployments |
| Research and academic use | Revenue-generating services built on this code |
| Hobby projects and tinkering | Sublicensing under different terms |
| Forking and modifying | Removing license or attribution |
If you need a commercial license, open an issue to discuss.
Zero Password Manager
Private · Encrypted · Self-hosted · Open Source
If this project is useful to you, consider giving it a star; it helps others find it.
Suggested repository description:
Self-hosted, open-source password manager with AES-256-GCM client-side encryption, mandatory TOTP 2FA, blind URL hashing, biometric unlock, and a Flutter UI. No cloud. No subscriptions. No trust required.
Suggested GitHub topics:
password-manager self-hosted flutter fastapi open-source privacy security aes-256 zero-knowledge totp 2fa encrypted-vault dart biometric end-to-end-encryption
