🛡️ AES-GCM 256-bit · Browser-only

Password Vault Lite

✓ Processed entirely in your browser · 0 bytes sent · Verify in DevTools

A zero-knowledge password vault that runs entirely in your browser. Your master passphrase derives the encryption key; we never see it. Your entries are stored locally in this browser, encrypted with your passphrase.

Create or unlock your vault

Pick a passphrase you'll remember. We can't recover it — if you forget it, your data is unrecoverable. That's the price of zero-knowledge encryption.

How the Vault Works

Your master passphrase is fed through PBKDF2 (250,000 SHA-256 iterations) to derive a 256-bit AES-GCM key. Every entry is encrypted with a fresh random IV. The ciphertext lives in your browser's localStorage and never leaves your device.

key = PBKDF2(passphrase, salt, 250k iter, SHA-256, 256 bit)
ciphertext = AES-GCM(key, iv, plaintext)

stored: { iv, ciphertext } ← never the passphrase
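
The derivation and per-entry encryption described above, written against the browser's Web Crypto API as an added example (not this site's own code). The function names, the 16-byte random salt, the 12-byte IV and the base64 record layout are assumptions; the page specifies only PBKDF2 with 250,000 SHA-256 iterations and AES-GCM with a 256-bit key.

```javascript
// Added example, not the vault's own source. Helper names and record layout are assumptions.
// Runs in a browser console or in Node (falls back to node:crypto's webcrypto on older versions).
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// key = PBKDF2(passphrase, salt, 250k iter, SHA-256, 256 bit)
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 250000, hash: 'SHA-256' },
    material,
    { name: 'AES-GCM', length: 256 },
    false, // non-extractable: page script cannot export the raw key bytes
    ['encrypt', 'decrypt']);
}

// ciphertext = AES-GCM(key, iv, plaintext), with a fresh random 96-bit IV for every entry
async function encryptEntry(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { iv: b64(iv), ciphertext: b64(ct) }; // JSON-safe, so it can go into localStorage
}

// Rejects (OperationError) if the key is wrong or the stored record was modified
async function decryptEntry(key, record) {
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64(record.iv) }, key, unb64(record.ciphertext));
  return dec.decode(pt);
}

// Constructed sample data: passphrases and entry text are made up for the demonstration
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // assumption: random salt kept beside the vault
  const key = await deriveKey('correct horse battery staple', salt);
  const a = await encryptEntry(key, 'example.com / hunter2');
  const b = await encryptEntry(key, 'example.com / hunter2'); // same plaintext, new IV
  const roundTrip = await decryptEntry(key, a);
  const wrongKey = await deriveKey('wrong passphrase', salt);
  const wrongRejected = await decryptEntry(wrongKey, a).then(() => false, () => true);
  const raw = unb64(a.ciphertext);
  raw[0] ^= 1; // flip one bit of the stored ciphertext
  const tamperRejected = await decryptEntry(key, { iv: a.iv, ciphertext: b64(raw) }).then(() => false, () => true);
  return { roundTrip, ivsDiffer: a.iv !== b.iv, ciphertextsDiffer: a.ciphertext !== b.ciphertext, wrongRejected, tamperRejected };
}

demo().then((result) => console.log(result));
```

AES-GCM authenticates the ciphertext, so a wrong passphrase or a modified stored record makes decryption reject instead of returning garbage.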

What this tool does

This is a password vault that runs entirely in your browser. You set one master passphrase, and the tool derives an encryption key from it (PBKDF2) and encrypts every entry with AES-GCM before storing it in your browser's local storage. Without your passphrase the stored data is just unreadable ciphertext.

How to use it

  1. Choose a strong master passphrase you'll remember — it's the one key to everything inside.
  2. Add your entries; each is encrypted locally as you save it.
  3. Lock the vault when you step away, and use the encrypted export to keep a backup somewhere safe.

Local-only: the trade-off worth understanding

Because everything is encrypted and stored on your own device, nothing is ever uploaded — there's no server holding your passwords, and so no company that can be breached to leak them. The flip side is the honest part: the vault lives in this browser on this device. There is no cross-device sync and no cloud backup. If you clear your browser storage or lose the device without an export, the vault is gone — we can't recover it, because we never had it. That's exactly why the encrypted export exists: use it.

Twenty years in IT support taught me how people really store passwords when no one is looking, and it isn't a password manager. It was a spreadsheet literally named passwords.xlsx, or a phone note, or a sticky pad under the keyboard — all in plain text, all one lost laptop away from disaster. A cloud password manager fixes that but asks you to trust a third party with the lot. A local encrypted vault like this sits at the other end of that trade-off: nobody else holds your data, but you're responsible for the backup. Neither is "right" for everyone — what's never right is the plain-text spreadsheet.

— Hill, 20 years in IT support

Encryption happens in your browser, and your master passphrase is never stored and never leaves your device. The data stays local — there is no sync and no upload.

Frequently asked questions

Where is my vault stored?

Encrypted, in this browser's local storage on this device. It's never uploaded — there's no server copy of your passwords.

Can you recover my master passphrase?

No. We never see or store it, so we can't reset or recover it. If you forget it, the encrypted data can't be unlocked — choose a passphrase you'll remember and keep a backup.

Does the vault sync to my other devices?

No. It's local to this browser and device, with no cloud sync. To use it elsewhere or guard against losing the device, use the encrypted export to move or back up your vault.

Is this safer than a cloud password manager?

It's a different trade-off. Local-only means no third party holds your data and there's nothing central to breach — but you're responsible for backups, and there's no sync. A reputable cloud manager adds convenience and sync at the cost of trusting a provider. Both beat a plain-text file.
