28 Apr 2026

Welcome to SecureVault

A short note on why this exists and how it's different from the password manager you already use.

I built SecureVault as the password manager I wished existed: small, auditable, and fully under my control.

What’s special

The encryption is client-side. Your master password derives an AES-256 key on your device using PBKDF2-SHA256 with 600,000 iterations (the OWASP 2023 minimum). The server stores only:

  1. A bcrypt hash of your master password — used to authenticate you; it can’t decrypt anything
  2. Your PBKDF2 salt — not secret, just needed to re-derive the key
  3. The encrypted ciphertext of your vault entries

If the server is compromised, attackers walk away with blobs they can’t read.

Why “self-hosted” matters

Most password managers ship a SaaS account model. Even ones with E2E encryption are still operationally trusting their CDN, their build pipeline, and their runtime. SecureVault flips that: the binary you run is the source you read, on hardware you control.

What’s next

  • Native iOS app
  • Browser extension (autofill + capture)
  • Bulk import from Bitwarden / 1Password / KeePass
  • True offline-first with cross-device sync
  • Breach detection (Have I Been Pwned k-anonymity API)

If you want to follow along, the code is on GitHub.