I built a zero-knowledge encrypted secrets manager as a solo developer — launching next week

CryptVault — Sun, 29 Mar 2026 06:11:25 +0000

Hey IH! I'm Ali, a solo developer, and I just finished building CryptVault — an end-to-end encrypted secrets manager where no one (not even me) can access your data.

Why I built this

I've been using password managers for years, but something always bothered me:

Most popular ones had data breaches (LastPass, anyone?)
The "trust us, your data is safe" model felt wrong
Affordable options were either too basic or not truly encrypted
None of them let me control where my encrypted data is stored

So I decided to build one myself — with zero-knowledge architecture from day one. The server never sees your plaintext data. Period.

The tech behind it

This was the most fun (and challenging) part:

RSA-4096 for key wrapping — each user gets a unique keypair
AES-256-GCM for encrypting actual secrets — fast and authenticated
Argon2id for key derivation from your Master Password — resistant to GPU/ASIC attacks
Two-layer authentication: Account login (email + password → JWT) and Vault unlock (Master Password → decrypts your private key in memory)

Your Master Password never leaves your device. It derives the key that decrypts your RSA private key, which then decrypts your secrets. If you forget it, even I can't help you — that's the point.

For recovery, I implemented a 13-word BIP-39 mnemonic (similar to crypto wallets). You get it once when you create your vault.

What it does

Store passwords, API keys, SSH keys, notes, cards, emails
Built-in TOTP Authenticator — no separate 2FA app needed
Password Health Analysis — flags weak, reused, and aging passwords
Dark Web Monitoring — alerts when your credentials appear in breaches
Bring-Your-Own-Storage (BYOS) — connect your Google Drive for encrypted backups you control
Full English + Arabic support with RTL layout

Stack

Frontend: React 19 + Vite 7 + Tailwind CSS
Backend: Express 5 + Prisma 7 + PostgreSQL
Deployment: Docker on a VPS, Cloudflare for DNS/CDN
Payments: Stripe Billing

Business model

Simple and transparent:

Free: 20 secrets, 5 categories, built-in TOTP
PRO: $1.99/mo — unlimited secrets, dark web monitoring, BYOS, export/import

I wanted PRO to be affordable enough that it's a no-brainer if you use the free tier and want more.

Challenges I faced

Encryption complexity: Getting RSA + AES + Argon2id to work together seamlessly across client and server took weeks of iteration. Key management is hard.
Zero-knowledge trade-offs: When you can't read user data, you can't offer "forgot password" recovery the normal way. The BIP-39 recovery key was my solution.
Solo developer bandwidth: Building frontend, backend, encryption layer, admin panel, payment integration, and landing page alone is... a lot. But also incredibly rewarding.

What's next

Launching on Product Hunt on March 31 (Tuesday). After that:

Browser extension for auto-fill
Mobile app
More BYOS providers (Dropbox, OneDrive)
Team/organization vaults
Self-hosted option

Try it out

The app is live at cryptvault.app. Free tier available — no credit card required.

I'd love to hear your thoughts, feedback, or questions about the architecture. Happy to go deep on the encryption design if anyone's curious!

Forem: CryptVault