- 🔒 End-to-end encryption - Your secrets are encrypted on the client side, server never sees plaintext
- 👥 Team collaboration - Share encrypted secrets with team members via secure invitations
- 📝 Version history - Track all changes to your secrets with full version control
- 🔄 GitHub integration - Sync secrets directly to your GitHub repositories
- 🎨 Modern UI - Beautiful, responsive interface built with React
- 🚀 Real-time updates - See changes instantly with SSE support
- 🔑 Multiple auth options - Login with Google, GitHub, or local development mode
- 📦 Project organization - Organize secrets by projects for better management
Upon account creation, an asymmetric RSA-OAEP key pair is generated client-side within the user's browser. This key pair forms the foundation of the user's cryptographic identity within the system.
The generated private key is encrypted using a user-provided passphrase before any storage operations occur. This ensures that the private key remains protected even when stored on the server infrastructure.
To enable cross-device access, the encrypted private key is stored on the server. During authentication from a new device, the encrypted private key is retrieved and decrypted locally using the user's passphrase. The server never has access to the unencrypted private key or the passphrase.
When a new project is created, a random symmetric encryption key is generated client-side. This project-specific key is then encrypted using the user's public key and stored alongside the encrypted project content. All project secrets are encrypted and decrypted with this symmetric key, which keeps bulk encryption fast while the key itself stays protected by the user's asymmetric key pair.
The project sharing mechanism employs a temporary asymmetric key pair to facilitate secure transfer:
- A temporary RSA-OAEP key pair is generated for the invitation
- The project's symmetric key is encrypted using the temporary public key
- An invitation-specific code is used to encrypt the temporary private key
- When a recipient claims the invitation, they provide the invitation code to decrypt the temporary private key
- The temporary private key is used to decrypt the project's symmetric key
- Finally, the project key is re-encrypted using the recipient's public key
When inviting an existing account directly, the process is streamlined as the recipient's public key is already available:
- The project's symmetric key is encrypted directly using the recipient's stored public key
- A new encrypted project key version is created for the recipient
- No invitation code is required as the recipient can immediately decrypt using their private key
- The recipient gains instant access to the project upon invitation acceptance
This cryptographic workflow ensures end-to-end encryption throughout the entire project lifecycle, maintaining zero-knowledge architecture where the server cannot access plaintext data at any point.
Get up and running in one command:
`make local`

This will:
- Install all dependencies (npm + pnpm)
- Set up environment files automatically
- Start MongoDB in Docker (port 2137)
- Launch backend on http://localhost:3000
- Launch frontend on http://localhost:5173
Note: Local development mode includes simplified authentication - just enter any email to log in!
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License.
