VaultMesh is a decentralized, end-to-end encrypted password manager. No cloud. No account. No server ever sees your data.
Every architectural decision was made to ensure that your credentials remain private — from the cipher used to how devices talk to each other.
No server — including the optional relay — ever sees plaintext data. Encryption and decryption happen exclusively on your device using keys that never leave it.
Your vault lives on your device in an SQLCipher-encrypted database. VaultMesh is fully functional offline — sync is a convenience, not a requirement.
Argon2id key derivation (256 MB memory), XChaCha20-Poly1305 symmetric encryption, X25519 key exchange, and Ed25519 signatures — auditable, proven algorithms.
Sync over your local network using libp2p mDNS — no internet required. For remote sync across NAT, an optional self-hosted relay forwards only encrypted payloads.
Every line of code is on GitHub. No black boxes — the security model is fully auditable. Contributions and third-party audits are welcome.
Hybrid Logical Clock + Version Vectors ensure concurrent edits across devices merge deterministically — no data loss, no sync conflicts, ever.
A native desktop app (Tauri) for Windows, macOS, and Linux, plus browser extensions for Chrome and Firefox that auto-fill credentials on any site.
Grant AI agents controlled, audited access to specific vault entries via MCP or JSON-RPC. Whitelist by category or tag with per-session rate limits and an immutable audit log.
SPAKE2 password-authenticated key exchange with Short Authentication String verification ensures only your physical devices can join your sync domain — no shared secrets transmitted.
Getting started takes less than two minutes. Your master password never leaves your device.
Install VaultMesh and set a strong master password. A vault key is derived locally using Argon2id — nothing is sent anywhere.
Import from other password managers or add entries manually. Every field is encrypted before touching disk.
The browser extension communicates with the desktop app via native messaging. Auto-fill works on any website with a single click.
Scan a QR code or enter a pairing code on another device. Sync begins automatically over LAN — or via relay for remote devices.
All builds are free. Checksums and signatures are published alongside each release.
Native Tauri application. Manages your vault, runs the sync engine, and bridges browser extensions.
Auto-fill passwords on any website. Requires the desktop app to be running.
Headless vault management for power users and scripts. Supports all core operations without a GUI.
Self-Host
The relay is a lightweight, stateless forwarder for NAT traversal. It never touches your plaintext data. Deploy it on any VPS in minutes using a single binary or Docker.