Introduction
open-secret is a password manager you host yourself. It stores logins, cards, identities, TOTP secrets, SSH keys, passkeys, notes, and more, and fills them on the web through a browser extension. Unlike a hosted password manager, the server it talks to is deliberately blind. It keeps only ciphertext and public keys.
How it differs from a hosted manager
In a typical cloud password manager, the provider holds a vault protected by a master password they help you reset. open-secret removes the provider from the trust boundary entirely:
- Your secrets are encrypted on your device, for your devices, before upload. The server stores per-device ciphertext it cannot read.
- You log in by proving possession of a per-device signing key, not by sending a password. The server stores only your public keys.
- There is no master password on the server and no server-side reset. Recovery comes from another device you control, or from an operator-held backup key, never from the server's own knowledge.
Who it's for
- Self-hosters and small teams who want a credential manager whose server compromise does not equal a vault compromise.
- Operators who are comfortable running a single Go binary over SQLite and managing their own backups.
- Anyone who wants entries that are post-quantum-encrypted today, not "someday."
The trade-off, stated plainly
Zero server-side trust has a cost: recovery can't come from the server, because the server never had your keys. So open-secret makes you set up recovery yourself. The only way to be locked out is to lose every recovery factor at once.
At first run the web app has you download an encrypted backup file of your keys (protected by a passphrase only you know). That file, any other paired device, and the optional operator backup are three independent ways back in; you need only one. You lose the vault only if you lose all of them: every device, the backup file or its passphrase, and the operator backup (if any). See Backing up & recovering.
The pieces
open-secret is a small monorepo. As a user or operator you mostly touch the first three:
| Component | What it is |
|---|---|
| Backend | A Go + Connect-RPC server over SQLite. Stores ciphertext and public keys, and issues stateless session tokens it validates cryptographically rather than storing. The only thing you deploy. |
| Web app | A SvelteKit single-page app. Sign up, unlock, and manage entries in the browser. |
| Browser extension | Chrome / Edge (Manifest V3). Autofill, save prompts, password generation, and passkeys, paired to the web app. |
| Shared library | The TypeScript crypto + protocol core used by both frontends. Not something you run directly. |
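The two backend behaviours described above, login by proving possession of a per-device signing key and stateless session tokens the server validates rather than stores, are sketched below as an added Go example. It is illustrative code written for this page, not open-secret's own protocol or API: the Ed25519 challenge-response, the token layout (`deviceID|expiry` with an HMAC-SHA256 tag) and the `Server` type are all assumptions. Note what the server holds: public keys, one-shot challenges, and its own token key, never a user's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Server models a blind backend (hypothetical, not the project's type): it
// stores device public keys and its own HMAC key, never user secrets.
type Server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte // pending nonce per device, single use
	tokenKey   []byte            // server-side key for stateless session tokens
	now        func() time.Time  // injectable clock so expiry can be tested
}

func NewServer() *Server {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, key, time.Now}
}

// RegisterDevice stores a device's public key, the only key material the
// server ever receives. '|' is rejected because it delimits the token payload.
func (s *Server) RegisterDevice(deviceID string, pub ed25519.PublicKey) error {
	if strings.Contains(deviceID, "|") || len(pub) != ed25519.PublicKeySize {
		return errors.New("invalid device id or key")
	}
	s.devices[deviceID] = pub
	return nil
}

// Challenge hands the device a fresh random nonce to sign.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[deviceID] = nonce
	return nonce, nil
}

// Login checks the signature over the pending nonce against the stored public
// key. The nonce is consumed first, so a replayed signature cannot succeed.
func (s *Server) Login(deviceID string, sig []byte) (string, error) {
	nonce, ok := s.challenges[deviceID]
	if !ok {
		return "", errors.New("no pending challenge")
	}
	delete(s.challenges, deviceID)
	if !ed25519.Verify(s.devices[deviceID], nonce, sig) {
		return "", errors.New("bad signature")
	}
	return s.issueToken(deviceID, s.now().Add(15*time.Minute)), nil
}

// issueToken builds "<b64 payload>.<b64 tag>" with payload "deviceID|unixExpiry"
// and tag = HMAC-SHA256(tokenKey, payload). No session row is written anywhere.
func (s *Server) issueToken(deviceID string, exp time.Time) string {
	payload := []byte(deviceID + "|" + strconv.FormatInt(exp.Unix(), 10))
	mac := hmac.New(sha256.New, s.tokenKey)
	mac.Write(payload)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(payload) + "." + enc(mac.Sum(nil))
}

// ValidateToken recomputes the tag in constant time, then checks expiry and
// that the device is still registered. Returns the device ID on success.
func (s *Server) ValidateToken(token string) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	tag, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, s.tokenKey)
	mac.Write(payload)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return "", errors.New("bad token tag")
	}
	fields := strings.SplitN(string(payload), "|", 2)
	exp, err := strconv.ParseInt(fields[len(fields)-1], 10, 64)
	if len(fields) != 2 || err != nil {
		return "", errors.New("malformed payload")
	}
	if s.now().Unix() >= exp {
		return "", errors.New("token expired")
	}
	if _, ok := s.devices[fields[0]]; !ok {
		return "", errors.New("unknown device")
	}
	return fields[0], nil
}

func main() {
	// Client side: the device generates its keypair and keeps the private half.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	_ = srv.RegisterDevice("laptop", pub)
	nonce, _ := srv.Challenge("laptop")
	token, err := srv.Login("laptop", ed25519.Sign(priv, nonce))
	fmt.Println("login ok:", err == nil)
	id, err := srv.ValidateToken(token)
	fmt.Println("session device:", id, "err:", err)
}
```

The design point worth noticing is what a database dump of this server yields an attacker: public keys (useless for login without the private half) and an HMAC key that only mints sessions on this server, never vault plaintext. Revoking a device means deleting its public key, which invalidates its tokens at the next `ValidateToken` call without any session table.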
The next page defines the vocabulary: Key concepts.