
Why We're Building VaultKeepR — Our Vision for Password Security

Tags: privacy, decentralized, password-manager

Why We're Building VaultKeepR

Every project starts with a frustration. Ours started with a question: why does every password manager require you to trust a company with your most sensitive data?

The Moment It Clicked

The LastPass breach of 2022-2023 was a wake-up call for the entire security industry. Not because the encryption was broken — it wasn't. But because millions of encrypted vaults were stolen from centralized servers, and users with weak master passwords became sitting targets for offline brute-force attacks.

The security community's response was predictable: "Use a stronger master password." "Enable 2FA." "Switch to [competitor]."

But we asked a different question: Why were all those vaults stored in one place to begin with?

The Core Insight

Every major password manager — LastPass, 1Password, Bitwarden, Dashlane — uses the same fundamental architecture: encrypt client-side, store on company servers. It's a solid model, but it creates an inherent trade-off:

Strong encryption ──────────────── Centralized storage
        ↕                                   ↕
Your side is secure                 Their side is a target

The encryption might be perfect. But the availability, persistence, and control of your vault depend entirely on a company's infrastructure, policies, and continued existence.

We thought: what if we could keep the strong encryption but remove the centralized storage? What if your vault lived on a protocol, not a server?

The Three Pillars

VaultKeepR was designed around three principles:

1. Zero-Knowledge (For Real)

"Zero-knowledge" is marketing for most password managers. Yes, they encrypt client-side. But they still:

  • Require your email (identity)
  • Store your encrypted vault (target)
  • Control your recovery mechanism (access)
  • Know when and how often you sync (metadata)

VaultKeepR's zero-knowledge extends beyond encryption:

  • No email required — wallet address is your identity
  • No centralized vault storage — IPFS is your backend
  • No company-controlled recovery — Shamir fragments, you distribute them
  • Minimal metadata — we store only wallet address → CID mapping

2. Self-Sovereignty

Your passwords are yours. This means:

  • You control the encryption keys — derived from your master password + wallet
  • You control the vault location — IPFS, pinned by you if you want
  • You control recovery — Shamir shares, distributed by you
  • You can leave — export to CSV/JSON anytime, no lock-in

The trade-off is responsibility. If you lose your master password and your wallet and your Shamir shares, no one can help you. This is by design.

3. Cryptographic Trust, Not Corporate Trust

Traditional password managers ask you to trust their:

  • Server security
  • Employee access controls
  • Data handling policies
  • Legal compliance in their jurisdiction
  • Business continuity plans

VaultKeepR asks you to trust:

  • XChaCha20-Poly1305 (proven, open-standard cipher)
  • Argon2id (PHC winner, academic consensus)
  • IPFS (open protocol, content-addressed)
  • EIP-191 (Ethereum standard, widely implemented)

We believe mathematics and open protocols are more reliable trust anchors than corporate promises.

What We've Built

The Stack

Component       | Technology                       | Why
----------------|----------------------------------|------------------------------------------------
Encryption      | XChaCha20-Poly1305 + Argon2id    | State-of-the-art, constant-time, memory-hard
Storage         | IPFS via Storacha                | Decentralized, content-addressed, persistent
Authentication  | EIP-191 wallet signatures        | Cryptographic proof, no shared secrets
Recovery        | Shamir Secret Sharing (3-of-5)   | Distributed trust, no single point of failure
TOTP            | RFC 6238 implementation          | Standards-compliant 2FA
Email aliases   | @vaultkeepr.xyz forwarding       | Privacy-preserving identity

The Platforms

  • Web App — Full vault management at app.vaultkeepr.xyz
  • Chrome Extension — Autofill, auto-save, quick access
  • iOS App — Native SwiftUI with AutoFill integration
  • Core Library — Open-source @vault-keeper/core for cryptographic operations

Where We're Going

Short-Term (Next 3 Months)

  • Firefox extension — Second browser platform
  • Android app — Native Kotlin implementation
  • Third-party security audit — Formal verification of cryptographic implementation
  • Passkey support — FIDO2/WebAuthn alongside wallet auth

Medium-Term (6-12 Months)

  • Team vaults — Shared encrypted storage with role-based access
  • Hardware wallet integration — Ledger/Trezor for key signing
  • Zero-knowledge proofs — For selective credential sharing

Long-Term (Vision)

We believe the future of personal data management is:

  • Decentralized — No company controls your data
  • Interoperable — Open protocols, not proprietary ecosystems
  • User-sovereign — You own and control everything
  • Provably secure — Verified by math and open-source code, not trust

VaultKeepR is a password manager today. Tomorrow, it could be the foundation for how you manage all of your digital identity.

Join Us

VaultKeepR is in active development. The core product is live, and we're building in public. You can:

  • Try VaultKeepR — Free to use at vaultkeepr.xyz
  • Read the code — Core crypto library is open-source on GitHub
  • Join the conversation — Follow us on X for updates
  • Join our community — Connect on Telegram for discussions

We're building the password manager we wished existed. No compromises on privacy. No compromises on security. No compromises on ownership.

Welcome to VaultKeepR. Your keys. Your vault. Your rules.
