An open API service indexing awesome lists of open source software.

https://github.com/pinkpixel-dev/keyper

๐Ÿ” A self-hosted credential manager with zero-knowledge encryption, multi-user support, and emergency recovery. Store API keys, passwords, and secrets securely with your own Supabase database. Features AES-256-GCM encryption, Argon2 key derivation, PWA support, and professional-grade security architecture.
https://github.com/pinkpixel-dev/keyper

aes aes-encryption api-keys argon2 credential-manager credentials encryption end-to-end-encryption multi-user password-manager progressive-web-app pwa react secret-management security self-hosted supabase typescript vault zero-knowledge

Last synced: about 1 month ago
JSON representation

๐Ÿ” A self-hosted credential manager with zero-knowledge encryption, multi-user support, and emergency recovery. Store API keys, passwords, and secrets securely with your own Supabase database. Features AES-256-GCM encryption, Argon2 key derivation, PWA support, and professional-grade security architecture.

Awesome Lists containing this project

README

          

# ๐Ÿ” Keyper - Self-Hosted Credential Management

Keyper Logo

**โœจ Your Credentials. Your Security. Your Rules. โœจ**

[![Version](https://img.shields.io/npm/v/@pinkpixel/keyper?style=for-the-badge&color=06B6D4)](https://www.npmjs.com/package/@pinkpixel/keyper)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=for-the-badge)](LICENSE)
[![React](https://img.shields.io/badge/React-19.1-61DAFB?style=for-the-badge&logo=react)](https://reactjs.org/)
[![TypeScript](https://img.shields.io/badge/TypeScript-5.8-3178C6?style=for-the-badge&logo=typescript)](https://www.typescriptlang.org/)
[![Supabase](https://img.shields.io/badge/Supabase-Ready-3ECF8E?style=for-the-badge&logo=supabase)](https://supabase.com/)
[![SQLite](https://img.shields.io/badge/SQLite-Local--First-003B57?style=for-the-badge&logo=sqlite)](https://www.sqlite.org/)
[![Docker](https://img.shields.io/badge/Docker-Ready-2496ED?style=for-the-badge&logo=docker)](https://hub.docker.com/)
[![Electron](https://img.shields.io/badge/Electron-v33-47848F?style=for-the-badge&logo=electron)](https://www.electronjs.org/)
[![PWA](https://img.shields.io/badge/PWA-Enabled-5A0FC8?style=for-the-badge)](https://web.dev/progressive-web-apps/)

_A modern, secure, self-hosted credential management application for storing and organizing your digital credentials with complete privacy and control._

![Keyper Screenshot](./screenshots/screenshot-dashboard.png)

[๐Ÿš€ Quick Start](#-quick-start) โ€ข [๐Ÿ–ผ๏ธ Screenshots](#๏ธ-screenshots) โ€ข [๐Ÿ“ฆ Installation](#-installation) โ€ข [๐Ÿ—„๏ธ Setup](#๏ธ-database-setup) โ€ข [๐Ÿ“ฑ PWA](#-progressive-web-app) โ€ข [๐Ÿ”ง Troubleshooting](#-troubleshooting)

---

## ๐Ÿ“ฅ Download

Desktop installers are available on the **[Keyper website](https://keyper.icu/getting-started/install-and-run/)** or on the [GitHub releases page](https://github.com/pinkpixel-dev/keyper/releases).

Scroll down to see other installation options.

---

## ๐Ÿ–ผ๏ธ Screenshots

![Keyper Screenshot 1](./screenshots/screenshot1.png)

![Keyper Screenshot 2](./screenshots/screenshot2.png)

![Keyper Screenshot 3](./screenshots/screenshot3.png)

![Keyper Screenshot 4](./screenshots/screenshot4.png)

![Keyper Screenshot 5](./screenshots/screenshot5.png)

---

## ๐ŸŒŸ Features

### ๐Ÿ”’ **Secure Credential Storage**

- ๐Ÿ”‘ **API Keys** - Store and organize your API credentials
- ๐Ÿ” **Login Credentials** - Username/password combinations
- ๐Ÿคซ **Secrets** - Sensitive configuration values
- ๐ŸŽซ **Tokens** - Authentication and access tokens
- ๐Ÿ“œ **Certificates** - SSL certificates and keys
- ๐Ÿ“„ **Documents** - Secure file uploads for `.pdf`, `.doc`, `.docx`, `.odt`, `.txt`, `.md`
- ๐Ÿงฉ **Miscellaneous** - Large multiline secure notes/commands/scripts that donโ€™t fit fixed types

### ๐Ÿท๏ธ **Smart Organization**

- ๐Ÿ“‚ **Categories** - Group credentials by service or type
- ๐Ÿ”– **Tags** - Flexible labeling system
- โšก **Priority Levels** - Low, Medium, High, Critical
- ๐Ÿ“… **Expiration Tracking** - Never miss renewal dates
- ๐Ÿ” **Real-time Search** - Find credentials instantly
- ๐Ÿ‘๏ธ **Quick Reveal & Copy** - Reveal and copy sensitive values directly from the credential detail view
- ๐Ÿ‘๏ธ **Inline Text Document Preview** - Text-like document credentials (`.txt`, `.md`, `text/*`) can be previewed inline in credential detail view
- โฌ‡๏ธ **Secure Document Download** - All document credentials can be downloaded from detail view

### ๐Ÿ›ก๏ธ **Enterprise-Grade Security**

- ๐Ÿ”’ **Row Level Security (RLS)** - Database-level isolation
- ๐Ÿ” **End-to-End Encryption** - Client-side encryption, zero-knowledge architecture
- ๐Ÿ‘ค **Multi-User Support** - Self-service registration, account switching, and per-user vault isolation
- ๐ŸŒ **Secure Connections** - HTTPS/TLS encryption
- ๐Ÿ  **Self-Hosted** - Complete control over your data

### ๐Ÿ” **Advanced Encryption Features**

- **Zero-Knowledge Architecture** - All encryption happens client-side
- **AES-256-GCM Encryption** - Industry-standard authenticated encryption
- **Argon2id Key Derivation** - Memory-hard, ASIC-resistant (with PBKDF2 fallback)
- **Auto-Lock Protection** - 15-minute inactivity timeout with activity detection
- **Simplified Bcrypt Master Passphrase** - Secure bcrypt-only authentication for new users
- **Backwards Compatibility** - Legacy wrapped DEK system maintained for existing users
- **User-Controlled Reset** - Secure emergency passphrase reset without admin backdoors
- **Database-Only Storage** - No localStorage usage except for database config
- **Professional Security Audit** - EXCELLENT security rating

### ๐Ÿ“ฑ **Modern Experience**

- ๐ŸŒ™ **Dark Theme** - Easy on the eyes
- ๐Ÿ“ฑ **Responsive Design** - Works on all devices
- โšก **Progressive Web App** - Install like a native app
- ๐Ÿš€ **Fast Performance** - Built with Vite and React 19
- ๐ŸŽจ **Beautiful UI** - Modern glassmorphism design

---

## ๐Ÿš€ Quick Start

Get Keyper running on your own infrastructure in under 5 minutes!

### Prerequisites

- **Node.js 18+** installed on your system
- **Database (choose one)**:
- ๐Ÿ—„๏ธ **SQLite (local mode)** โ€” no account or server required, zero configuration, works in browser and Electron desktop
- โ˜๏ธ **Supabase** โ€” free tier works perfectly for hosted/remote/multi-device usage
- **Modern web browser** (Chrome, Firefox, Safari, Edge)

### โšก 1-Minute Installation

```bash
# Install Keyper globally
npm install -g @pinkpixel/keyper

# Start the server (default port 4173)
keyper

# Or start with custom port
keyper --port 3000

# Open in your browser
# ๐ŸŒ http://localhost:4173 (or your custom port)
```

**That's it!** ๐ŸŽ‰ Follow the in-app setup wizard to configure your database (choose **SQLite** for zero-config local storage, or **Supabase** for hosted cloud storage).

### ๐ŸŒ Try the Demo

**Want to try Keyper before installing?** Visit our hosted demo:

**๐Ÿ”—** [**app.keyper.icu**](https://app.keyper.icu)

Just enter your own Supabase credentials and start managing your encrypted credentials instantly! Your data stays completely private since all encryption happens in your browser.

**Demo Usage:**

- โœ… **Completely Secure** - Zero-knowledge architecture means your data never leaves your browser
- โœ… **Real Functionality** - Full Keyper experience with your own Supabase instance
- โœ… **No External Signup Required** - Just bring your Supabase URL and anon/publishable key
- โœ… **In-App User Registration Available** - Create multiple isolated user vaults directly inside Keyper
- โš ๏ธ **Demo Limitations** - Recommended for testing and light usage only
- ๐Ÿ  **Self-Host for Production** - Install locally for best performance and full control

_Note: The demo uses the same secure architecture as self-hosted Keyper. Your Supabase credentials are stored only in your browser's localStorage and never transmitted to our servers._

---

## ๐Ÿ“ฆ Installation

### Method 1: Global NPM Installation (Recommended)

```bash
npm install -g @pinkpixel/keyper
```

**Available Commands:**

- `keyper` - Start Keyper server
- `keyper --port 3000` - Start on custom port
- `keyper --help` - Show help and usage
- `credential-manager` - Alternative command
- `keyper-dashboard` - Another alternative

### Method 2: NPX (No Installation Required)

```bash
npx @pinkpixel/keyper
```

### Method 3: Local Development

```bash
git clone https://github.com/pinkpixel-dev/keyper.git
cd keyper
npm install
npm run build
npm start
```

### Method 4: ๐Ÿณ Docker

Run Keyper as a containerised web app โ€” no Node.js required on the host!

**Quick Start (Docker Hub)**
```bash
docker run -d -p 8080:80 --name keyper --restart unless-stopped pinkpixeldev/keyper:latest
```

**Build Locally (Docker Compose)**
```bash
# Clone the repo
git clone https://github.com/pinkpixel-dev/keyper.git
cd keyper

# Build & start (serves on http://localhost:8080)
docker compose up -d

# Or on a custom port
HOST_PORT=3030 docker compose up -d

# Force rebuild after source changes
docker compose up -d --build

# Stop
docker compose down

# Follow logs
docker compose logs -f
```

> **Note:** Keyper stores all configuration (Supabase credentials or SQLite provider selection) in browser `localStorage` โ€” no environment variables or volumes are required.

### Method 5: โšก Electron Desktop App

Run Keyper as a native desktop app on **Windows or Linux**!

#### Published desktop downloads

| Platform | Package | Download |
| --------------------- | -------------------- | ---------------------------------------------------------------------------------------------------- |
| Windows | NSIS installer | [Keyper.Setup.v1.1.4-win-x64.exe](https://pub-da847cd0fc1045b3a5a7fcc39a3be134.r2.dev/Keyper.Setup.v1.1.4-win-x64.exe) |
| Linux | AppImage (ARM64) | [Keyper-1.1.4-arm64.AppImage](https://pub-da847cd0fc1045b3a5a7fcc39a3be134.r2.dev/Keyper-1.1.4-arm64.AppImage) |
| Linux | AppImage (AMD64) | [Keyper-1.1.4-x86_64.AppImage](https://pub-da847cd0fc1045b3a5a7fcc39a3be134.r2.dev/Keyper-1.1.4-x86_64.AppImage) |
| Linux (Debian/Ubuntu) | `.deb` (x86_64) | [keyper_1.1.4_amd64.deb](https://pub-da847cd0fc1045b3a5a7fcc39a3be134.r2.dev/keyper_1.1.4_amd64.deb) |
| Linux (Debian/Ubuntu) | `.deb` (ARM64) | [keyper_1.1.4_arm64.deb](https://pub-da847cd0fc1045b3a5a7fcc39a3be134.r2.dev/keyper_1.1.4_arm64.deb) |

#### Preview (no packaging)

```bash
git clone https://github.com/pinkpixel-dev/keyper.git
cd keyper
npm install
npm run electron:preview
```

#### Build a distributable installer

```bash
# desktop packaging from source
npm run electron:build:linux # AppImage + deb
npm run electron:build:win # NSIS installer
```

Installers are output to `dist-electron/`.

---

## ๐Ÿ—„๏ธ Database Setup

Keyper supports two database backends โ€” choose the one that fits your workflow:

| Feature | SQLite (Local) | Supabase (Cloud) |
| ------------------------- | ---------------------------------------------------------------------- | ----------------------------- |
| Setup required | None โ€” auto-configured | Project creation + SQL script |
| Internet connection | โŒ Not required | โœ… Required |
| Multi-device sync | โŒ Not supported | โœ… Supported |
| Works in browser/PWA | โœ… Yes | โœ… Yes |
| Works in Electron desktop | โœ… Yes | โœ… Yes |
| Data location | Your device (IndexedDB in browser/PWA, optional file path in Electron) | Your Supabase project |

### Option A: SQLite (Local โ€” Zero Config)

1. Start Keyper and open the app in your browser, PWA, or Electron desktop build
2. In the setup wizard, select **"SQLite (Local)"** as your database provider
3. **Master Passphrase**: Create your encryption passphrase
4. **Start Managing**: Add your first encrypted credential! ๐ŸŽ‰

> SQLite mode stores your encrypted vault locally with no external service required. In browser/PWA mode it uses **IndexedDB** automatically; in Electron you can also point Keyper at a SQLite file on disk.

### Option B: Supabase (Hosted Cloud)

#### Step 1: Create Your Supabase Project

1. Visit [supabase.com](https://supabase.com) and sign up/login
2. Click **"New Project"**
3. Configure your project:
- **Name**: `keyper-db` (or your preference)
- **Database Password**: Generate a strong password
- **Region**: Choose closest to your location

4. Wait 1-2 minutes for setup completion

#### Step 2: Get Your Credentials

1. In Supabase dashboard: **Settings** โ†’ **API**
2. Copy these values:
- **Project URL**: `https://your-project.supabase.co`
- **anon/public key**: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...`

โš ๏ธ **Important**: Use the **anon/public** key, NOT the service_role key!

#### Step 3: Configure Keyper

1. Start Keyper: `keyper`
2. Open [http://localhost:4173](http://localhost:4173)
3. **Database Setup**: Configure your Supabase connection
- Enter your Supabase URL and anon/publishable key
- Copy and run the complete SQL setup script in Supabase SQL Editor
- If you already have an existing Keyper database, run the update script too (`migration-add-document-misc-types.sql`) so `document` and `misc` credential types work
- The script creates tables with the latest security features:
- `raw_dek` and `bcrypt_hash` columns for the new simplified security model
- Backwards compatibility for existing users with legacy `wrapped_dek` system
- Latest credential type support (`api_key`, `login`, `secret`, `token`, `certificate`, `document`, `misc`)
- Test the connection

4. **Master Passphrase**: Create your encryption passphrase
- Choose a strong passphrase (8+ characters recommended)
- New users get the simplified bcrypt-only authentication system
- This encrypts all your credentials client-side with secure emergency reset capabilities

5. **Start Managing**: Add your first encrypted credential! ๐ŸŽ‰

---

## ๐Ÿ“ฑ Progressive Web App

Keyper works as a Progressive Web App for a native app experience!

### ๐Ÿ–ฅ๏ธ Desktop Installation

1. Open Keyper in Chrome/Edge/Firefox
2. Look for the install icon in the address bar
3. Click to install as a desktop app
4. Access from your applications menu

### ๐Ÿ“ฑ Mobile Installation

1. Open Keyper in your mobile browser
2. Tap the browser menu (โ‹ฎ)
3. Select **"Add to Home Screen"** or **"Install App"**
4. Access from your home screen

### โœจ PWA Benefits

- ๐Ÿ“ฑ Native app experience
- ๐Ÿš€ Faster loading times
- ๐ŸŒ Offline functionality
- ๐Ÿ”„ Background updates
- ๐Ÿ“ฒ Push notifications (coming soon)

---

## ๐Ÿ”ง Troubleshooting

### Common Issues

**โŒ "Connection failed: Database connection failed"**

- Verify URL format - now supports any valid HTTP/HTTPS URL (v1.0.6+)
- โœ… Cloud: `https://your-project.supabase.co`
- โœ… Local: `http://localhost:54321`, `http://192.168.1.100:8000`
- โœ… Custom: `https://supabase.mydomain.com`
- Use **anon/public** key, not service_role
- Check that your Supabase project is active

**โŒ "relation 'credentials' does not exist"**

- Run the complete SQL setup script in Supabase SQL Editor
- Ensure the script completed without errors

**โŒ New `document` or `misc` credentials fail to save**

- Run the existing-database update script: `migration-add-document-misc-types.sql`
- Confirm `credentials_credential_type_check` includes `document` and `misc`

**โŒ Dashboard shows "No credentials found"**

- Click **"Refresh App"** button
- Clear browser cache and reload
- For PWA: Uninstall and reinstall the app

**โŒ Can't enter new credentials after clearing configuration**

- Refresh the page after clearing configuration
- Ensure you're using a valid HTTP/HTTPS URL (any format supported in v1.0.6+)
- Try clearing browser cache if form inputs appear stuck

**โŒ Categories dropdown is empty when using custom username**

- This issue has been resolved in the latest version
- Categories should now appear for all usernames (both default and custom)
- If still experiencing issues, try refreshing the page after setting your username

**โŒ App doesn't show setup wizard after clearing database**

- Clear browser cache and cookies for the site
- For Chrome/Edge: Settings โ†’ Privacy โ†’ Clear browsing data โ†’ Cookies and cached files
- For Firefox: Settings โ†’ Privacy โ†’ Clear Data โ†’ Cookies and Site Data + Cached Web Content
- Refresh the page to see the initial setup screen

**โŒ Stuck in configuration loops or can't access settings**

- Clear browser cache and localStorage completely
- Refresh the page and reconfigure your database connection
- Ensure your Supabase credentials are correct
- Use the built-in database health checks to verify table integrity

**โŒ Multi-user vault conflicts**

- Each user has their own isolated encrypted vault
- Use **Dashboard Settings โ†’ User Management** to switch users
- Use **Create New User** from the lock screen or **Add New User** in user management
- Refresh after user-switch actions if prompted for the cleanest vault context handoff
- Each user's data is completely separate and encrypted individually

### ๐Ÿ”‘ Master Passphrase Reset

**Forgot your master passphrase?** No problem! Your encrypted data is completely safe and you can securely reset your passphrase:

**Important**: It's not possible to _view_ your current master passphrase, but you can _update/change_ it using our secure bcrypt-based reset system.

๐Ÿ“– **Complete Reset Guide**: For detailed step-by-step instructions, see our comprehensive [Emergency Passphrase Reset Guide](./docs/EMERGENCY_PASSPHRASE_RESET.md)

**Quick Overview:**

**For Supabase users:**

1. Access your Supabase dashboard and navigate to the `vault_config` table
2. Generate a new bcrypt hash using your desired new passphrase
3. Replace the `bcrypt_hash` value in your database
4. Login with your new passphrase

**For SQLite (local) users:**

1. Open your browser's DevTools โ†’ Application โ†’ IndexedDB โ†’ find the Keyper database
2. Alternatively, use the in-app **Settings โ†’ Reset** tab for guided instructions
3. Generate a new bcrypt hash using your desired new passphrase
4. Replace the `bcrypt_hash` value in the `vault_config` table and reload

**Security Benefits:**

- โœ… **No Backdoors**: Complete elimination of admin override capabilities
- โœ… **User Control**: Only you can reset your own passphrase
- โœ… **Data Safety**: Your encrypted credentials remain completely safe
- โœ… **Industry Standard**: Uses proven bcrypt hashing technology
- โœ… **Zero Knowledge**: Hash-only storage ensures maximum security

### Getting Help

1. Check the [Self-Hosting Guide](SELF-HOSTING.md)
2. Review browser console for errors (F12 โ†’ Console)
3. Verify your database provider logs (Supabase dashboard โ†’ Logs, or browser DevTools โ†’ Console for SQLite errors)
4. Use the master passphrase reset process above for password issues
5. Report issues on [GitHub](https://github.com/pinkpixel-dev/keyper/issues)

---

---

## ๐Ÿ›ก๏ธ Security & Privacy

### Your Data, Your Control

- โœ… **Self-Hosted** - Run on your own infrastructure
- โœ… **Private Database** - Your Supabase instance or local SQLite storage
- โœ… **No Tracking** - Zero telemetry or analytics
- โœ… **Open Source** - Fully auditable code

### Security Features

- ๐Ÿ”’ **Row Level Security** - Database-level access control
- ๐Ÿ” **Encryption** - Data encrypted at rest and in transit
- ๐Ÿ‘ค **User Isolation** - Each user sees only their data
- ๐Ÿ›ก๏ธ **Offline-First Option** - SQLite mode requires no internet and stores data entirely on-device

### Multi-User Notes

- **Registration**: Users can self-register from the lock screen via **Create New User**; no admin account is required.
- **User Management**: Dashboard includes a **User Management** area that lists registered users and supports secure switching.
- **Isolation**: Every username has its own `vault_config`, passphrase verifier, encryption key material, credentials, and categories.
- **No Backdoors**: Switching users never bypasses passphrase verification, and there is no admin recovery path.
- **Reset Model**: Emergency passphrase reset remains self-service per user via that userโ€™s `bcrypt_hash` record.

---

## ๐Ÿš€ Tech Stack

- **Frontend**: React 19.1 + TypeScript
- **Build Tool**: Vite 7.0
- **Styling**: Tailwind CSS + shadcn/ui
- **Database**: Supabase (PostgreSQL + Auth) or SQLite (sql.js / IndexedDB)
- **State Management**: TanStack Query
- **Forms**: React Hook Form + Zod
- **PWA**: Vite PWA Plugin + Workbox

---

## ๐Ÿ“„ License

This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.

---

## ๐Ÿค Contributing

We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.

---

## Made with ๐Ÿ’–

**Created by Pink Pixel** โœจ
_Dream it, Pixel it_

- ๐ŸŒ **Website**: [pinkpixel.dev](https://pinkpixel.dev)
- ๐Ÿ“ง **Email**: [admin@pinkpixel.dev](mailto:admin@pinkpixel.dev)
- ๐Ÿ’ฌ **Discord**: @sizzlebop
- โ˜• **Support**: [Buy me a coffee](https://www.buymeacoffee.com/pinkpixel)

---

**โญ Star this repo if Keyper helps secure your digital life! โญ**