https://github.com/zanni098/hemdal
Hemdal - Secure cross-platform password, secret, and variable manager with P2P sync
- Host: GitHub
- URL: https://github.com/zanni098/hemdal
- Owner: zanni098
- Created: 2026-05-12T04:49:55.000Z (about 1 month ago)
- Default Branch: master
- Last Pushed: 2026-05-12T08:54:24.000Z (about 1 month ago)
- Last Synced: 2026-05-12T09:06:51.689Z (about 1 month ago)
- Language: TypeScript
- Homepage: https://hemdal-avob9mrsv-zanni098s-projects.vercel.app
- Size: 14 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Agents: AGENTS.md
README
# Hemdal
Hemdal is a secure, cross-platform password, secret, and environment variable manager with peer-to-peer sync. It stores your credentials with end-to-end encryption and autofills them into websites via a browser extension.
## Features
- **End-to-End Encryption**: All vault items are encrypted with AES-256-GCM. Your master password is never stored; a vault key is derived using Argon2id.
- **Zero-Knowledge Architecture**: Only encrypted blobs leave your device during sync.
- **Cross-Platform Desktop App**: Built with Tauri (Rust + React), running on Windows, macOS, and Linux.
- **Browser Autofill**: Chrome/Firefox extension detects login forms, fills credentials automatically, and offers to save new passwords.
- **Biometric Unlock**: Unlock your vault with Windows Hello (Touch ID / Face ID support coming soon).
- **TOTP / 2FA Code Generator**: Generate 6-digit 2FA codes from stored TOTP secrets with a live 30-second countdown.
- **Password Generator**: Built-in generator with configurable length, character types, and strength meter.
- **Password Breach Check**: Check passwords against the Have I Been Pwned database via its k-Anonymity API.
- **Fuzzy Search**: Quickly find items with fast substring scoring search.
- **Import / Export**: Import from Bitwarden JSON, 1Password CSV, or generic CSV. Export to encrypted JSON or CSV.
- **System Tray & Auto-Lock**: Minimize to tray, lock from tray menu, and auto-lock after 10 minutes of inactivity.
- **P2P Sync**: Synchronize your vault across devices on your local network without any cloud server (framework ready).
- **Multiple Secret Types**: Passwords, API keys, SSH keys, environment variables, secure notes, and credit cards.
## Architecture
```
hemdal/
├── apps/
│ ├── desktop/ # Tauri desktop application (React + Rust)
│ ├── extension/ # Browser extension (Chrome/Firefox MV3)
│ └── web/ # Marketing website (Next.js + Supabase)
├── packages/
│ ├── types/ # Shared TypeScript types
│ ├── crypto/ # Shared crypto utilities
│ └── protocol/ # P2P sync protocol definitions
```
### Security Model
1. **Master Password** -> Argon2id -> Master Key
2. **Master Key** -> Decrypts -> Vault Key (stored encrypted at rest)
3. **Vault Key** -> AES-256-GCM -> All vault items
The browser extension never stores your master password or vault key. It communicates with the desktop app via a local HTTP API (localhost:19421) only when the vault is unlocked.
### Biometric Unlock (Windows Hello)
When enabled, a random biometric key is generated and protected by Windows DPAPI. The vault key is encrypted with this biometric key and stored on disk. On unlock, the system prompts for Windows Hello verification, DPAPI decrypts the biometric key, which then decrypts the vault key. The master password is never stored.
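The key hierarchy from the Security Model and the biometric path above, as an added example that is not Hemdal's own code: one random vault key is wrapped once under the password-derived master key and once under a random biometric key. The function names, AAD labels and blob layout are assumptions, scrypt stands in for Argon2id (which `node:crypto` does not provide everywhere), and DPAPI protection of the biometric key is not modelled.

```javascript
// Added example; function names, AAD labels and blob layout are assumptions.
const crypto = require('node:crypto');

// AES-256-GCM: returns nonce(12) || tag(16) || ciphertext; aad labels the blob's role.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws when the key, the aad label or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Step 1: master password -> KDF -> master key (scrypt standing in for Argon2id).
// The key is recomputed on every unlock and never written to disk.
function deriveMasterKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 << 20 });
}

// Steps 2-3 plus the biometric path: one random vault key, wrapped twice.
function createVault(password) {
  const salt = crypto.randomBytes(16);
  const vaultKey = crypto.randomBytes(32);
  const biometricKey = crypto.randomBytes(32); // assumption: DPAPI would protect this key
  const onDisk = {
    salt,
    wrappedByMaster: seal(deriveMasterKey(password, salt), vaultKey, 'vk/master'),
    wrappedByBiometric: seal(biometricKey, vaultKey, 'vk/biometric'),
  };
  return { onDisk, vaultKey, biometricKey };
}

const unlockWithPassword = (onDisk, password) =>
  unseal(deriveMasterKey(password, onDisk.salt), onDisk.wrappedByMaster, 'vk/master');
const unlockWithBiometric = (onDisk, biometricKey) =>
  unseal(biometricKey, onDisk.wrappedByBiometric, 'vk/biometric');

// Changing the master password re-wraps 32 bytes; vault items are untouched.
function changePassword(onDisk, oldPw, newPw) {
  const vaultKey = unlockWithPassword(onDisk, oldPw);
  const salt = crypto.randomBytes(16);
  return { ...onDisk, salt, wrappedByMaster: seal(deriveMasterKey(newPw, salt), vaultKey, 'vk/master') };
}
```

Only `salt` and the two wrapped blobs are persisted; a wrong password or a blob swapped between the two slots fails the GCM tag check instead of yielding a wrong key.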
## Development
### Prerequisites
- [Rust](https://rustup.rs/)
- [Node.js](https://nodejs.org/) + [pnpm](https://pnpm.io/)
- [Tauri CLI](https://tauri.app/start/prerequisites/)
### Setup
```bash
# Install dependencies
pnpm install
# Build shared packages
pnpm build:desktop
pnpm build:extension
# Run the desktop app in dev mode
pnpm dev:desktop
# Build the browser extension
cd apps/extension
pnpm build
# Then load `apps/extension/dist` as an unpacked extension in Chrome
```
### Desktop App Commands
```bash
# Dev mode
pnpm dev:desktop
# Build for production
pnpm build:desktop
# Build Tauri binary (installers)
cd apps/desktop && pnpm tauri:build
```
### Browser Extension
1. Build the extension: `cd apps/extension && pnpm build`
2. Open Chrome and navigate to `chrome://extensions/`
3. Enable "Developer mode"
4. Click "Load unpacked" and select `apps/extension/dist`
5. The extension will show a checkmark badge when the Hemdal desktop app is running and the vault is unlocked
### Website (Next.js + Supabase)
The `apps/web` directory contains a beautiful marketing website built with Next.js, Tailwind CSS, Framer Motion, and Supabase.
**Features:**
- Animated landing page with Hero, Features, Use Cases, Security, Download, and Newsletter sections
- Supabase Auth (GitHub OAuth + Magic Link email)
- Authenticated account dashboard
- Contact / Newsletter API backend
- Auto-deploys to Vercel on every push to `master`
**Local Setup:**
1. Copy `apps/web/.env.example` to `apps/web/.env.local`
2. Add your Supabase project URL and anon key
3. Run the initial migration in `apps/web/supabase/migrations/001_initial.sql`
4. Enable GitHub OAuth provider in Supabase Auth settings
**Commands:**
```bash
# Dev mode
pnpm dev:web
# Build for production
pnpm build:web
```
**Deploy to Vercel (GitHub Actions):**
1. Install the Vercel CLI locally: `npm i -g vercel`
2. Login: `vercel login`
3. Link the project (from `apps/web`): `cd apps/web && vercel link`
4. Get your token: `vercel tokens create`
5. In your GitHub repo, go to **Settings > Secrets and variables > Actions** and add:
   - `VERCEL_TOKEN` — from step 4
   - `VERCEL_ORG_ID` — from `.vercel/project.json`
   - `VERCEL_PROJECT_ID` — from `.vercel/project.json`
   - `NEXT_PUBLIC_SUPABASE_URL` — your Supabase project URL
   - `NEXT_PUBLIC_SUPABASE_ANON_KEY` — your Supabase anon key
6. Push to `master` and the site will auto-deploy via `.github/workflows/deploy-web.yml`
## Roadmap
- [x] Core vault with AES-256-GCM encryption
- [x] Desktop app with React UI
- [x] Browser extension with form detection
- [x] Local HTTP API for extension communication
- [x] Browser extension save-new-credentials flow
- [x] TOTP code generation
- [x] Secure password generator
- [x] Import from 1Password / Bitwarden / CSV
- [x] Export to JSON / CSV
- [x] Fuzzy search
- [x] Password breach check via Have I Been Pwned
- [x] Biometric unlock (Windows Hello)
- [x] System tray with auto-lock
- [ ] Full native messaging host support
- [ ] iOS/Android app with native autofill
- [ ] P2P sync over mDNS / WebRTC
- [ ] Biometric unlock on macOS (Touch ID) and Linux
## License
MIT