Password manager + encrypted file vault

Passwords, files, and access codeson your device, not in the cloud

ChromVoid is a local password manager and encrypted file vault. No cloud account: data is encrypted on your device, and you keep the backup wherever it works for you.

Open-source core
No cloud account
Keys stay with you
Back up anywhere
Argon2id · BLAKE3 · ChaCha20-Poly1305 · no hidden sync or background data uploads
What you get

One local vault boundary for daily secrets
and situations where you may be forced to show data.

Store passwords, OTP, payment cards, wallet recovery data, SSH keys, private notes, and files in one local vault. Separate vaults can use different passwords, so opening one does not show the list or count of the others.

chromvoid/vault
vault unlocked
Passwords & OTP
GGitHubdev@chromvoid.com•••••••••
BBank Accountuser@bank.com••••••
TOTP code
137 839
Notes
Server root access procedure
  1. Connect via SSH
  2. Verify host key
  3. Elevate with sudo
  4. Check system status
#ops
Files
PDF
report.pdf
JPG
diagram.png
ZIP
backup.zip
TXT
keys.txt
CSV
credentials.csv
+
Upload
Payment cards
Card record
Visa • 4242
Number, PIN, CVV, and billing notes stay in the vault.
Crypto wallets

Seed phrases, recovery instructions, wallet files, and address notes.

seed · wallet · recovery
SSH keys

Private keys, passphrases, host notes, and deployment access data.

private key · passphrase
CHROMVOID · ACCESS TOPOLOGY

The phone is the core

Mobile-first. The local vault stays on the chosen device. Every other surface only requests access; none holds a vault of its own.

LOCAL
REMOTE · E2E-ENC
via desktop
via desktop
VAULT
● LOCKED
AES-256 · ON-DEVICE VAULT
PHONE + VAULT
MOBILE HOST · PRIMARY VAULT
BACKUP
encrypted copy
AUTOFILL · Mobile
LOCAL ACCESS · on-device
DESKTOP
REMOTE CONSUMER

No local vault. Pulls access from the phone over a remote channel, then serves its child surfaces.

BROWSER
via desktop

requests through the desktop surface

AUTOFILL · Desktop
via desktop

no direct line to the phone vault

LOCAL
REMOTE
via desktop
CHROMVOID· PORTABLE BACKUP

Your backup can live anywhere. Restoring always happens on a phone or desktop.

A ChromVoid backup is a sealed copy of your vault — not a second system core. Put it on a flash drive, NAS, external disk, or in the cloud: the medium only holds ciphertext, and a restore still passes through Core.

01

The medium doesn't have to be trusted

A cloud, disk, or flash drive never becomes part of the trusted system. It just stores an encrypted blob.

untrusted medium
02

The file is built to be copied

If a backup ends up with a third party, it stays an encrypted artifact. Resilience depends on master-password strength, key material, and your threat model.

encrypted artifact
03

One format for phone and desktop

The same backup restores on a mobile host or on desktop, because the shared Rust Core handles the format and the rules.

shared rust core
LIMIT

A backup is not live-sync and not a second primary vault. After a restore, the device you chose becomes the storage location again.

STORE ANYWHERE · RESTORE VIA CORE
Hover a medium to trace its restore path — every restore re-enters through Core.USB flash drive → Core → Phone / Desktop. The drive only held ciphertext.Cloud → Core → Phone / Desktop. The provider never sees plaintext.NAS → Core → Phone / Desktop. Trust stays in Core, not the box.External disk → Core → Phone / Desktop. The disk is just a carrier.

Download ChromVoid

Choose an available build for your platform and check the Threat Model before installing.

Platform downloads
macOS
Planned

Planned for upcoming releases.

Android
Download

Latest Android APK is published on GitHub Releases.

iOS
Planned

Planned for upcoming releases.

Windows
Planned

Planned for upcoming releases.

Linux
Planned

Planned for upcoming releases.

PRO

PRO modules for work scenarios

One license unlocks advanced modules as they become available for your platform: remote access, native autofill, SSH signing, mounted encrypted volume, and emergency access.

01 / 05 · PRO MODULE

Remote Access

platform-dependent

Your secrets stay reachable remotely without moving storage to the cloud.

From another laptop, browser, or phone, you reach your unlocked host and continue where you stopped.

Without module

To reach secrets from another device, teams usually move the whole vault to a cloud or lose access away from the workstation.

With module

Remote access reaches the working environment from another device. The vault does not move; it stays on the host.

You left, and the needed password or key stayed on the work machine.
You work from a phone, but the vault stays on the desktop.
You need trip access to a work environment without cloud sync.
Availability depends on platform and runtime.
02 / 05 · PRO MODULE

Credential Provider

Pro module

System autofill that does not hand passwords to a cloud.

Logins and passwords fill natively in system fields while the source remains the local vault, not a cloud manager.

Without module

Convenient autofill almost always means passwords sync through somebody else's cloud service.

With module

The familiar system autofill flow stays, but the secret is issued only for the request and does not leave the local vault.

You log into apps and sites dozens of times a day and do not want copy/paste.
You need native OS autofill without a cloud password manager.
The password should be issued for a specific request, not sit in the background.
Availability depends on platform support for credential provider integration.
03 / 05 · PRO MODULE

SSH Agent

coming with runtime support

SSH access without private keys scattered across disks.

The server asks for a signature; the module signs from Core. There is no private-key file to copy or lose.

Without module

Private SSH keys live as files on every machine: they get copied, forgotten, and lost.

With module

You connect over SSH as usual, but the key never becomes a file on disk.

You connect to servers and git over SSH every day.
You do not want copies of private keys spread across devices.
You need explicit signing per connection, not a permanent key on disk.
Arrives as runtime support becomes available on your platform.
04 / 05 · PRO MODULE

Mounted Vault

platform-dependent

Encrypted files behave like a normal working folder.

Unlock once, then work in Finder or Explorer like any other folder. Unmount the session, and files are encrypted at rest again.

Without module

Editing encrypted files usually requires export, edit, and re-import, while decrypted copies spread across disk.

With module

The volume mounts as a normal folder: edit PDFs, notes, and documents in place; after unmount only encrypted data remains.

You keep Obsidian or Markdown notes in a normal working folder.
You edit PDFs and scans in place without export / re-import.
The decrypted folder should exist only during the session.
On macOS, FUSE mode depends on compatible macFUSE; mobile volume mount is currently outside scope.
05 / 05 · PRO MODULE

Emergency Access

Pro module

Trusted people can get access if something happens to you, under a clear rule.

Choose a trusted recipient and delay. If you do not cancel the request in time, access opens transparently for both sides.

Without module

The question 'what if something happens to me' is often unsolved or handled with a paper password in a safe.

With module

A predefined access-recovery rule visible to both sides, without hidden bypasses or backdoors.

You want family members not to be locked out of important access.
You hand off work to a colleague in case of vacation or illness.
You need a recovery plan that is not a hidden backdoor.
Availability depends on platform support and PRO verification through Core.

Up to 3 devices · modules depend on platform support

Module availability depends on platform and runtime.
chromvoiddeniability

One password shows one vault.Other passwords can open other vaults.

Each password can open its own vault. Opening one proves only that this vault exists — it does not reveal the shared list or number of others.

Access scheme
Password A
Decoy vault
Shared inventory: not shown
counter: absent
Password B
Work vault
Password C
Recovery vault
Password N
Private vault
how many more is unknown from this session
What this means
01

One visible answer

A normal password opens a plausible vault without claiming it is the whole system.

02

Many boundaries

Personal, work, recovery, and private data can live behind different passwords.

03

No shared counter

The visible vault does not reveal the list of other areas.

Limitation · Deniability only works within the threat model. It reduces markers of other vaults during plausible-layer disclosure or file copying, but it does not protect an open session, a compromised device, or OPSEC mistakes.

Architecture · storage model

How a password becomes an encrypted namespace

A password does not "open a vault"; it derives a key that selects an encrypted namespace inside storage. Data lives as authenticated chunks, and no vault list exists in plaintext.

key · corestorage namespaceremote transportuntrusted / boundary
KEY + STORAGE TRUST BOUNDARY · local hostUI CONTEXTBrowser ExtDesktop UIMobile UIDesktop Gateway · App boundaryShared Rust CoreUI surfaces call Core through explicit boundaries — they do not own storage; theextension connects locally to the Gateway, not to a cloud vault.KEY DERIVATIONvault passworduser secretvault_salt · 16 Bstorage_pepper · 32 BBLAKE3 — salt stretch( vault_salt ‖ storage_pepper‖ "vault-salt-v2" )stretched_salt · 32 BArgon2idplatform memory / timevault_key32 B · active-session keynever written to diskvault_salt — stored with storage metadata storage_pepper — outside chunk dir · OS keystorevault_key — active session only · not a storage file · no plaintext "real vault" markerCHUNK ENCRYPTIONplaintext chunk+ chunk name as AADChaCha20-Poly1305nonce ‖ ct ‖ tag(16)AAD binds ciphertext to expected chunk identity — tampered or moved chunks fail authentication.CHUNK NAMING / NAMESPACEcatalog:rootcatalog:commitcatalogblobshard:<id>delta:<id>otpderivative-indexBLAKE3(vault_key ‖ context ‖ index )opaque chunk filenameDifferent password → different vault_key → different chunk namespace.No plaintext vault list. No hidden-vault counter.DENIABLE NAMESPACES— every password opens a namespace; there is no "right vs wrong"Password Anamespace ADecoy vault catalogPassword Bnamespace BHidden vault catalogPassword Cnamespace CEmpty namespacereal namespace, chosenby another passwordindistinguishable from decoyno catalog exists → emptyUnlock is not "correct vs wrong" — the key-derived catalog decides:· catalog exists → Core loads it· no catalog → empty vault for that password· catalog corrupt → error / repair, not emptyThe decoy vault is a real namespace selected by a different password — not a fake screen.remote RPC — outside trust boundaryUNTRUSTEDTRANSPORTRemote accessNoise secure channelWebRTC primaryWSS relay fallbackTransport ready≠ vault accessHost unlock gaterequiredEncrypted in transit,never trusted as astorage location.Relay carries ciphertextchunks only — it is notthe data store.
FAQ

Short answers before you start.

Start with fit, limits, and platform status. Proof pages go deeper where it matters.

Buyer questions. Inspectable model.
1.Who is ChromVoid for?

For anyone who does not want passwords in someone else's cloud, plus security teams, journalists, lawyers, activists, and users who need local or phone-held boundaries.

2.Why not use a normal password manager?

Normal managers are good at convenience and sync. ChromVoid is for cases where browsers, cloud accounts, transport paths, or shared devices should not become the place where secrets live.

3.What does deniability mean here?

Each password can open its own vault. Showing one vault does not reveal the list or count of others. The guarantees depend on device state, storage medium, your own actions, and the public threat model.

4.What is ready today?

The basic vault path and selected platform builds are the starting point. Extended modules activate only when the module and platform runtime are available.

5.Is this overkill for daily use?

No. The basic path behaves like a local vault. Stricter boundaries are opt-in for workflows that need them.

6.Does the browser extension store passwords?

No. It talks to the local Desktop Gateway and receives temporary permissions (grants); it does not store the vault.

7.What if my storage files are copied?

Vault files are encrypted at rest, but master-password strength, key material, device state, and backups still matter.

8.What does ChromVoid not protect against?

No vault fully protects a compromised live device. ChromVoid reduces specific exposure paths; it does not replace OPSEC.

9.Are builds available now?

Some platforms have builds; others are in progress or planned. Check the availability matrix before installing.

10.What is LDL?

LDL is the Lifetime Device License for Pro modules on up to three Core devices when the module and platform runtime are available.

11.Where can I verify the security model?

Start with the public Threat Model, architecture diagrams, and GitHub repository before installing.

Platform statusThreat ModelGitHub

Download ChromVoid
for your platform.

Choose the current build for your platform, then inspect the public security model before installing.

Core safety is not an upsell.Deniability has documented limits.Current limitations are documented publicly.