Vault is a personal, browser-based secure storage tool. It runs entirely
in your web browser. There is no remote account server and no vault data is sent over
the internet when you save passwords or encrypt files — everything happens on your device.
Vault combines a password manager (store website logins, notes, and
generated passwords) with standalone encryption tools (encrypt text,
documents, or short messages with a password you choose).
What is it for?
Keeping usernames, passwords, URLs, and notes for sites and services in one encrypted place.
Generating strong random passwords when you create or update an account.
Encrypting a piece of text or a file (Word, PDF, ODT, TXT) so only someone with the password can open it.
Sending an encrypted message string that is safe to paste into email or chat (with the password shared separately).
Backing up your encrypted vault to a JSON file you can restore later.
Vault is intended for personal use. It has not been professionally audited. For
enterprise-grade autofill across all apps, consider a dedicated password manager
(Bitwarden, 1Password, etc.) and use Vault’s backup export if you need to migrate data.
How it works (no server)
When you unlock Vault with your master password, the app derives an
encryption key using PBKDF2-SHA256 (25,000 iterations) and encrypts
your data with AES-GCM 256-bit encryption. The encrypted blob is
stored in your browser’s localStorage for this website address only.
Your master password is never stored. If you forget it, there is
no recovery — the encrypted data cannot be decrypted without it.
Because storage is tied to this exact website URL, clearing browser data for this site,
using a different browser, or using a private/incognito window without syncing will
not show the same vault unless you import a backup.
Sign-in vs master password
Vault uses two security layers before you reach your saved entries:
Layer: Sign-in account (username + password you create)
Purpose: Opens the app for you on this browser — like a door on the tool itself. Each person picks their own username and password.
Stored?: Only one-way PBKDF2-SHA256 hashes are saved in this browser’s localStorage. Plaintext username and sign-in password are never stored and cannot be read back.

Layer: Master password
Purpose: Actually protects your vault entries and backups. Derives the AES encryption key.
Stored?: Never stored. You must remember it.
Important: The sign-in screen is a convenience gate on this device, not
server authentication. Anyone with access to your unlocked browser could open Vault.
Short sign-in passwords could also be guessed offline by someone who copies your browser
storage. The master password is what keeps your real data safe — make it
long and unique.
You create your own sign-in account the first time you use Vault on a
browser. There are no shared or pre-set usernames. If you use Vault on another phone,
computer, or browser, create an account there too (or import a backup after signing in).
Create your account
When you open Vault for the first time on a browser, you need a sign-in account before
you can set up your encrypted vault.
On the sign-in screen, click Create account.
Choose a username (2–64 characters; letters, numbers, dots, dashes, and underscores only).
Choose a password (at least 6 characters) and type it again to confirm.
Click Create account. Vault stores only hashed versions of your username and password in this browser — not the plain text.
You are taken to the Unlock vault screen to set your master password (see Quick start below).
Returning later on the same browser
Use Sign in with the same username and password you created. As long as
this browser’s site data for Vault has not been cleared, your account and encrypted vault
remain available.
Same person, different browser or device
Sign-in accounts do not sync across devices automatically. On a new browser
you can either:
Create a new account and then Import a backup JSON from the Backup tab (you will need the master password from when that backup was exported), or
Keep separate vaults on separate devices if you prefer.
Username already taken? That name is already registered on this browser.
Pick a different username, or sign in if it is yours.
No “forgot sign-in password”. If you forget the username or password you
created, Vault cannot recover them — they are stored only as one-way hashes. You would
need to create a new account on that browser and restore from a backup JSON if you have one
(using the original master password, not the sign-in password).
Quick start
Open index.html (or your live Vault URL) in a modern browser (Chrome, Firefox, Safari, or Edge).
First visit on this browser: click Create account, choose a username and password, then confirm.
Returning on this browser: Sign in with the username and password you created.
On the Unlock vault screen:
First time: if no vault exists yet, set a strong master password (twice if prompted) and create the vault.
Returning: enter your existing master password and click Unlock.
Extra vault on same account: tick Create a new vault, enter a new master password twice, then create.
Use the Vault tab to add your first entry with + New.
Go to Backup and download a backup JSON file. Store it on your computer or phone — it is useless without your master password, but you will need both if you lose browser data or move to another device.
Vault tab — password entries
Your main password list. Each entry can hold:
Label — a name you recognise (e.g. “Email provider”).
URL — optional website address.
Username / email
Password — with Show, Copy, and Generate buttons.
Notes — free text (recovery codes, security questions, etc.).
Search
Type in the search box to filter entries by label, URL, username, or notes.
Password generator
Open Generator options to set length (4–128) and character sets
(uppercase, lowercase, digits, symbols). Click Generate to fill the
password field, then Save.
Edit or delete
Select an entry on the left to edit it. Save writes encrypted data to
localStorage. Delete removes the entry after confirmation.
Cancel discards unsaved changes.
Vault does not auto-fill passwords into other websites or apps. Copy the password and
paste it where you need it.
Encrypt / Decrypt tab
A quick tool for encrypting or decrypting plain text with a password
you type. Useful for short secrets that are not full vault entries.
Encrypt
Enter a password.
Paste or type plaintext.
Click Encrypt. The result is a base64 blob you can copy and store or send.
Decrypt
Enter the same password used to encrypt.
Paste the encrypted blob.
Click Decrypt to recover the original text.
This tab uses the vault’s standard single-round encryption. For multi-round document
encryption, use the Documents tab.
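The password-to-blob flow described under “How it works” and used by this tab, as an added JavaScript example that is not Vault’s own code: it derives an AES-GCM 256-bit key with PBKDF2-SHA256 (25,000 iterations) through the Web Crypto API and returns a base64 blob. The 16-byte salt, 12-byte IV, the salt || IV || ciphertext layout and all function names are assumptions, because the page does not describe Vault’s actual blob format.

```javascript
// Added example, not Vault's code. Assumptions: 16-byte salt, 12-byte IV,
// blob layout salt || iv || ciphertext+tag, and every function name here.
const ITERATIONS = 25000; // iteration count stated on the page
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Browsers and current Node expose Web Crypto as globalThis.crypto.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function encryptText(password, plaintext) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per blob
  const iv = c.getRandomValues(new Uint8Array(IV_LEN));     // never reuse with a key
  const key = await deriveKey(c, password, salt);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  blob.set(salt, 0);
  blob.set(iv, SALT_LEN);
  blob.set(ct, SALT_LEN + IV_LEN);
  return btoa(Array.from(blob, (b) => String.fromCharCode(b)).join(''));
}

async function decryptText(password, b64) {
  const c = await webCrypto();
  const blob = Uint8Array.from(atob(b64.trim()), (ch) => ch.charCodeAt(0));
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.slice(0, SALT_LEN);
  const iv = blob.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(c, password, salt);
  try {
    const pt = await c.subtle.decrypt(
      { name: 'AES-GCM', iv }, key, blob.slice(SALT_LEN + IV_LEN));
    return new TextDecoder().decode(pt);
  } catch {
    // GCM tag check failed: a wrong password and a modified blob look the same.
    throw new Error('wrong password or corrupted data');
  }
}
```

The iteration count is the figure the page states; OWASP’s Password Storage Cheat Sheet currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256, so at 25,000 the length of the password carries most of the resistance to offline guessing.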
Documents tab
A fuller encryption workspace with two modes, selected from the Mode dropdown.
Mode: Encrypt / Decrypt Document
Encrypt or decrypt whole files: Word (.doc, .docx), PDF, ODT, or TXT.
Choose a file (Browse or drag-and-drop onto the drop zone).
Enter a password.
Set Count (encryption rounds, 1–20; default 5). Higher counts take longer but add more layers.
Encrypt & Download saves one encrypted file. The original filename and type are preserved inside the encrypted package — the download name may not match the original.
To recover: select the encrypted file on the Decrypt side, enter the same password and Count, then Decrypt & Download Original.
Mode: Send / Receive Encrypted Message
Encrypt short messages for email or chat. The Encrypt panel turns your message into a
single encrypted string; the Decrypt panel reverses it.
Set password and Count on both sides (they must match).
Type a message and click Send on the Encrypt panel — it appears encrypted on the Decrypt panel’s receive list (and vice versa within the same browser session).
Click Copy on a received note, or double-click an item to move it into the send box above.
You can also copy the encrypted string from one device and paste it on another, as long as password and Count match.
Count must match. If encryption used Count 5, decryption must
also use 5. The encrypted file or message exposes only the round count
externally; filename and file type stay hidden inside the ciphertext until decrypted.
Backup tab
Export (Download backup)
Downloads the currently unlocked vault as a JSON file. The file
contains only encrypted data — it is unreadable without the master password that was
used when that vault was created.
Keep backups in a safe place (encrypted disk, password-protected archive, or offline storage).
Import
Choose a previously exported .json backup and click Import.
This replaces the currently unlocked vault with the backup’s contents.
Other vaults stored in the same browser are not affected.
After import, you will need the master password from when that backup was made
the next time you unlock.
Settings tab
Change master password
Re-encrypts the entire vault with a new master password. You must enter:
Current master password
New master password (minimum 6 characters)
Confirm new master password (must match — prevents typos from locking you out)
After a successful change, use the new password to unlock and make a
fresh backup.
Lock, sign out & auto-lock
Lock — clears the decrypted vault from memory and returns to the unlock screen. Your encrypted data stays in localStorage under your signed-in account.
Sign out — returns to the sign-in screen. You must enter your account username and password again, then your master password to open the vault.
Auto-lock — after 5 minutes with no mouse, keyboard, touch, scroll, or wheel activity, Vault locks automatically. The timer pauses while the browser tab is hidden.
Multiple accounts and vaults on one browser
You can have more than one person using Vault on the same computer, each with their own
sign-in account. Each account keeps its own encrypted vault data separate in localStorage.
Multiple sign-in accounts
Each person clicks Create account and picks their own username and password.
Usernames must be unique on that browser — two people cannot share the same username there.
Sign out, then sign in as the other person to switch accounts.
Multiple encrypted vaults (same account)
One signed-in user can also keep more than one independent encrypted vault (e.g. “work”
and “personal”), each with its own master password:
Unlock existing: enter the master password; Vault tries each stored vault for your account until one decrypts.
Create another: on the unlock screen, tick Create a new vault, confirm the password twice, then create.
Delete one vault: on the unlock screen, enter that vault’s master password and click Delete this vault. Other vaults for your account remain.
Without the correct master password, an attacker cannot tell how many vaults exist or
who they belong to — only that encrypted blobs are present.
Install on phone (PWA)
On a live HTTPS site, Vault can be installed as a Progressive Web App
and works offline after the first visit (thanks to the service worker).
iPhone (Safari)
Open the Vault URL in Safari.
Tap Share → Add to Home Screen → Add.
Android (Chrome)
Open the Vault URL in Chrome.
Tap the menu (⋮) → Install app or Add to Home screen.
iOS limitation: A home-screen PWA cannot act as system-wide password
autofill in Safari or other apps. Open Vault, copy the password, then paste it where needed.
Security & limitations
Remember your master password. There is no “forgot password” flow.
Lose the password and lose access to the vault and any backups encrypted with it.
All encryption runs in your browser using the Web Crypto API.
Sign-in accounts exist only in this browser’s storage for this site — they are not synced to a server.
Do not upload your master password, sign-in password, or backup files to untrusted sites.
Clearing site data for this domain deletes your sign-in account(s) and local vault storage — keep regular backups.
Use a strong, unique master password (long passphrase recommended). Use a separate, strong sign-in password too.
This tool is for personal use and has not been independently security-audited.
Encrypted exports and document files are only as safe as the passwords you choose and how you share them.
Troubleshooting
“Wrong master password” but I’m sure it’s correct
Check Caps Lock and keyboard layout.
If you meant to create a new vault, tick Create a new vault instead of unlocking.
If you imported a backup, you need the master password from when that backup was exported.
Decrypt failed / wrong password on a document or message
Password must match exactly.
Count must match the value used when encrypting.
For message mode, paste the full encrypted string, with no extra spaces or line breaks.
Vault empty after browser update or on a new device
Data lives in this browser’s storage for this site URL. Import your JSON backup and
unlock with the correct master password.
Service worker / offline not working
Offline install requires HTTPS (or localhost). Opening files directly
from disk (file://) skips the service worker by design.
Sign-in not accepted
Check Caps Lock and that you are using the username and password you created on this browser.
If you have never used Vault on this browser before, click Create account instead of signing in.
If you cleared this site’s browser data, your old sign-in account is gone — create a new account and import a backup if you have one.
Vault cannot recover a forgotten sign-in password (only one-way hashes are stored).
Forgot sign-in password but have a backup
Create a new account on this browser, then use Backup → Import after you
unlock with the master password from when the backup was made. The
sign-in password and master password are separate — restoring data depends on the master
password, not the sign-in password.