I built a zero-knowledge encrypted secrets manager as a solo developer — launching next week

Hey IH! I'm Ali, a solo developer, and I just finished building CryptVault — an end-to-end encrypted secrets manager where no one (not even me) can access your data.

Why I built this
I've been using password managers for years, but something always bothered me:

• Most popular ones had data breaches (LastPass, anyone?)
• The "trust us, your data is safe" model felt wrong
• Affordable options were either too basic or not truly encrypted
• None of them let me control where my encrypted data is stored

So I decided to build one myself — with zero-knowledge architecture from day one. The server never sees your plaintext data. Period.

The tech behind it

This was the most fun (and challenging) part:

• RSA-4096 for key wrapping — each user gets a unique keypair
• AES-256-GCM for encrypting actual secrets — fast and authenticated
• Argon2id for key derivation from your Master Password — resistant to GPU/ASIC attacks
• Two-layer authentication: Account login (email + password → JWT) and Vault unlock (Master Password → decrypts your private key in memory)

Your Master Password never leaves your device. It derives the key that decrypts your RSA private key, which then decrypts your secrets. If you forget it, even I can't help you — that's the point.

For recovery, I implemented a 13-word BIP-39 mnemonic (similar to crypto wallets). You get it once when you create your vault.

What it does

• Store passwords, API keys, SSH keys, notes, cards, emails
• Built-in TOTP Authenticator — no separate 2FA app needed
• Password Health Analysis — flags weak, reused, and aging passwords
• Dark Web Monitoring — alerts when your credentials appear in breaches
• Bring-Your-Own-Storage (BYOS) — connect your Google Drive for encrypted backups you control
• Full English + Arabic support with RTL layout

Stack

• Frontend: React 19 + Vite 7 + Tailwind CSS
• Backend: Express 5 + Prisma 7 + PostgreSQL
• Deployment: Docker on a VPS, Cloudflare for DNS/CDN
• Payments: Stripe Billing

Business model

Simple and transparent:

• Free: 20 secrets, 5 categories, built-in TOTP
• PRO: $1.99/mo — unlimited secrets, dark web monitoring, BYOS, export/import

I wanted PRO to be affordable enough that it's a no-brainer if you use the free tier and want more.

Challenges I faced

1. Encryption complexity: Getting RSA + AES + Argon2id to work together seamlessly across client and server took weeks of iteration. Key management is hard.

2. Zero-knowledge trade-offs: When you can't read user data, you can't offer "forgot password" recovery the normal way. The BIP-39 recovery key was my solution.

3. Solo developer bandwidth: Building frontend, backend, encryption layer, admin panel, payment integration, and landing page alone is... a lot. But also incredibly rewarding.

What's next

Launching on Product Hunt on March 31 (Tuesday). After that:

• Browser extension for auto-fill
• Mobile app
• More BYOS providers (Dropbox, OneDrive)
• Team/organization vaults
• Self-hosted option

Try it out

The app is live at cryptvault.app. Free tier available — no credit card required.

I'd love to hear your thoughts, feedback, or questions about the architecture. Happy to go deep on the encryption design if anyone's curious!