Open Source · Local First · No Cloud

Your Vault.
Your Machine.

CryptHub is a local-first password manager that encrypts everything with AES-256-GCM. No cloud. No accounts. No telemetry. Your passwords never leave your device.

crypthub — vault
git clone https://github.com/srsdesigndev/crypthub.git
Cloning into 'crypthub'...
cd crypthub && npm install && npm start
Rebuilding native dependencies...
Installing better-sqlite3 prebuilt binary...
✓ CryptHub is running — Your vault is ready.

Everything you need.
Nothing you don't.

Built for people who want full control over their passwords without handing them to a third party.

AES-256-GCM Encryption
Every password is individually encrypted with a random IV before it touches storage. GCM is an authenticated mode, so a modified ciphertext fails to decrypt.
Local-Only Storage
Your data lives in your browser's IndexedDB — or a local SQLite file in the desktop app. No internet connection required. Ever.
Vault Migration
Export your entire vault as a signed, encrypted .crypthub file. Import on any machine or browser with your master password.
Master Password Auth
Your master password is never stored; only a PBKDF2-derived hash with a random salt is. The session key lives in memory only.
Password Generator
Generate cryptographically random passwords with configurable length and symbols. Strength meter gives instant feedback.
Search & Categories
Instantly filter by label, username, or category. Organise passwords into Social, Work, Finance, Dev, and more.

Cryptography you can verify.

Open source means you don't have to trust us. Read the code, audit it yourself, or run it locally.

01

Master Password → PBKDF2

Your password is never stored. It's run through PBKDF2 (310k iterations) with a random 32-byte salt to produce a hash.

PBKDF2(password, salt, 310000) → masterHash
02

Session Key Derivation

A 256-bit encryption key is derived and lives in memory only — cleared immediately on lock or tab close.

PBKDF2(password, salt) → sessionKey (CryptoKey)
03

AES-256-GCM Per Entry

Each password is encrypted individually with a unique random IV. The GCM auth tag detects any tampering.

AES-256-GCM(password, sessionKey, iv)
04

Export Signature Chain

Export files use a two-layer key chain. Tamper with the file and the auth tag verification fails on import.

PBKDF2(masterHash, exportSalt) → exportKey
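
Steps 01 to 03 above, written out as an added example; this is not CryptHub's source code, and it uses Node's crypto module rather than the browser's Web Crypto so it runs from a terminal. Assumptions not stated on the page: SHA-256 as the PBKDF2 hash, 12-byte IVs, a separate salt for the stored hash and the session key, the entry label bound as additional authenticated data, and every function name.

```javascript
// Added example, not CryptHub's source. Assumed: SHA-256 as the PBKDF2 hash,
// 12-byte IVs, separate salts for hash and key, label as AAD, all names.
const crypto = require('node:crypto');

const ITERATIONS = 310000; // iteration count stated on the page

// Step 01: the value kept on disk to check the master password at unlock.
function deriveMasterHash(password, authSalt) {
  return crypto.pbkdf2Sync(password, authSalt, ITERATIONS, 32, 'sha256');
}

// Step 02: the in-memory AES key. A different salt keeps it independent of
// the stored hash, so reading the database does not reveal the key.
function deriveSessionKey(password, keySalt) {
  return crypto.pbkdf2Sync(password, keySalt, ITERATIONS, 32, 'sha256');
}

// Unlock check, compared in constant time against the stored hash.
function verifyMasterPassword(password, authSalt, storedHash) {
  return crypto.timingSafeEqual(deriveMasterHash(password, authSalt), storedHash);
}

// Step 03: a fresh random IV per entry. The label goes in as AAD so a
// ciphertext moved to another entry fails the tag check.
function encryptEntry(sessionKey, label, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  cipher.setAAD(Buffer.from(label, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { label, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the tag check fails (wrong key, or a
// modified ciphertext, IV, tag or label).
function decryptEntry(sessionKey, entry) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, entry.iv);
  decipher.setAAD(Buffer.from(entry.label, 'utf8'));
  decipher.setAuthTag(entry.tag);
  try {
    return Buffer.concat([decipher.update(entry.ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample run: a round trip, then the same entry with its label swapped.
const demoKey = deriveSessionKey('constructed-master-pw', crypto.randomBytes(32));
const demoEntry = encryptEntry(demoKey, 'github', 'constructed-secret');
console.log(decryptEntry(demoKey, demoEntry));
console.log(decryptEntry(demoKey, { ...demoEntry, label: 'bank' }));
```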

256-bit encryption key · GCM authenticated mode · 0 bytes sent to cloud · MIT open source license

Take your vault anywhere.

Switch machines without losing a single password. One encrypted file is all you need.

Your Browser: Unlock vault with master password
Export: Click Migrate Vault → Export
vault.crypthub: Signed encrypted binary file
Import: Verify master password on new machine
Any Device: Vault fully restored, ready to use

No install required.

Run CryptHub directly in your browser — no download, no sudo, no setup.

Launch in Browser
Works on any device with a modern browser. Your vault is stored locally in IndexedDB — encrypted, private, and never transmitted anywhere.
No Install · Works Offline · Chrome · Firefox · Safari · Edge

Prefer the desktop app?

The Electron app uses SQLite + native crypto for extra performance. Clone the repo and build it yourself — MIT licensed, open source.