A zero-knowledge password manager built into Koder ID. Your vault is encrypted on your device with AES-256-GCM before anything leaves your machine. The server stores only ciphertext it can never decrypt.
Every design decision in Koder Keys puts your privacy first.
Your master password and Secret Key never leave your device. The server is a blind storage tier that only sees AES-256-GCM ciphertext.
Two-secret model: your password plus a 34-character Secret Key. Losing both means permanent lockout — by design, not by bug.
Password hashing with Argon2id (64 MB, 3 iterations, 4 threads). Brute-force resistant. Completes in ~36 ms on modern hardware.
Store logins, credit cards, secure notes, TOTP seeds, and SSH keys. All encrypted with the same VDK — one key for everything.
Encrypted vault syncs across all your devices via the SyncSince API. Version-based delta sync keeps bandwidth minimal.
Print your Secret Key as a physical Emergency Kit. If you lose your devices, the kit is your recovery path — no admin backdoors.
From password to encrypted vault in milliseconds.
Your password and Secret Key combine through a multi-stage derivation chain to produce the Vault Data Key (VDK).
```
// Key derivation chain
password + secret_key + account_id
        |
        v
Argon2id (64 MB, t=3, p=4)
MUK [32 bytes]
        |
        v
HKDF-SHA256
VDK [32 bytes]
        |
        +--> Fingerprint (HMAC-SHA256)
        |
        v
AES-256-GCM (random nonce)
ciphertext --> server
```
Manage your vault from the command line. Initialize, add credentials, list, edit, and delete — all with client-side encryption.
keys init — bootstrap a new vault and print your Emergency Kit
keys add — encrypt and store a new login
keys list — decrypt and display all items
keys edit — fetch, decrypt, merge, re-seal with CAS

```
# Bootstrap a new vault
$ koder-id-cli keys init \
    --user user-abc --password "****"
Vault created:
  Vault ID: 01JSGK...
  VDK Fingerprint: a8f2c1...
=== EMERGENCY KIT ===
Secret Key: A3-VKXN2-...
=== SAVE THIS KIT ===

# Add a credential
$ koder-id-cli keys add \
    --name "GitHub" --username koder-dev \
    --pw "s3cret!" --url https://github.com
Item created:
  ID: 01JSGM...
  Type: LOGIN
```
Koder Keys vs. established password managers.
| Feature | Koder Keys | 1Password | Bitwarden | KeePass |
|---|---|---|---|---|
| Zero-knowledge encryption | ✓ | ✓ | ✓ | ✓ |
| Secret Key (two-secret model) | ✓ | ✓ | — | — |
| Integrated with IAM (SSO, MFA) | ✓ | — | — | — |
| CLI-first workflow | ✓ | ✓ | ✓ | — |
| Self-hostable | ✓ | — | ✓ | ✓ |
| No admin recovery backdoor | ✓ | ✓ | — | ✓ |
| Emergency Kit (physical recovery) | ✓ | ✓ | — | — |
| Version history (90 days) | ✓ | ✓ | — | — |
| gRPC + REST API | ✓ | — | ✓ | — |
| Free for all users | ✓ | — | ✓ | ✓ |
Your vault is permanently inaccessible. This is by design — there are no admin backdoors, no recovery endpoints, and no way for anyone (including Koder) to decrypt your data. Print your Emergency Kit and store it somewhere safe.
No. The server is a blind storage tier. It receives AES-256-GCM ciphertext and random nonces — it has no access to the encryption key (VDK), which is derived entirely on your device from your password and Secret Key.
When you add a new device, it generates an X25519 keypair and creates a pending enrollment. Your authorized device encrypts the Secret Key + VDK to the new device's public key. The new device polls for the payload, decrypts it, and is ready. The handshake expires in 5 minutes.
Yes. Koder Keys is included with every Koder ID account at no additional cost. There are no premium tiers, no feature gates, and no item limits.
Create your vault in under a minute. Your passwords belong to you — and only you.