Local encrypted storage for secrets

Keep passwords, files, and OTPon a device you control.

ChromVoid keeps the vault locally or on your phone. Browsers, desktop apps, and workflow tools receive temporary access for a specific action without moving the vault into a cloud account or browser profile.

Check available buildView Threat Model
Local-first
Zero-cache
Vault stays local
Public threat model
Android build available · Desktop as readyOpen core · documented limits
chromvoid · workspace
[OUTSIDE]
INTERFACE
Workspace
Recent
Shared surface
Settings
About
DEVICE
macbook-local
offline-capable · sealed
OUTSIDE · interface only
INSIDE · sealed locally
stop · verify
[BOUNDARY]
unlock gate
device key
+ biometric
[INSIDE· vault space]
passwords, files, OTP, and recovery data stay inside
Passwords
312
sealed
Files
1.4 GB
sealed
OTP
24
sealed
Notes
58
sealed
SSH Keys
17
sealed
Wallets
6
sealed
Bank Cards
9
sealed
more bounded vaults
no cloud vault · short-lived access · local session
[TRUST STRIP]

Proof that the boundary is real

01
Public threat model

Coercion, device compromise, copied storage, and OPSEC assumptions are documented.

documented
02
Local or phone-held storage

Choose Local mode or Mobile host before a browser or cloud account enters the workflow.

you choose
03
Zero-cache browser path

The extension receives grants from localhost instead of becoming another vault.

localhost only
04
Short-lived access paths

USB, WebRTC, and WSS carry encrypted traffic without becoming the trust anchor.

untrusted channel
05
Honest limits

Deniability, live-device safety, and recovery all have documented limits.

bounded claim
Value comes from documented boundaries, local storage choices, and limits that are stated before install.
Problem

When a password manager isn't enough

Some secrets need to stay useful without spreading trust into every surface that touches them.

Border checks, legal pressure, shared devices, browser autofill, copied vault files, and compromised live sessions are different risks. Treating them as one flat sync problem hides the boundary you actually need.

One broad unlock

A single exposed app surface can reveal passwords, files, notes, and recovery paths together.

Too many traces

Data can leak into previews, clipboard history, temp storage, autofill, and sync layers.

Fast access can spread risk

Fast unlocks help daily work, but they do not always keep sensitive secrets away from browser profiles, previews, or temporary files.

Risk levels differ

Not every tool separates secrets by exposure level, device state, or the action that needs access.

01
Trust spreads quietly

Sensitive data can outgrow the place where you thought it lived.

02
Surfaces learn too much

Apps, sync layers, previews, and autofill expand what has to be trusted.

03
Some workflows need narrower access

Travel, shared devices, recovery, and professional secrets often need a smaller disclosure boundary than ordinary autofill.

What you get

One controlled vault boundary for daily secrets
and pressure scenarios.

Start with passwords, OTP, notes, and files in a local vault. Add phone-held secrets, decoy vaults, localhost-only browser access, and workflow-specific approvals only where they reduce real exposure.

chromvoid/vault
vault unlocked
Passwords & OTP
GGitHubdev@chromvoid.com•••••••••
PProton Maildev@chromvoid.com•••••••••
BBank Accountuser@bank.com••••••
TOTP code
137 839
Notes
Server root access procedure
  1. Connect via SSH
  2. Verify host key
  3. Elevate with sudo
  4. Check system status
#ops
Files
PDF
report.pdf
JPG
diagram.png
ZIP
backup.zip
TXT
keys.txt
CSV
credentials.csv
+
Upload
Browser Access
Connected to
localhost:57228
Short-lived grant active02:45
Higher-Risk Modes

Stronger boundaries when your threat model demands them.

Decoy Vault

Plausible vault for regular accounts and low-risk data.

Hidden Vault

Different passwords unlock different secret surfaces.

Passwords and OTP

Store logins and one-time codes without making a cloud account the main storage place.

Notes and files

Keep sensitive documents in encrypted vaults instead of loose files and previews.

Browser access

Fill or copy secrets through temporary localhost permissions that do not turn the browser into a vault.

Higher-risk modes

Use Mobile host, decoy vaults, and approvals when legal pressure, border search, or custody workflows need more.

How it works

Three decisions: where secrets live
what clients can learn.

Choose where the vault lives, connect apps and tools as clients, then give temporary permissions (grants) for specific actions. The value is less trust spread, not broader hiding.

01Main storage place
Local devicedesktop platforms as ready
local
Mobile hostphone holds the vault
active
Choose where secrets live
Use a local device, or keep the vault on your phone when the desktop should stay a client.
02Connected surfaces
Vaultsealed
Browser
Desktop
CLI · SSH
Wallet tool
Extension
Limit what clients learn
Browser and tools request scoped access instead of owning storage.
03Ephemeral access
github.comfill · read02:45
ssh prod-edge-3session00:58
wallet.toolsign once00:12
Expire access by default
Temporary permissions expire, can be revoked, and do not leave durable browser state.
Under the surface
Same Rust core runs across desktop and mobile.
Separate vaults are separate disclosure boundaries.
Browser extension talks to 127.0.0.1 only — it never stores a vault.
Important
ChromVoid does not send your vault to a cloud sync service. Secrets stay on the device or phone you selected.
DownloadView architecture
Plausible deniability

Decoy vaults support controlled disclosure.
Hidden vaults keep limits visible.

Deniability is controlled disclosure for specific threat models. A decoy vault can hold routine low-risk data, while hidden vaults reduce obvious inventory markers. The limits depend on storage, device state, OPSEC, and the public Threat Model.

ChromVoidvault
Decoy vault
Accessible with everyday credentials. Useful for regular accounts and low-risk disclosure.
Personal Email
you@example.com
• • • • • •
Banking
checking account
• • • • • •
Notes
meeting agenda
• • • • • •
Receipts.pdf
12 KB · Apr 20
Tax.docx
24 KB · Mar 18
Hidden vaults
Different password, different surface. No explicit vault count.
Research Notes
Encrypted note
• • • • • •
Project Atlas
Secure folder
Keys & Codes
One-time codes
• • • • • •
Medical Records
Private documents
Archive.bin
Encrypted file
• • • • • •
Decoy vault
A plausible vault can hold routine accounts without pretending every secret is present.
Hidden vaults
Different passwords can unlock different secret surfaces without exposing a simple inventory.
Less talkative metadata
Storage avoids obvious markers that prove what else exists.
Honest limitations
If a device is compromised while unlocked, no vault can promise safety.
Deniability is not a universal promise. It is useful under specific threat models: copied storage, controlled disclosure, and pressure scenarios with documented limits.
Read Deniability limits
Architecture proof

Architecture that keeps trust from spreading.

ChromVoid separates apps and tools from the place where the vault lives. Browser, desktop, and transport paths can do useful work without becoming storage.

The browser is a UI.Not a storage layer.
Untrusted Surface
UI only
Local Boundary
your device
Shared Core
domain authority
Vault Location
your choice
Untrusted Transport
encrypted, not trusted
Browser Extension
UI shell · no secrets stored
→ 127.0.0.1 only
Desktop App
Thin client
Workflow Tools
CLI · SSH · wallet · autofill
Desktop Gateway
Explicit boundary
Pairing & sessions
Capability grants
Policy enforcement
Audit · runtime grants
ChromVoid Rust Core
Single codebase. Same Core on desktop and mobile. Secrets, policy, and crypto live here.
Cryptography
Primitives & protocols
Storage
Vaults · indexes · metadata
RPC Contracts
Typed transports
Domain Policy
Vault invariants
Core Services
Key managementKDFSecure memoryZeroize
OR
Mobile Host
Vault on your phone
Phone holds the vault. Desktop requests access, never the storage layer.
Same Rust Core
Local Vault
Vault on this device
Encrypted at rest. Core applies domain rules and crypto, not UI surfaces.
Same Rust Core
Encrypted channels
Noise over network
WebRTC
primary
WSS Relay
fallback
USB
post-MVP
Channel is not trusted. Transport delivers ciphertext. Trust lives in Core, not the wire.
Remote unlock gate
transport_ready · host_locked
host unlock confirmed
remote_dashboard_open
Shared Rust Core
Crypto, storage, RPC contracts, and vault rules use one Core across desktop and mobile.
single-codebasedomain-authority
Mobile host
Phone can hold the vault while desktop stays a thin client behind host unlock.
unlock-gatethin-client
Noise over transport
WebRTC is primary, WSS fallback, USB post-MVP. Channels carry ciphertext.
webrtc → wssusb · post-mvp
Localhost browser boundary
The extension reaches Desktop Gateway on 127.0.0.1, never a cloud vault.
127.0.0.1no-cloud-sync
Cryptographic primitivesConcrete · auditable · narrow scope
Storage / vault
ChaCha20-Poly1305Argon2idBLAKE3
Transport secure channel
Noise XX / IK / XXpsk0X25519ChaChaPolyBLAKE2s
Open source. Open source. Public Threat Model. Inspectable end to end.
Inspect architectureView GitHubRead threat model
Workflow pages

Use the same boundary model across daily work and pressure workflows.

Each workflow starts with a user job: fill, mount, sign, recover, or connect remotely. The boundary decides what the surface can learn before the outcome happens.

SurfaceWhere work happens
->
BoundaryWhat limits exposure
->
OutcomeUseful work without moving trust
Shared vault boundary
01
Mounted Vault
Work with files, then unmount so storage locks again.
Surface
~/Documents
vault.cv
OS files stay explicit.
Boundary
User-initiated mount
Encrypted until mounted.
Outcome
Unmount -> re-locked
Work, then storage locks again.
Local · short-livedOpen Mounted Vault
02
Browser Extension
Autofill without turning the browser profile into a vault.
Surface
app.example.com/login
user...
passfilled
Browser sees a fill, not a vault.
Boundary
127.0.0.1 only
Gateway is local, not cloud storage.
Outcome
0:42grant
Short-lived fill; no durable browser state.
Short-livedOpen Browser Extension
03
Credential Provider
Native OS autofill without a cloud backplane.
Surface
Sign in to app
usera.kor
pass********
Native OS prompt, not in-page UI.
Boundary
Vault available
OS extension reads local vault grants.
Outcome
Native flow · no cloud
Autofill works without cloud backplane.
LocalOpen Credential Provider
04
SSH Agent
Sign per request without loose private key files.
Surface
~/proj
$ssh prod-01
requesting signature...
SSH asks for a signature; no key file.
Boundary
First-sign approvalid_ed25519
Local agent approves each connection.
Outcome
Signed in vault
Private keys never become loose files.
ApprovalOpen SSH Agent
05
Crypto Wallet
Review and approve transactions inside the vault boundary.
Surface
Transactionpreview
to0x7a...b2c4
amount0.42 ETH
gas21k
Review the exact transaction.
Boundary
Local review
Approval happens inside the vault.
Outcome
Approve transaction
Sign only the intended action.
ApprovalOpen Crypto Wallet
06
Emergency Access
Delayed release for trusted recipients without a hidden backdoor.
Surface
M
Maria K.
recipient
Pick recipient and release policy.
Boundary
72h delay
Delay and policy must clear.
Outcome
Visible recovery
Recovery is not a hidden backdoor.
Time-boundOpen Emergency Access
07
Remote
Remote access with replaceable transport and host-unlock gating.
Surface
WebRTCprimaryWSSfallbackUSBfuture
Network remote uses WebRTC/WSS policy; USB is post-MVP.
Boundary
Noise secure channelXX / IK / XXpsk0 · host-unlock gated
Host unlock requiredpending
Outcome
Transport is replaceable
Change transport without moving trust into the provider.
Host unlockOpen Remote
Same boundary model, different jobs. Download the build, then inspect the workflow pages.
Download
Pricing and download

Basic vault path is free.Pro adds advanced workflows.

Pro is one license for advanced workflow modules. Encryption, KDF, local vault architecture, and documented limits stay in the baseline.

free · vault path
Free
$0forever

For personal use, local vaults, and first supported workflows.

Basic vault path
Included
Passwords, notes, and OTP
Local mode on supported platforms
Encrypted backup and restore
Browser extension localhost path
Basic security settings
Download

Start here if your platform has a current build below.

pro · one license
Pro entitlement
$79one-time license

For Remote Access, Credential Provider, SSH Agent, Wallet, and Emergency Access when the module is available for your platform and runtime.

Extended modules
Included
One Pro product for paid modules
Up to 3 activated Core devices per purchase
Remote, credential-provider, SSH-agent, wallet, and emergency-access moduleswhen available for your platform
Core-authoritative entitlement checks
Already have a license?

LDL means Lifetime Device License: a one-time license for Pro modules on up to three Core devices. Modules activate only when platform availability and runtime capability allow.

Core security baseline · spans both plans
Core safety is not a paid feature.

Encryption, KDF, local vault architecture, and documented limits are included in the basic vault path. Pro adds scale and convenience for advanced workflows.

EncryptionKDFArchitecture
Module availability

Module and platform availability

This landing matrix is informational. Runtime access is still decided by platform support, module availability, and Core-authoritative entitlement checks.

Module / workflowCurrent statusCommercial tier
Local vault pathAvailable where a build existsFree baseline
Browser extension localhost pathPlatform-dependentFree baseline
Remote AccessActivates when module and runtime are availablePro module
Credential ProviderActivates on supported OS integrationsPro module
SSH AgentActivates when desktop runtime supports itPro module
Crypto WalletActivates by wallet-module availabilityPro module
Emergency AccessActivates when escrow workflow is availablePro module
Download

Check which build is ready for your platform.

Builds are published as platforms become ready. Check the current platform state before installing or planning a setup.

Platform downloads

The matrix shows which platforms have a build available today.

macOS
Planned

Planned for upcoming releases.

Android
Download

Latest Android APK is published on GitHub Releases.

iOS
Planned

Planned for upcoming releases.

Windows
Planned

Planned for upcoming releases.

Linux
Planned

Planned for upcoming releases.

Availability, features, and pricing can change. Check the download matrix before starting today.
FAQ

Short answers before you start.

Start with fit, limits, and platform status. Proof pages go deeper where it matters.

Buyer questions. Inspectable model.
1.Who is ChromVoid for?

For people whose secrets face more than ordinary sync risk: security teams, privacy users, journalists, lawyers, activists, crypto operators, and anyone who needs local or phone-held boundaries.

2.Why not use a normal password manager?

Normal managers are good at convenience and sync. ChromVoid is for cases where browsers, cloud accounts, transport paths, or shared devices should not become the place where secrets live.

3.What does deniability mean here?

Decoy and hidden vaults support controlled disclosure, but the guarantees depend on device state, storage, OPSEC, and the public Threat Model.

4.What is ready today?

The basic vault path and selected platform builds are the starting point. Extended modules activate only when the module and platform runtime are available.

5.Is this overkill for daily use?

No. The basic path behaves like a local vault. Stricter boundaries are opt-in for workflows that need them.

6.Does the browser extension store passwords?

No. It talks to the local Desktop Gateway and receives temporary permissions (grants); it does not store the vault.

7.What if my storage files are copied?

Vault files are encrypted at rest, but master-password strength, key material, device state, and backups still matter.

8.What does ChromVoid not protect against?

No vault fully protects a compromised live device. ChromVoid reduces specific exposure paths; it does not replace OPSEC.

9.Are builds available now?

Some platforms have builds; others are in progress or planned. Check the availability matrix before installing.

10.What is LDL?

LDL is the Lifetime Device License for Pro modules on up to three Core devices when the module and platform runtime are available.

11.Where can I verify the security model?

Start with the public Threat Model, architecture diagrams, and GitHub repository before installing.

Platform statusThreat ModelGitHub

Download ChromVoid for your platform
after checking the threat model.

If secrets should stay useful without becoming cloud, browser, or sync-layer state, start with the download matrix and inspect the public security model before installing.

DownloadRead Threat ModelView GitHub

Core safety is not an upsell.Deniability has documented limits.Current limitations are documented publicly.