Local-first password manager & private vault space

Keep secrets insidea boundary you control.

ChromVoid keeps the interface outside and your passwords, files, OTP codes, notes, and separate vaults inside a private local boundary. Create as many vaults as your workflow needs.

DownloadRead threat model
Local-first
Zero-cache
Vault stays local
Public threat model
macOS · Windows · LinuxAudited · Open-source core
chromvoid · workspace
[OUTSIDE]
INTERFACE
Workspace
Recent
Shared surface
Settings
About
DEVICE
macbook-local
offline-capable · sealed
OUTSIDE · interface only
INSIDE · sealed locally
stop · verify
[BOUNDARY]
unlock gate
device key
+ biometric
[INSIDE· vault space]
sensitive data stays inside
Passwords
312
sealed
Files
1.4 GB
sealed
OTP
24
sealed
Notes
58
sealed
SSH Keys
17
sealed
Wallets
6
sealed
Bank Cards
9
sealed
more vaults
no outbound traffic · 0 packets · session local
[TRUST STRIP]

Verified boundary signals

01
Public threat model

Architecture, limits, and attack assumptions are documented.

documented
02
Local or phone-held secrets

Choose Local mode or Mobile host.

source of truth
03
Zero-cache browser path

The extension talks to localhost instead of becoming a browser vault.

localhost only
04
One encrypted transport contract

USB, WebRTC, and WSS follow the same encrypted stance.

channel-untrusted
05
Honest limits

Deniability depends on device state, storage medium, and OPSEC.

bounded claim
Credibility through documented architecture, explicit boundaries, and honest limits.
Problem

Why This Exists

Modern digital convenience makes sensitive data easy to access — and easy to expose.

Most tools optimize for sync, speed, and convenience. Sensitive data then spreads across cloud services, app memory, previews, autofill, and system surfaces.

One flat trust zone

Passwords, notes, files, and codes often live inside the same exposed app surface.

Too many traces

Data can leak into previews, clipboard history, temp storage, autofill, and sync layers.

Convenience over isolation

Most systems are optimized to open quickly — not to contain risk precisely.

No meaningful separation

Sensitive data is rarely split into separate vault spaces with different exposure levels.

01
Stored everywhere

Sensitive data spreads beyond the place you think it lives.

02
Trusted too broadly

Apps, sync layers, previews, and autofill expand the exposure surface.

03
Hard to separate risk

Most tools do not let you create real internal boundaries between different secrets.

What you get

One vault surface for daily
secrets and high-risk workflows.

Start with the familiar work: passwords, OTP, notes, and files. Then add stronger boundaries where they matter — phone-held secrets, decoy vaults, localhost-only browser access, and workflow-specific approvals.

chromvoid/vault
vault unlocked
Passwords & OTP
GGitHubdev@chromvoid.com•••••••••
PProton Maildev@chromvoid.com•••••••••
BBank Accountuser@bank.com••••••
TOTP code
137 839
Notes
Server root access procedure
  1. Connect via SSH
  2. Verify host key
  3. Elevate with sudo
  4. Check system status
#ops
Files
PDF
report.pdf
JPG
diagram.png
ZIP
backup.zip
TXT
keys.txt
CSV
credentials.csv
+
Upload
Browser Access
Connected to
localhost:57228
Short-lived grant active02:45
Higher-Risk Modes

Stronger boundaries when your threat model demands them.

Decoy Vault

Plausible vault for regular accounts and low-risk data.

Hidden Vault

Different passwords unlock different secret surfaces.

Passwords and OTP

Store logins and one-time codes without cloud vault storage in the middle.

Notes and files

Keep sensitive documents in an encrypted vault instead of loose files.

Browser access

Fill or copy secrets through a localhost extension that does not store a vault.

Higher-risk modes

Use mobile host, decoy vaults, and approval flows when your threat model needs more.

How it works

One flow, from source of truth
to temporary access.

Pick where the vault lives. Surfaces connect to it as clients. Access is handed out in short-lived grants — never copied, never permanent.

01Source of truth
Local devicemacOS · Windows · Linux
local
Mobile hostphone holds the vault
active
Choose where secrets live
Local device or your phone as source of truth.
02Connected surfaces
Vaultsealed
Browser
Desktop
CLI · SSH
Wallet tool
Extension
Connect your surfaces
Browser and tools act as clients, not storage.
03Ephemeral access
github.comfill · read02:45
ssh prod-edge-3session00:58
wallet.toolsign once00:12
Use short-lived access
Grants expire, can be revoked, and leave no residue.
Under the surface
Same Rust core runs across desktop and mobile.
Separate vaults are separate disclosure boundaries.
Browser extension talks to 127.0.0.1 only — it never stores a vault.
Important
ChromVoid does not send your vault to a cloud sync service. Secrets stay with the selected source of truth.
Check alpha availabilityView architecture
Plausible deniability

What is visible is controlled.
What is hidden should not advertise itself.

Deniability is about what cannot be proven, not about hiding everything. ChromVoid supports a decoy-vault and hidden-vault model, with limits documented publicly.

ChromVoidvault
Decoy vault
Accessible with everyday credentials. Plausible and practical.
Personal Email
you@example.com
• • • • • •
Banking
checking account
• • • • • •
Notes
meeting agenda
• • • • • •
Receipts.pdf
12 KB · Apr 20
Tax.docx
24 KB · Mar 18
Hidden vaults
Deeper surfaces. No explicit indicators.
Research Notes
Encrypted note
• • • • • •
Project Atlas
Secure folder
Keys & Codes
One-time codes
• • • • • •
Medical Records
Private documents
Archive.bin
Encrypted file
• • • • • •
Decoy vault
A plausible vault can exist for regular accounts and low-risk data.
Hidden vaults
Different passwords can unlock different secret surfaces without exposing a simple vault count.
Less talkative metadata
Storage avoids obvious markers that prove what else exists.
Honest limitations
If the device is compromised while unlocked, no vault can promise safety.
Deniability is not a universal promise. It is a tool for specific threat models, and its limits are part of the product documentation.
Read deniability limits
Architecture proof

One Core, explicit boundaries, encrypted transport.

ChromVoid separates UX surfaces from the place where secrets and policy live. The browser is a shell, desktop can be a thin client, and transport channels are treated as untrusted by default.

The browser is a UI.Not a storage layer.
Untrusted Surface
UI only
Local Boundary
your device
Shared Core
domain authority
Source of Truth
your choice
Untrusted Transport
encrypted, not trusted
Browser Extension
UI shell · no secrets stored
→ 127.0.0.1 only
Desktop App
Thin client
Workflow Tools
CLI · SSH · wallet · autofill
Desktop Gateway
Explicit boundary
Pairing & sessions
Capability grants
Policy enforcement
Audit · runtime grants
ChromVoid Rust Core
Single codebase. Same Core on desktop and mobile. Secrets, policy, and crypto live here.
Cryptography
Primitives & protocols
Storage
Vaults · indexes · metadata
RPC Contracts
Typed transports
Domain Policy
Vault invariants
Core Services
Key managementKDFSecure memoryZeroize
OR
Mobile Host
Source of truth on your phone
Phone holds the vault. Desktop requests access, never the storage layer.
Same Rust Core
Local Vault
Source of truth on this device
Encrypted at rest. Core applies domain rules and crypto, not UI surfaces.
Same Rust Core
Encrypted channels
Noise over network
WebRTC
primary
WSS Relay
fallback
USB
post-MVP
Channel is not trusted. Transport delivers ciphertext. Trust lives in Core, not the wire.
Remote unlock gate
transport_ready · host_locked
host unlock confirmed
remote_dashboard_open
Shared Rust Core
Crypto, storage, RPC contracts, and vault rules use one Core across desktop and mobile.
single-codebasedomain-authority
Mobile host
Phone can hold the source of truth while desktop stays a thin client behind host unlock.
unlock-gatethin-client
Noise over transport
WebRTC is primary, WSS fallback, USB post-MVP. Channels carry ciphertext.
webrtc → wssusb · post-mvp
Localhost browser boundary
The extension reaches Desktop Gateway on 127.0.0.1, never a cloud vault.
127.0.0.1no-cloud-sync
Cryptographic primitivesConcrete · auditable · narrow scope
Storage / vault
ChaCha20-Poly1305Argon2idBLAKE3
Transport secure channel
Noise XX / IK / XXpsk0X25519ChaChaPolyBLAKE2s
Open source. Public threat model. Inspectable end to end.
Inspect architectureView GitHubRead threat model
Workflow pages

Use the same vault boundary across daily and high-risk work.

Each workflow keeps the same stance: a surface performs work, a boundary limits what it can learn, and the outcome stays useful — without moving trust into the outer tool.

SurfaceWhere work happens
->
BoundaryWhat limits exposure
->
OutcomeUseful work without moving trust
Shared vault boundary
01
Mounted Vault
Vault files as an explicit volume — work, then unmount.
Surface
~/Documents
vault.cv
OS files stay explicit.
Boundary
User-initiated mount
Encrypted until mounted.
Outcome
Unmount -> re-locked
Work, then storage locks again.
Local · short-livedOpen Mounted Vault
02
Browser Extension
Autofill without turning the browser into a vault.
Surface
app.example.com/login
user...
passfilled
Browser sees a fill, not a vault.
Boundary
127.0.0.1 only
Gateway is local, not cloud storage.
Outcome
0:42grant
Short-lived fill; no durable browser state.
Short-livedOpen Browser Extension
03
Credential Provider
Native OS autofill, no cloud backplane.
Surface
Sign in to app
usera.kor
pass********
Native OS prompt, not in-page UI.
Boundary
Vault available
OS extension reads local vault grants.
Outcome
Native flow · no cloud
Autofill works without cloud backplane.
LocalOpen Credential Provider
04
SSH Agent
Per-request signing — no loose private key files.
Surface
~/proj
$ssh prod-01
requesting signature...
SSH asks for a signature; no key file.
Boundary
First-sign approvalid_ed25519
Local agent approves each connection.
Outcome
Signed in vault
Private keys never become loose files.
ApprovalOpen SSH Agent
05
Crypto Wallet
Transaction approval inside the vault boundary.
Surface
Transactionpreview
to0x7a...b2c4
amount0.42 ETH
gas21k
Review the exact transaction.
Boundary
Local review
Approval happens inside the vault.
Outcome
Approve transaction
Sign only the intended action.
ApprovalOpen Crypto Wallet
06
Emergency Access
Delayed release for trusted recipients.
Surface
M
Maria K.
recipient
Pick recipient and release policy.
Boundary
72h delay
Delay and policy must clear.
Outcome
Visible recovery
Recovery is not a hidden backdoor.
Time-boundOpen Emergency Access
07
Remote
Network remote first; transport stays replaceable, host-unlock gates access.
Surface
WebRTCprimaryWSSfallbackUSBfuture
Network remote uses WebRTC/WSS policy; USB is post-MVP.
Boundary
Noise secure channelXX / IK / XXpsk0 · host-unlock gated
Host unlock requiredpending
Outcome
Transport is replaceable
Change transport without moving trust into the provider.
Host unlockOpen Remote
Same boundary, different surfaces. One stance across seven workflows.
Check alpha availability
Pricing and alpha

You do not pay for encryption.You pay for scale and convenience.

The basic vault path is free. Pro is for extended modes when those workflows are ready. Core security mechanisms are not sold as an upgrade.

free · vault path
Free
$0forever

For personal use, local vaults, and the first alpha workflows.

Basic vault path
Included
Passwords, notes, and OTP
Local mode on supported platforms
Encrypted backup and restore
Browser extension localhost path
Basic security settings
Check alpha availability

Check the availability matrix below for current platform status.

pro · ldl
Pro entitlement
LDLlifetime device license

For extended modes and higher-scale workflows. Modules activate as rollout allows.

Extended modules
Included
One Pro product for paid modules
Up to 3 activated Core devices per purchase
Remote, credential-provider, SSH-agent, wallet, and emergency-access moduleswhen rollout allows
Core-authoritative entitlement checks
Already have a license?

Extended modules activate when rollout and runtime capability allow.

Core security baseline · spans both plans
Security is not a paid feature.

Encryption, KDF, and the basic security architecture are included in the basic vault path. You pay for scale and convenience.

EncryptionKDFArchitecture
Alpha availability

Check which build is ready for your platform.

Builds are published as platforms become ready. The matrix below shows current alpha status — check it before planning a deployment.

Alpha · platform availability

The current matrix shows which platforms have alpha builds today. Check before planning a deployment.

macOS
Alpha

Builds available for testing.

Android
In progress

Alpha in active development.

iOS
Planned

Planned for upcoming alpha releases.

Linux
Early access

Early access builds coming soon.

Availability, features, and pricing can change. The matrix above is the source of truth.
FAQ

Short answers before you install.

Short answers here. Full proof pages where it matters.

Short answers. Inspectable model.
1.What is ChromVoid?

ChromVoid is a local-first secret vault for passwords, OTP, notes, files, and security workflows. It reduces cloud trust and supports stronger boundaries when needed.

2.How is it different from a normal password manager?

Trust lives in a local or phone-held source of truth. Cloud accounts, browser profiles, and transport paths are treated as clients or surfaces.

3.What does deniability mean here?

A decoy vault can exist beside hidden vaults. The exact guarantees depend on the public threat model.

4.Can I use it without extra hardware?

Yes. The basic vault path works on one device. Hardware tokens are optional stricter boundary tools.

5.Is this overkill for normal users?

No. Basic mode behaves like a calm local vault; stricter modes only activate when configured.

6.Does the browser extension store passwords?

No. It talks to the local Desktop Gateway and receives short-lived grants.

7.What if my storage files are copied?

Vault files are encrypted at rest. Master-password strength and key material still matter.

8.What if my device is compromised while open?

No vault fully protects a compromised live device. ChromVoid reduces specific risks; it does not replace OPSEC.

9.Are alpha builds available now?

Some platforms have alpha builds; others are in progress or planned. Check the availability matrix on the home page.

10.What is LDL?

LDL is the Lifetime Device License for Pro modules on up to three Core devices when rollout allows.

11.Where can I verify the security model?

Start with the public Threat Model, architecture diagrams, and GitHub repository.

Platform statusThreat ModelGitHub

Check whether ChromVoid alpha
is ready for your platform.

If your secrets should stay out of hosted vault storage, start with the current alpha status and inspect the public security model before installing.

Check alpha availabilityRead Threat ModelView GitHub

No basic-security upsell.Deniability depends on the threat model.Current limitations are documented publicly.