No master password — anywhere
Other managers add passkeys as a login shortcut on top of a master-password-derived key. Pass014 derives the encryption key from the passkey's PRF output itself. No password exists to bypass, on the server or on disk.
Most password managers let you sign in with a passkey but still hold a master-password-derived key that can decrypt your vault. Pass014 doesn't have one. The encryption key is derived directly from your security key or Face ID — no fallback exists, anywhere.
Open source · Self-hosted · Desktop (macOS · Linux · Windows), iOS & Firefox
Two ways to run it: connect to a backend you host, or keep the whole vault on one device with no server at all. Either way the passkey is the key.
Other managers add passkeys as a login shortcut on top of a master-password-derived key. Pass014 derives the encryption key from the passkey's PRF output itself. No password exists to bypass, on the server or on disk.
Register a device-bound Secure Enclave key — Touch ID or Face ID that never leaves the machine and never syncs to iCloud Keychain. Flip on hardware-only mode and the server refuses syncable passkeys outright, so your vault's root key can't leak through someone else's cloud account.
Entries are AEAD-sealed under a per-vault key, which is wrapped under your account key, which is derived from a per-passkey PRF. The backend stores ciphertext + envelopes. Compromise the server and you have a brick.
Local-only mode keeps the whole vault on one device — no backend, no network, no account anywhere else. On iPhone it's "Set up on this iPhone", unlocked by Face ID; on desktop, a security key or Touch ID. The authenticator is the passkey. Add a recovery security key later — until you do, there's no recovery if you lose the device.
Single Go binary plus nginx. Default storage is SQLite — no external services, no third-party telemetry, no upstream account. Backup is a GPG-encrypted file you keep wherever you want.
Add a new phone or laptop by scanning a one-shot QR code on your already-signed-in machine. Both sides display an 8-hex code; you compare on screen, the owner taps Approve. No password roams. Reconnect a fresh machine to an existing account with your username and a registered key — no invite needed.
Vaults can be shared by name to other Pass014 users. The vault key is sealed for the recipient via X25519 — your machine never hands it to the server, and the server can't forward it.
iOS credential-provider extension fills logins in Safari and any app that publishes its associated domain — from a local AEAD-sealed snapshot, no network needed once the vault is unlocked. The Firefox extension handles desktop-browser login + fill.
Logins, cards, notes, SSH keys, Wi-Fi, and a dozen more entry kinds — plus built-in TOTP two-factor codes and a strong password generator. Show a Wi-Fi network or a stored barcode as a scannable code on screen.
Deleting an entry moves it to a Trash you can restore from or empty. Every edit is kept as per-entry version history — reveal an old value or roll the entry back.
Sort and search entries across every unlocked account, rename vaults and devices, and choose how dates display. Sign in with a security key on macOS, Linux, and Windows (no admin rights), or with Touch ID / Face ID.
You tap a security key or Face ID. The authenticator returns an assertion plus a PRF output — a 32-byte secret derived from the passkey and a per-account salt.
PRF output (or a Secure Enclave ECDH) → HKDF → device key. Server hands over your account-key envelope (AEAD-sealed under the device key). Decrypted locally. The server never sees the plaintext key.
Each vault's encryption key is wrapped under either your account key (private) or sealed for you over X25519 (shared). Both unwrap on-device; entries decrypt one at a time on reveal.
One static Go binary, nginx as TLS terminator, SQLite by default. Small enough to run on a $5 VPS.
# build + install the binary + systemd unit + admin token
curl -L https://github.com/berrabou/pass014/archive/main.tar.gz \
| tar -xz
cd pass014-main
sudo deploy/install.sh
# then: edit /etc/pass014/config.env, drop in deploy/nginx.conf.example
# template (Let's Encrypt covered in deploy/README §6),
# `systemctl start pass014.service`, and you're up.
Full six-step walk-through in deploy/README.md — config, systemd, nginx, TLS. Single-user, multi-user, family — same setup either way.
docs/security-model.md for the full breakdown.
Pass014 is open-source under the AGPL-3.0 license. Backend (Go), desktop app (Tauri + React), iOS app (SwiftUI + Rust via UniFFI), and Firefox extension all live in one workspace.