SecurePass — A Fully Offline, Open-Source, Zero-Knowledge Password Manager

SecurePass is a robust, local-first password management solution built on a Zero-Knowledge architecture. It prioritizes absolute privacy by ensuring that sensitive data never leaves the user's device, eliminating cloud-based vulnerabilities.

Core Functionality

The application uses AES-256-GCM encryption combined with PBKDF2 key derivation. When a user enters their master password, the system generates a local encryption key to unlock a vault stored in an encrypted SQLite database or JSON file. Because the master password is never stored, only the user holds the "key" to their data.

Key Technical Features

  • Air-Gapped Security: Operates 100% offline with no internet permissions, preventing data exfiltration.

  • Modern Desktop Stack: Built using React and Electron, providing a cross-platform GUI (Windows, macOS, Linux) with a focus on UX (Dark Mode, Auto-lock).

  • Secure Utilities: Includes a built-in password generator, clipboard auto-clearing, and categorized storage.

  • Offline Sync: A unique QR-code-based transfer system allows users to move their encrypted vault between devices without needing a network connection.

Description

SecurePass is a privacy-centric, desktop-based password management solution designed to eliminate the risks associated with cloud-based storage and third-party data breaches. It operates on a Local-First, Zero-Knowledge architecture, ensuring that the user remains the sole owner of their cryptographic keys and sensitive data.

1. Core Philosophy: The "Air-Gap" Mentality

Unlike mainstream managers (like LastPass or Bitwarden) that sync encrypted blobs to a central server, SecurePass is built to work in a completely offline environment.

  • Zero Trust: The application assumes the internet is a hostile medium and does not require internet permissions to function.

  • No Cloud Latency: Performance is instantaneous because data retrieval happens directly from local disk (SQLite or JSON).


2. Cryptographic Architecture

The security of SecurePass is built on a multi-layered encryption stack:

  • Key Derivation (PBKDF2): When you enter your master password, it isn't "checked" against a stored version. Instead, it is passed through PBKDF2 (Password-Based Key Derivation Function 2) with a high iteration count. This transforms your password into a 256-bit encryption key.

  • Encryption Standard (AES-256-GCM): Data is encrypted using Advanced Encryption Standard (AES) with a 256-bit key in Galois/Counter Mode (GCM).

    • Why GCM? It provides both confidentiality and authenticity, meaning the app can detect if the encrypted file has been tampered with or corrupted before attempting to decrypt it.

  • Memory Security: Sensitive data (like the master password) is cleared from RAM as soon as the session is locked or the app is closed, preventing "memory scraping" attacks.


3. Technical Stack & Structure

The project uses a hybrid stack to balance a modern user interface with high-performance local logic:

  • Frontend (React + Electron): Provides a cross-platform desktop experience. Electron allows the app to feel native on Windows, Linux, and macOS while utilizing the flexibility of React for a "Dark Mode" friendly, responsive UI.

  • Backend (Node.js/FastAPI): Handles the "heavy lifting"—managing the local database connections and executing the cryptographic functions.

  • Storage Layer: Uses Encrypted SQLite. Every row in the database is an encrypted blob, meaning that even if someone steals the vault.db file, they see nothing but randomized characters.


4. Advanced Utility Features

  • QR-Based Offline Sync: To solve the problem of moving passwords to a new phone or laptop without the cloud, SecurePass generates a temporary, encrypted QR code. The second device scans it to transfer the vault over a local, peer-to-peer connection.

  • Clipboard Sanitation: Automatically clears the system clipboard 30 seconds after you copy a password, preventing other apps from "sniffing" your secrets.

  • Dynamic Generator: A cryptographically secure random number generator (CSPRNG) that creates passwords based on specific entropy requirements (length, symbols, casing).
