I built a zero-knowledge CLI password manager from scratch. AES-256-GCM, Argon2id, 22 secret types, MCP support.

Aarav Maloo — Thu, 19 Mar 2026 13:44:39 +0000

I know the password manager space is crowded. 1Password, Bitwarden, KeePass — all great. All built by teams, funded by someone, making decisions on a roadmap you don't control.
I built APM alone. Every line of security-critical code is hand-written by me. No AI wrote the crypto. No shortcuts.
Here's what's under the hood:
AES-256-GCM — authenticated encryption, not just confidentiality.
Argon2id — winner of the Password Hashing Competition. Memory-hard at 64MB default, up to 512MB. GPU clusters hate it.
Random salt plus three-layer key derivation — 96 bytes of key material split into Encryption, Authentication, and Validation keys.
Zero knowledge — your master password is never stored. Ever.
It supports 22 secret types: passwords, TOTP, SSH keys, API keys, Kubernetes credentials, banking info, medical IDs, legal documents, and more. Shell-scoped sessions with inactivity timeouts. A YAML-based password policy engine. A JSON-driven plugin architecture with event hooks. A full Team Edition with RBAC and isolated encryption domains. And an MCP server so your AI coding agent can query the vault — but only after you manually unlock it. The agent never holds the keys.
I used AI for naming and readability refactors only. Every security-critical path is human-written. I believe no AI should be trusted blindly with cryptographic implementation, so I didn't.
Is it perfect? No. Is the architecture sound? I think so, and I'd love for people smarter than me to tear it apart.
GitHub: https://github.com/aaravmaloo/apm
Docs: https://aaravmaloo.github.io/apm
Tell me what I got wrong.

DEV Community: Aarav Maloo

I built a zero-knowledge CLI password manager from scratch. AES-256-GCM, Argon2id, 22 secret types, MCP support.