<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Cosmin Gheorghita</title>
    <description>The latest articles on DEV Community by Cosmin Gheorghita (@degecko).</description>
    <link>https://dev.to/degecko</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3579506%2F276117d9-9679-4a9c-9776-3c032ad6d025.png</url>
      <title>DEV Community: Cosmin Gheorghita</title>
      <link>https://dev.to/degecko</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/degecko"/>
    <language>en</language>
    <item>
      <title>Building a zero-knowledge secrets manager with zero crypto knowledge</title>
      <dc:creator>Cosmin Gheorghita</dc:creator>
      <pubDate>Fri, 24 Oct 2025 09:47:15 +0000</pubDate>
      <link>https://dev.to/degecko/building-a-zero-knowledge-secrets-manager-with-zero-crypto-knowledge-3kne</link>
      <guid>https://dev.to/degecko/building-a-zero-knowledge-secrets-manager-with-zero-crypto-knowledge-3kne</guid>
      <description>&lt;p&gt;&lt;em&gt;Way, way back&lt;/em&gt; on 5 Sep 2025, less than two months ago, I decided that I wanted to work on a side project. So I started looking for ideas of things I could build.&lt;/p&gt;

&lt;p&gt;Three days later, after navigating an ocean of new AI apps to see if I could get inspired, and getting frustrated with not finding anything, I was beginning to lose hope a little. I'm about to be a father for the first time in a few months (writing it down just gave me chills), and I keep imagining a scenario in which my daughter asks me something I can't explain and then turns to ChatGPT and &lt;em&gt;it&lt;/em&gt; can explain it perfectly, and what she'll think of me when that happens repeatedly. I wonder what I would say to her if she asked me why I didn't know that.&lt;/p&gt;

&lt;p&gt;Somehow that actually inspired me to use ChatGPT myself even more, maybe on some level I hope to make it make me learn how to beat it. So I started feeding ChatGPT my skillset and spamming it with '&lt;strong&gt;another list&lt;/strong&gt; [of stuff I could build].' And then, I reached an idea that would both solve my own need and, at the same time, be good enough not to lose interest while building it: a passwords/secrets manager that allows sharing between team members.&lt;/p&gt;

&lt;p&gt;I've actually looked through my team's discussions across multiple chat apps, and the number of times I've asked people for passwords and SSH access keys is nothing to ignore. I actually remember thinking multiple times 'we need a better way for this.'&lt;/p&gt;

&lt;p&gt;ChatGPT informed me that most people have a spreadsheet of passwords that they share with the team. That sounds extremely insecure and brittle. To share some of the passwords you have to create separate files and copy/paste stuff around. That quickly turns into sharing stuff with people that don't need that kind of access. Not to mention that it's a pain to create those files in the first place, so people turn to asking every time for them, which is what we are also doing in my team.&lt;/p&gt;

&lt;p&gt;I've been a full stack web developer and designer for over 15 years, but cryptography, which was a skill I needed for this idea, was not part of my skillset. I do enjoy a challenge though, so I decided that I would make ChatGPT teach me the bare bones of it and see if I can grasp it quick enough to build something.&lt;/p&gt;

&lt;p&gt;Turns out ChatGPT is a great teacher, even to students that want to learn something they know almost nothing about. A great tip I've discovered is that you can ask it to re-explain something using your own understanding. For example, I've asked it at first to explain how such an app would work, and it quickly filled the screen with cryptography jargon which made me feel inadequate for such a challenge.&lt;/p&gt;

&lt;p&gt;A stroke of luck made me remind it that I'm just a web developer, I don't really understand all that, and... it worked. The very next answer was the same stuff re-explained using my own terms. That is to say, it actually applied my knowledge of PHP and JavaScript and rewrote every bit of jargon using PHP and JS key words. Might seem weird to some, but it worked like a charm for me.&lt;/p&gt;

&lt;p&gt;I had a pretty basic idea before of how password managers derive access keys from one's password at login and encrypt/decrypt everything on device, forming a 'no knowledge' system. By no knowledge I mean that the service itself would not be able to decrypt the stored secrets even if they wanted to. I've quickly found out there's actually a term for that: a zero-knowledge system.&lt;/p&gt;

&lt;p&gt;Fast forward to when I'm writing this post, it's 23 Oct (yes, still 2025, future reader interested in a future billionaire's success story,) and I'm ready to talk about &lt;a href="https://www.assetspan.com" rel="noopener noreferrer"&gt;Assetspan.com&lt;/a&gt;. Look, do I hope to become rich from this? Yes. But that's not to say that this is not useful.&lt;/p&gt;

&lt;p&gt;I know that adding a link to this post turns it instantly into an advertorial, but how else do I demonstrate what I'm saying if I don't give you the opportunity to mess with it? You're not forced to sign up; that's why I've stuck the asset creation form right there on the home page. Take a look and criticise it. That's all I hope for.&lt;/p&gt;

&lt;p&gt;Actually, I'll even give you a pro tip to abuse the business plan which relies on creating multiple assets. You can create a single asset and use as many credential fields as possible. So why not add as many user/pass combos as possible onto a single asset?!&lt;/p&gt;

&lt;p&gt;Kidding aside, there are probably other apps for storing and sharing secrets which I couldn't find during my research, and, as always happens, I'll find out about them only after I've decided to build one myself and spent a bunch of time on it.&lt;/p&gt;

&lt;p&gt;Anyway, if this is something you are or were interested in, then I hope my attention to detail, the design, the ease of use, the fast loading times, or maybe the fact that it features both light and dark themes, could win you over to at least trying the app before dismissing it.&lt;/p&gt;

&lt;p&gt;Nonetheless, here's one final tip for making ChatGPT work better: tell it a lot about yourself as a professional person. I mean your skillset, your likes and dislikes in terms of coding/working/writing/thinking. Oh, and make sure you correct it when it's wrong; don't just assume it can't do better. You'd be surprised how quickly it corrects itself and starts to actually perform better for you.&lt;/p&gt;

&lt;p&gt;And, I guess, my reply to my daughter would be that I'm just a fool — not a tool — and that's why I don't know most stuff, unlike ChatGPT.&lt;/p&gt;

</description>
      <category>motivation</category>
      <category>security</category>
      <category>sideprojects</category>
    </item>
    <item>
      <title>Learning Cryptography with ChatGPT: Building Assetspan, a Zero-Knowledge Secrets Manager</title>
      <dc:creator>Cosmin Gheorghita</dc:creator>
      <pubDate>Thu, 23 Oct 2025 14:38:49 +0000</pubDate>
      <link>https://dev.to/degecko/learning-cryptography-with-chatgpt-building-assetspan-a-zero-knowledge-secrets-manager-23gn</link>
      <guid>https://dev.to/degecko/learning-cryptography-with-chatgpt-building-assetspan-a-zero-knowledge-secrets-manager-23gn</guid>
      <description>&lt;p&gt;On September 5th, 2025, I decided to build a side project.&lt;/p&gt;

&lt;p&gt;Three days later, I was surrounded by dozens of AI startup ideas, none of them good enough to make me want to open my editor. At the same time, I kept thinking about becoming a father soon — and the thought hit me:&lt;/p&gt;

&lt;p&gt;What if one day my daughter asks me something I can’t explain, then asks ChatGPT — and it answers better than me?&lt;/p&gt;

&lt;p&gt;Instead of sulking about it, I did the only reasonable thing: I made ChatGPT teach me things I didn’t know — starting with cryptography.&lt;/p&gt;

&lt;p&gt;That’s how Assetspan was born: a zero-knowledge secret manager for teams — built by someone who knew very little about cryptography two months ago.&lt;/p&gt;

&lt;h2&gt;
  
  
  Teaching ChatGPT to Teach Me
&lt;/h2&gt;

&lt;p&gt;At first, I did what everyone does:&lt;br&gt;
“Explain how a zero-knowledge password manager works.”&lt;/p&gt;

&lt;p&gt;It threw every crypto term it could find: KDFs, salting, nonce generation, symmetric key wrapping, HMAC authentication…&lt;/p&gt;

&lt;p&gt;I was about to give up — until I told it this:&lt;/p&gt;

&lt;p&gt;“Explain it like I’m a full-stack PHP + JS developer who knows nothing about cryptography.”&lt;/p&gt;

&lt;p&gt;That changed everything. It started using analogies with Laravel’s Hash::make(); suddenly everything was a PHP variable, and so on.&lt;/p&gt;

&lt;p&gt;Lesson learned:&lt;br&gt;
If you want ChatGPT to be useful, first teach it who you are.&lt;/p&gt;

&lt;h2&gt;
  
  
  Zero-Knowledge in Developer Terms
&lt;/h2&gt;

&lt;p&gt;A zero-knowledge secrets manager means:&lt;br&gt;
    • The server stores encrypted data only.&lt;br&gt;
    • The encryption key is never sent to the server.&lt;br&gt;
    • Even if someone steals the database — they get nothing useful.&lt;br&gt;
    • Even I, as the creator, can’t decrypt your data.&lt;/p&gt;

&lt;p&gt;To do this, I needed 3 core ideas:&lt;br&gt;
    1.  Master Password → Master Key&lt;br&gt;
    2.  Every asset (password entry, SSH key, license, etc.) gets its own encryption key&lt;br&gt;
    3.  Shared secrets don’t leak keys to the server or other users&lt;/p&gt;

&lt;p&gt;Key Hierarchy (The Heart of The System)&lt;/p&gt;

&lt;p&gt;User Password (not stored anywhere)&lt;br&gt;
       ↓&lt;br&gt;
Argon2id → Master Key (UserKey)&lt;br&gt;
       ↓&lt;br&gt;
Encrypts → KEK (Key Encryption Key)&lt;br&gt;
       ↓&lt;br&gt;
KEK encrypts → AEAKs (per-asset keys)&lt;br&gt;
       ↓&lt;br&gt;
AEAK encrypts → Secrets (passwords, SSH keys, API tokens)&lt;/p&gt;

&lt;h2&gt;
  
  
  Deriving the Master Key (JS example)
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt; &lt;span class="nf"&gt;deriveMasterKey&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;password&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;string&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;UserKeys&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;salt&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;b64dec&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;salt&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;nonce&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;b64dec&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;private_blob&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;nonce&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;ciphertext&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;b64dec&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;private_blob&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="c1"&gt;// Derive KEK with Argon2id&lt;/span&gt;
    &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;KEK&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;crypto_pwhash&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
        &lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;key_size&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;from_string&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;password&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
        &lt;span class="nx"&gt;salt&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ops&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="nx"&gt;params&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;mem&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="mi"&gt;1024&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;crypto_pwhash_ALG_ARGON2ID13&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="c1"&gt;// Decrypt private key&lt;/span&gt;
    &lt;span class="k"&gt;this&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;privKey&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;crypto_secretbox_open_easy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
        &lt;span class="nx"&gt;ciphertext&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;nonce&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;KEK&lt;/span&gt;
    &lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;memzero&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;KEK&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="p"&gt;},&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;• The salt is generated at user registration and stored in the DB.
• The password is never stored in plain text.
• This master key never leaves the browser.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h2&gt;
  
  
  Encrypting a Secret (Client-side, before sending to server)
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="k"&gt;async&lt;/span&gt; &lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nf"&gt;encryptSecret&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;secret&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;assetKey&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ready&lt;/span&gt;

  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;nonce&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;randombytes_buf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;crypto_secretbox_NONCEBYTES&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;ciphertext&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;crypto_secretbox_easy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="nx"&gt;secret&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;nonce&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;assetKey&lt;/span&gt;
  &lt;span class="p"&gt;)&lt;/span&gt;

  &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="na"&gt;ciphertext&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;to_base64&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ciphertext&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
    &lt;span class="na"&gt;nonce&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;sodium&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;to_base64&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;nonce&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The server only sees { ciphertext, nonce }. No key. No plaintext.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sharing a Secret Securely
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1.  User A encrypts the asset key (AEAK) with User B’s public key.
2.  User A sends the encrypted AEAK to the server.
3.  User B decrypts it locally using their master key.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;No plaintext secret or key is ever shared with the server.&lt;/p&gt;

&lt;h2&gt;
  
  
  So… What Is Assetspan?
&lt;/h2&gt;

&lt;p&gt;It’s now live at &lt;a href="https://www.assetspan.com/" rel="noopener noreferrer"&gt;Assetspan.com&lt;/a&gt; — a zero-knowledge secret &amp;amp; credential manager designed for teams.&lt;/p&gt;

&lt;p&gt;You don’t even need to register to try it — the “Create Asset” form is right on the homepage. No email wall.&lt;/p&gt;

&lt;h3&gt;
  
  
  Final Thought — For My Daughter
&lt;/h3&gt;

&lt;p&gt;If someday she asks me something I don’t know, and ChatGPT replies perfectly instead of me, I think I’ll tell her this:&lt;/p&gt;

&lt;p&gt;“I don’t know everything. I’m just a fool — not a tool. But I built one so we can both learn.”&lt;/p&gt;

</description>
      <category>sideprojects</category>
      <category>learning</category>
      <category>security</category>
      <category>chatgpt</category>
    </item>
  </channel>
</rss>
