We Built an Open-Source, Zero-Knowledge Password Manager — Here's Why (and How)

itsmeakhil — Wed, 11 Jun 2025 17:23:43 +0000

It started with a sticky note.

Literally.

One of our teammates forgot the admin password to a test server. He’d written it down, then tossed it. Oops.

It was funny at first. But also frustrating.
We’re developers. We should know better.

That moment triggered a conversation that turned into a weekend project that turned into a full product:

Zecrypt — a zero-knowledge, open-source password manager built with:

FastAPI (Python) for the backend

Next.js (React) for the frontend

MongoDB as the data store

AES-GCM for client-side encryption

And a commitment to zero-knowledge principles: even we can't access your data.

Why We Built Zecrypt
Most password managers either:

Don’t feel secure enough (because they’re not zero-knowledge), or

Feel too complex to use or trust (because they’re black boxes).

We wanted something different — something we'd actually trust with our own keys, credentials, and secrets.

So we built Zecrypt with 3 guiding principles:

Client-side encryption by default

Zero-knowledge architecture

Radical transparency through open source

What Makes Zecrypt Different
🔐 Zero-Knowledge by Design
All encryption happens in the browser or app. We never see or store your plaintext data, and we couldn’t decrypt it even if we tried.

🔓 AES-GCM Encryption
We use AES with Galois/Counter Mode (GCM), a widely respected, modern encryption standard that ensures both confidentiality and integrity.

📦 MongoDB as an Encrypted Store
Every credential, API key, and password you store is encrypted before it ever touches our database. MongoDB just holds the ciphertext.

⚡ FastAPI for Speed and Simplicity
Python was a natural fit for building a fast, lightweight, and easily auditable backend. FastAPI gives us async performance and type-safety out of the box.

🖥️ Next.js for a Smooth Frontend Experience
Users don’t care about encryption algorithms — they care about UX. We wanted to make storing and retrieving credentials feel frictionless.

🧪 Fully Open Source
Our repo has been public from day one. If you’re a dev, you can audit the code. Fork it. Contribute. Or even host your own version.

Under the Hood: How It Works
User logs in – Their password never leaves the client.

Encryption keys are derived on the client using PBKDF2 or Argon2.

Each password entry is encrypted using AES-GCM with a unique nonce.

Encrypted data is stored in MongoDB via FastAPI.

When retrieved, decryption also happens entirely on the client.

Even if someone had full access to our infrastructure — database, codebase, everything — they’d see nothing but gibberish.

No backdoors. No exceptions. Not even for us.

Welaunched Zecrypt today because we believe secure password management shouldn’t be a luxury or a mystery.

You can try it, fork it, or dig into the code here:
👉 GitHub Repo

Try it out. Break it. Improve it.

We’re just getting started — and we’d love your feedback.

What’s Next

➤ Share with friends, family, and colleagues
💻 Mac Application (Planning Offline Edition)
📱 Mobile support via Flutter
🛡️ Self-hosted version for teams and orgs

Security should be a right, not a feature.

If you're building with FastAPI, Next.js, MongoDB, or just want to help make open security tools better, come say hi. PRs welcome.

P.S. Ever stored a password in plain text in your notes app? We have too.
Let’s never do that again.
Follow us on LinkedIn

DEV Community: itsmeakhil

We Built an Open-Source, Zero-Knowledge Password Manager — Here's Why (and How)