It started with a sticky note.
Literally.
One of our teammates forgot the admin password to a test server. He’d written it down, then tossed it. Oops.
It was funny at first. But also frustrating.
We’re developers. We should know better.
That moment triggered a conversation that turned into a weekend project that turned into a full product:
Zecrypt — a zero-knowledge, open-source password manager built with:
FastAPI (Python) for the backend
Next.js (React) for the frontend
MongoDB as the data store
AES-GCM for client-side encryption
And a commitment to zero-knowledge principles: even we can't access your data.
Why We Built Zecrypt
Most password managers either:
Don’t feel secure enough (because they’re not zero-knowledge), or
Feel too complex to use or trust (because they’re black boxes).
We wanted something different — something we'd actually trust with our own keys, credentials, and secrets.
So we built Zecrypt with 3 guiding principles:
Client-side encryption by default
Zero-knowledge architecture
Radical transparency through open source
What Makes Zecrypt Different
🔐 Zero-Knowledge by Design
All encryption happens in the browser or app. We never see or store your plaintext data, and we couldn’t decrypt it even if we tried.
🔓 AES-GCM Encryption
We use AES with Galois/Counter Mode (GCM), a widely respected, modern encryption standard that ensures both confidentiality and integrity.
📦 MongoDB as an Encrypted Store
Every credential, API key, and password you store is encrypted before it ever touches our database. MongoDB just holds the ciphertext.
⚡ FastAPI for Speed and Simplicity
Python was a natural fit for building a fast, lightweight, and easily auditable backend. FastAPI gives us async performance and type-safety out of the box.
🖥️ Next.js for a Smooth Frontend Experience
Users don’t care about encryption algorithms — they care about UX. We wanted to make storing and retrieving credentials feel frictionless.
🧪 Fully Open Source
Our repo has been public from day one. If you’re a dev, you can audit the code. Fork it. Contribute. Or even host your own version.
Under the Hood: How It Works
User logs in – their password never leaves the client.
Encryption keys are derived on the client using PBKDF2 or Argon2.
Each password entry is encrypted using AES-GCM with a unique nonce.
Encrypted data is stored in MongoDB via FastAPI.
When retrieved, decryption also happens entirely on the client.
Even if someone had full access to our infrastructure — database, codebase, everything — they’d see nothing but gibberish.
No backdoors. No exceptions. Not even for us.
We launched Zecrypt today because we believe secure password management shouldn’t be a luxury or a mystery.
You can try it, fork it, or dig into the code here:
👉 GitHub Repo
Try it out. Break it. Improve it.
We’re just getting started — and we’d love your feedback.
What’s Next
➤ Share with friends, family, and colleagues
💻 Mac application (an offline edition is planned)
📱 Mobile support via Flutter
🛡️ Self-hosted version for teams and orgs
Security should be a right, not a feature.
If you're building with FastAPI, Next.js, MongoDB, or just want to help make open security tools better, come say hi. PRs welcome.
P.S. Ever stored a password in plain text in your notes app? We have too.
Let’s never do that again.
Follow us on LinkedIn