CryptHub is an open-source password manager that runs entirely in your browser.
Your vault is stored as an encrypted .crypthub file on your filesystem —
not inside the browser, not on any server.
All cryptographic operations run locally via the browser's native Web Crypto API.
There are no accounts, no emails, no subscriptions, and no telemetry of any kind. The only way to access a vault is the master password used to create it.
| License | MIT |
| Encryption | AES-256-GCM |
| Key derivation | PBKDF2, 310,000 iterations, SHA-256 |
| Vault storage | Local filesystem — File System Access API |
| Session key | In-memory only, cleared on lock or tab close |
| Cloud storage | None |
| Telemetry | None |
| Third-party scripts | None (Google Fonts for typography only) |
| External audit | None — source is open for review |
The master password is never stored. On unlock, it is passed through PBKDF2 (310,000 iterations, SHA-256, 32-byte random salt) to derive a 256-bit AES-GCM key. This key exists only in memory for the duration of the session. Locking the vault or closing the tab clears it immediately.
Every save operation encrypts the full vault payload with AES-256-GCM using a fresh random 12-byte IV. The GCM authentication tag is stored in the file header. Any modification to the vault file — even a single byte — causes authentication to fail and the file is rejected before any data is exposed.
The .crypthub binary file format:
| Offset | Size | Field |
| ------ | ---- | ----- |
| 0 | 4 | Magic bytes: CRHB (0x43 0x52 0x48 0x42) |
| 4 | 4 | Version: 1 (uint32, big-endian) |
| 8 | 32 | Salt (random, per-vault, stored permanently) |
| 40 | 12 | IV (random, refreshed on every write) |
| 52 | 16 | GCM authentication tag |
| 68+ | n | Ciphertext (AES-256-GCM encrypted JSON payload) |
The JSON payload contains all vault entries and metadata. Plaintext never touches disk. All operations happen in memory.
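
A reader and writer for the layout above, as an added example using the Web Crypto API; this is not CryptHub's own code, and the helper names (`parseHeader`, `deriveKey`, `writeVault`, `readVault`) are hypothetical. It assumes no additional authenticated data is used (the page does not say), and shows the one non-obvious step: Web Crypto expects the tag appended to the ciphertext, so the header tag has to be re-attached before decrypting.

```javascript
// Added example; helper names are hypothetical. Web Crypto is global in browsers and Node 19+.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const MAGIC = [0x43, 0x52, 0x48, 0x42]; // "CRHB"
const HEADER_LEN = 68, TAG_LEN = 16;
const utf8 = new TextEncoder();

// Validate the fixed header and split the buffer into the documented fields.
function parseHeader(bytes) {
  if (bytes.length < HEADER_LEN) throw new Error('truncated header');
  if (!MAGIC.every((b, i) => bytes[i] === b)) throw new Error('bad magic');
  const version = new DataView(bytes.buffer, bytes.byteOffset).getUint32(4, false);
  if (version !== 1) throw new Error('unsupported version');
  return { version, salt: bytes.subarray(8, 40), iv: bytes.subarray(40, 52),
           tag: bytes.subarray(52, 68), ciphertext: bytes.subarray(68) };
}

// PBKDF2-SHA256, 310,000 iterations -> non-extractable 256-bit AES-GCM key.
async function deriveKey(password, salt) {
  const base = await wc.subtle.importKey('raw', utf8.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 310000 },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Writer, used here to construct sample input: new vault, so new salt and fresh IV.
async function writeVault(password, payload) {
  const salt = wc.getRandomValues(new Uint8Array(32));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const sealed = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, tagLength: 128 }, key, utf8.encode(JSON.stringify(payload))));
  const n = sealed.length - TAG_LEN; // Web Crypto returns ciphertext || tag
  const out = new Uint8Array(HEADER_LEN + n);
  out.set(MAGIC, 0);
  new DataView(out.buffer).setUint32(4, 1, false); // version 1, big-endian
  out.set(salt, 8); out.set(iv, 40);
  out.set(sealed.subarray(n), 52);    // tag goes into the header
  out.set(sealed.subarray(0, n), 68); // ciphertext follows
  return out;
}

// Reader: decrypt() rejects on a wrong password or any changed salt, IV, tag or ciphertext byte.
async function readVault(password, bytes) {
  const { salt, iv, tag, ciphertext } = parseHeader(bytes);
  const sealed = new Uint8Array(ciphertext.length + TAG_LEN);
  sealed.set(ciphertext, 0); sealed.set(tag, ciphertext.length);
  const key = await deriveKey(password, salt);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv, tagLength: 128 }, key, sealed);
  return JSON.parse(new TextDecoder().decode(plain));
}
```
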
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key derivation | PBKDF2-SHA256, 310,000 iterations |
| Salt | 32 bytes, CSPRNG, stored in file header |
| IV | 12 bytes, fresh CSPRNG value on every write |
| Auth tag | 16 bytes GCM standard — any tampering fails decrypt |
| Crypto implementation | Web Crypto API — browser-native, zero libraries |
| Password generator | crypto.getRandomValues() — CSPRNG |
Creating a vault
Click "Create New Vault". The browser's file picker opens — choose where to save your
.crypthub file. Enter a master password.
An empty encrypted vault is written to that file immediately.
Opening a vault
Click "Open Existing Vault". Select your .crypthub file.
Enter your master password. PBKDF2 derives the key, AES-GCM decrypts the payload,
and the vault loads into memory. Wrong password or tampered file — decryption fails, nothing shown.
Adding and editing entries
Each entry stores: label, username, password, category, notes. Every change — add, edit, delete — immediately re-encrypts the full vault with a new IV and writes it back to your file. No manual save step.
Moving to another device
Copy your .crypthub file via USB, AirDrop, or any method you trust.
Open CryptHub in Chrome or Edge on the other device, select the file, enter your master password.
Vault is fully restored.
Locking
Click the lock button. Session key and all plaintext entries are cleared from memory. The vault file on disk remains encrypted and untouched.
CryptHub uses the File System Access API to read and write vault files directly on your filesystem — not inside browser storage. This means your vault survives browser clears and isn't subject to storage quotas or browser policies. The tradeoff is browser compatibility.
| Chrome 86+ | Supported |
| Edge 86+ | Supported |
| Brave, Opera (Chromium) | Supported |
| Firefox | Not supported |
| Safari | Not supported |
What happens if I forget my master password?
There is no recovery. Your password is never stored. If you forget it, the vault cannot be decrypted. Write it down and keep it offline.
What happens if I delete my .crypthub file?
Your vault is gone. Keep copies in multiple locations — USB drive, external storage, or encrypted cloud backup.
Does clearing browser data affect my vault?
No. Your vault is a file on your filesystem, not inside the browser. Clearing browser data has no effect on it.
Does it work offline?
Yes. After the first page load, everything runs locally. No network requests are made during use.
Can I run it without the hosted version?
Yes. Clone the repo and open docs/crypthub.html directly in Chrome or Edge.
No build step. No server.
Is the code audited?
No. It is open source. Full implementation in one readable file: docs/js/main.js. Read it before trusting it.
CryptHub is provided free of charge under the MIT License. By using it, you accept the following:
Full license: github.com/srsdesigndev/crypthub/blob/main/LICENSE