Open source · AGPL-3.0 · Self-hosted

The enterprise password manager you can actually host yourself.

Zero-knowledge vaults, SAML 2.0 SSO, Azure Key Vault custody, and an Intune-deployable browser extension — all in a single Docker stack you control.

SAML 2.0 · Azure Key Vault · Microsoft Intune · SOC-friendly audit

Built for security teams

Every primitive an enterprise needs — not a single feature you have to bolt on.

Zero-trust encryption

AES-256-GCM client-side, with per-vault data keys wrapped by an HSM-backed KEK in Azure Key Vault. Plaintext never reaches the server.

SAML 2.0 enterprise SSO

Native SAML for Entra ID, Okta, ADFS. Group claims map to RBAC. JIT provisioning. Break-glass admin account.

Personal & team vaults

Granular RBAC: view, use, edit, manage. Group-based access via SAML claims. Re-key on access change without re-encrypting items.

Tamper-evident audit log

Hash-chained entries for every vault access, share, and admin action. CSV export plus optional syslog/SIEM forwarding.

Browser extension

Chromium MV3 extension for autofill, save-on-submit, and TOTP. Force-installable via Intune with extension ID + update URL.

Docker self-host

One docker-compose command. Postgres + Redis + reverse proxy. Healthchecks, structured logs, Prometheus metrics. AGPL-3.0.

Envelope encryption, server-blind by design.

Each vault has its own AES-256-GCM Data Encryption Key. The DEK is wrapped by a Key Encryption Key held in Azure Key Vault — your KEK never leaves the HSM. The OpenVault server stores only ciphertext and wrapped keys; it cannot read your secrets even if compromised.

  • Per-vault DEK, wrapped by HSM-backed KEK
  • Decryption happens in the browser via Web Crypto
  • Sharing changes re-wrap the key — items never re-encrypt
  • Tamper-evident, hash-chained audit log

// Browser
const dek = await keyProvider.unwrap(vault.wrappedDek);
const item = await decryptJSON(dek, {
  ciphertext: row.ciphertext,
  iv: row.iv,
});
// → { username, password, totp, notes }
// Server (never sees this)
row.ciphertext = "Yk3z…"  // opaque blob
row.iv         = "qX1p…"
vault.wrapped  = "uSVR…"  // requires Key Vault to unwrap

Deploy in minutes

One Docker Compose file. One env file. Bring your own Postgres, Redis, and Key Vault.

# 1. Pull the stack
git clone https://github.com/your-org/openvault
cd openvault

# 2. Configure
cp .env.example .env
# edit .env: DB_URL, AZURE_KEYVAULT_URL, SAML_*, APP_URL

# 3. Launch
docker compose up -d

# 4. Bootstrap first admin + print SP metadata URL
docker compose exec app npm run bootstrap