Storing credentials is a category error.
Every cloud password manager exists because of a missing primitive: a way to derive your credentials on demand from something you already own. Cryptographic wallets gave us that primitive. Keptex is what happens when you build a credential manager on top of it.
The same credential, every time.
Give the algorithm the same inputs (your wallet, the site, the account, a counter) and it produces the same private key. Always. Auditably. From any device, with no server in the loop.
Full specification in /algorithm. Source in github.com/keptex.
Two threat models, side by side.
- Cloud manager stores your credentials in an encrypted vault that syncs through their servers.
- Recovery: master password + recovery code. Lose both and you lose everything.
- Threat model: trust their KMS, their cloud, their backups, their employees, their incident response.
- Audit: closed-source crypto. You trust their security claims.
- Keptex never stores credentials. Each one is re-derived from your wallet on demand.
- Recovery: your seed phrase. Re-install anywhere, every credential mathematically returns.
- Threat model: trust the source-available algorithm + your wallet (hardware-backed by default).
- Audit: source-available algorithm, zero-dependency, published test vectors. Anyone can verify.
The honest trade-offs, your call.
Same inputs always produce the same credential. Re-register at a site and the same passkey comes back. That is the feature: your accounts survive any re-install. Want a clean break instead? Bump a counter and Keptex derives a fresh credential, leaving the old one orphaned.
Wallet alone, or wallet plus a secret.
By default your wallet signature is the only key, with nothing extra to memorise. Prefer a second factor? Turn on a master secret and every credential is derived from your wallet and that secret together, so a stolen wallet on its own is not enough. Both modes stay deterministic and fully recoverable; you pick one per profile when you set it up.
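The sketch below is an added illustration of this kind of deterministic derivation, not Keptex's published algorithm (see /algorithm for that). The HKDF-SHA256 construction, the length-prefixed input encoding, the context label and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def _field(data: bytes) -> bytes:
    # Length-prefix every input so ("ab", "c") and ("a", "bc") encode differently.
    return struct.pack(">I", len(data)) + data


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes.
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def derive_credential(wallet_sig: bytes, site: str, account: str,
                      counter: int = 0, master_secret: bytes = b"") -> bytes:
    # wallet_sig is assumed to be a deterministic signature over a fixed message;
    # a randomized signature would give a different credential on every run.
    if not wallet_sig or counter < 0:
        raise ValueError("wallet signature required, counter must be >= 0")
    # Mode byte separates "wallet only" from "wallet + master secret" profiles.
    mode = b"\x01" if master_secret else b"\x00"
    ikm = mode + _field(wallet_sig) + _field(master_secret)
    # Assumed normalization: the site is lower-cased, the account is used as typed.
    info = (_field(site.strip().lower().encode()) + _field(account.encode())
            + struct.pack(">Q", counter))
    return hkdf_sha256(ikm, b"example-credential-derivation-v1", info)


# Constructed stand-in for a wallet signature (not a real signature).
SAMPLE_SIG = hashlib.sha256(b"constructed sample signature").digest() * 2

if __name__ == "__main__":
    first = derive_credential(SAMPLE_SIG, "example.com", "alice")
    again = derive_credential(SAMPLE_SIG, "example.com", "alice")
    rotated = derive_credential(SAMPLE_SIG, "example.com", "alice", counter=1)
    with_secret = derive_credential(SAMPLE_SIG, "example.com", "alice",
                                    master_secret=b"constructed master secret")
    print("reproducible:", first == again)
    print("counter bump changes key:", first != rotated)
    print("master secret changes key:", first != with_secret)
```

Because nothing is stored, any change to the input encoding or normalization changes every derived credential, which is why published test vectors matter for a scheme like this.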
Convenience, or total privacy.
Let Keptex fetch site icons so your list is easy to scan, or switch to fully local: no network calls, no fetched logos, nothing leaves your device. The same dial runs through the whole app: you decide where polish ends and zero-trace privacy begins.
Whatever you choose, custody is yours alone. Keptex keeps no copy and no escrow, so protect your wallet, and your master secret if you set one, like the keys to the kingdom. Because that is exactly what they are.