I’ve been working on a small side project in my spare time and I’d love some honest, security-focused feedback from this community.
The project is PassFX - a terminal-based password manager designed to work entirely offline. No cloud sync, no accounts, no browser extensions. Everything is encrypted locally and unlocked with a single master passphrase that never leaves the machine.
The core idea is simple: reduce attack surface by removing the cloud entirely.
I wanted something:
- I could use on an air-gapped or offline machine
- That didn’t rely on a browser extension or remote service
- Where I could reason clearly about the threat model
This isn’t meant to replace enterprise solutions or compete with hosted managers. It’s more of an exploration into how minimal and auditable a password manager can be while still being usable day to day for developers.
What I’m looking for feedback on
I’m especially interested in thoughts around:
- Cryptographic choices and key derivation approach
- Threat model assumptions (what I’m missing or underestimating)
- Secure storage practices on disk
- UX tradeoffs in terminal-only security tools
- Any obvious “don’t do this” red flags
If you’re curious, the repo is here:
GitHub: https://github.com/dinesh-git17/passfx
happy to take a look :)
Thanks!!
No prob. Check suggested improvements, I left my analysis. Overall, it's a very good personal project. Just a few minor adjustments that you perhaps didn't consider before (or did but understandably went with a simpler version).
:D
Are entry names or metadata stored in plaintext on disk, or is everything wrapped inside a single encrypted container? Filename leakage is often overlooked in local-only tools.
Great question! That's something I tackled very early on in the project.
PassFX doesn't store individual entries or filenames as separate files. Everything lives in a single encrypted container on your disk. Entry names, metadata, and values are all encrypted together before being written.
The only plaintext artifact is the container file itself. The Salt and Vault are kept in different directories, and if an attacker were to access those files, they'd see ciphertext. Unless they have a supercomputer and years to spend on this, they won't be able to decipher your encrypted passwords.
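To make the single-container design concrete, here is an added, self-contained Python sketch of the layout the reply describes: every entry (names, metadata, secrets) is serialized into one blob, the blob is encrypted and authenticated, and the salt is kept apart from the vault bytes. This is illustrative code written for this thread, not PassFX's implementation; it assumes scrypt for passphrase stretching and uses an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag purely because the standard library has no AEAD, whereas a real tool would use AES-GCM or ChaCha20-Poly1305. The entries, passphrase and parameters are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed scrypt parameters for the example; a real tool tunes these to its memory/time budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the master passphrase with scrypt and split the output into an encryption key and a MAC key."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF stream (illustrative; use a standard AEAD in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, salt: bytes, entries: dict) -> bytes:
    """Serialize all entries (names, metadata, secrets) into one blob, encrypt it, then MAC nonce + ciphertext."""
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag  # the only bytes that ever touch the vault file


def open_vault(passphrase: str, salt: bytes, container: bytes) -> dict:
    """Check the tag before decrypting; fail closed on a wrong passphrase or any change to the container."""
    if len(container) < NONCE_LEN + TAG_LEN:
        raise ValueError("vault container is truncated")
    enc_key, mac_key = derive_keys(passphrase, salt)
    nonce, ciphertext, tag = container[:NONCE_LEN], container[NONCE_LEN:-TAG_LEN], container[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed: wrong passphrase or tampered container")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def demo() -> dict:
    """Round-trip a constructed vault and report what someone holding the on-disk files can and cannot learn."""
    salt = os.urandom(SALT_LEN)  # would live in its own directory, separate from the vault file
    entries = {  # constructed sample entries
        "github": {"username": "dinesh", "password": "correct horse battery staple"},
        "bank": {"username": "d.g", "password": "hunter2", "notes": "joint account"},
    }
    container = seal("my master passphrase", salt, entries)
    # Flip one ciphertext bit to model an on-disk modification.
    i = NONCE_LEN + 3
    tampered = container[:i] + bytes([container[i] ^ 0x01]) + container[i + 1:]
    try:
        open_vault("my master passphrase", salt, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        open_vault("wrong passphrase", salt, container)
        wrong_pass_rejected = False
    except ValueError:
        wrong_pass_rejected = True
    return {
        "round_trip_ok": open_vault("my master passphrase", salt, container) == entries,
        "names_leaked_on_disk": any(name.encode() in container for name in entries),
        "secrets_leaked_on_disk": b"hunter2" in container,
        "tamper_detected": tamper_detected,
        "wrong_passphrase_rejected": wrong_pass_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the checks make is the one raised in the question: because entry names ride inside the same authenticated blob as the secrets, neither the directory listing nor the vault bytes reveal which sites you have accounts with, and a modified container is rejected before any plaintext is produced. Splitting the salt from the vault does not add secrecy (the salt is not a secret), but it does mean the scrypt work factor still has to be paid per guess.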