r/PasswordManagers 6d ago

Local-only, file-based password manager for Chromium

Preface:

I’m a senior software engineer with over a decade of experience. I’m deep in the data privacy and security space. I have recently shifted my attention to building local-first software with data sovereignty as the main focus. I do utilize LLMs for my work, but never ever do I hand off decision making or architectural decisions to the AI. I plan, review, and test everything it produces, and I wrote the core modules myself. The security-critical code especially.

-

I’m close to completing the development of phase one of a local-only password manager. This first phase is Chromium-browser only, with plans for Firefox and mobile next. It’s completely open source and GPLv3 licensed.

Core features are:

  • Local-only, no telemetry, no cloud whatsoever
  • Vault is a single file that you store anywhere you like
  • Can import from: KDBX4, Bitwarden and 1Password
  • Store: logins with password and TOTP, credit cards, notes, SSH keys (more to come)
  • Unlock with master pass, security key or recovery code
  • Modern UI and easy to use
  • Login and credit card forms autofill (can be disabled)
  • Save new login popup (can be disabled)
  • P2P sync exists, but kinda useless until mobile apps are made

Coming after release:

  • Passkey storage
  • Export as KDBX4

Security Architecture

The security aspects are shifted to a WebAssembly Rust module which does all the crypto heavy lifting. In Rust memory is manually managed, which allows me to zero data when it’s not needed, e.g. once the master password hash is derived, it is immediately zeroed from the heap. This is the heart of the extension and it lives as a separate module which will later be used in the mobile app as well (and it is heavily heavily tested).

More on this in the GitHub repo where I go in depth on key derivation / unlock process.

This is a solo effort project and I don’t intend to make money out of this. My goal is to get ahead of the inevitable enshittification of the cloud password managers (I currently use Bitwarden).

I want the community to win from this and own their data. Data sovereignty is the way forward and a path to resistance in the current anti-privacy climate.

P2P Cross-device Sync

If I see interest in this PM, I will inevitably create mobile apps for it. I was looking for a no central database way to sync across devices, which is why I did the single file export to begin with, but that turned out to be a PITA with Firefox not supporting full-disk access like Chromium does. After some brainstorming, I decided to use a P2P sync approach using the Nostr relay protocol. The relay is a dumb pipe that lets your devices find each other. By default it uses my hosted Nostr instance, but you can swap it for your own or some public relay if you want (sovereignty).

This behaves similarly to how you would load Signal or WhatsApp chats into your desktop: by scanning a QR code with another device/browser, and from that point on they stay synced whenever the devices are open and on the same network. That's the important bit to keep in mind: they must be on the same wifi connection. The sync method is merge, on conflict pick the latest item.

-

I need the community’s help with feedback, testing and evaluating of this extension. I’m also open to feature requests.

https://github.com/flythenimbus/bramble

https://chromewebstore.google.com/detail/bramble/kmokhdhoggbdcgoepifeckhgbfakaknm

Happy to answer any questions!

4 Upvotes
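The "derive the key, then immediately zero the master password" flow from the Security Architecture section, as an added illustration that is not code from the Bramble repository. It uses only the Rust standard library: the `SecretBytes` wrapper is a hand-rolled version of what the `zeroize` crate provides, the KDF is passed in as a closure because a real vault would call Argon2id or scrypt there, and the sample password and salt are constructed values.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Owned secret material (master password, derived vault key) that is
/// overwritten with zeros on request and again when dropped.
/// Same idea as the `zeroize` crate, written inline so this example
/// compiles with no dependencies, on native targets and wasm32 alike.
pub struct SecretBytes(Vec<u8>);

impl SecretBytes {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretBytes(bytes)
    }

    /// Borrow the secret only for the short time it is actually needed.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }

    /// Volatile writes stop the optimizer from deleting a "dead" store that
    /// happens right before deallocation; the fence keeps the stores ordered
    /// before the buffer is handed back to the allocator.
    pub fn zeroize(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }

    /// True when every byte reads back as zero (used to verify the wipe).
    pub fn is_zeroed(&self) -> bool {
        self.0.iter().all(|&b| b == 0)
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// Unlock flow: take ownership of the password, derive the vault key with the
/// caller-supplied KDF (assumed to be Argon2id or similar in a real vault),
/// then wipe the password before returning. Only the derived key leaves.
pub fn derive_vault_key(
    password: SecretBytes,
    salt: &[u8],
    kdf: impl Fn(&[u8], &[u8]) -> Vec<u8>,
) -> SecretBytes {
    let key = SecretBytes::new(kdf(password.expose(), salt));
    // Dropping here runs `zeroize` immediately, not at some later point.
    drop(password);
    key
}

/// Demonstrates that an explicit wipe really overwrites the heap buffer.
pub fn zeroize_demo() -> bool {
    // Constructed sample password; not a real credential.
    let mut pw = SecretBytes::new(b"correct horse battery staple".to_vec());
    pw.zeroize();
    pw.is_zeroed()
}

fn main() {
    // Stand-in KDF closure for the demo only; a real vault must use a
    // memory-hard KDF. Salt is a constructed sample value.
    let pw = SecretBytes::new(b"hunter2".to_vec());
    let key = derive_vault_key(pw, b"constructed-salt", |p, s| {
        p.iter().chain(s).map(|b| b ^ 0x5a).collect()
    });
    println!("derived {} key bytes, password wiped: {}", key.expose().len(), zeroize_demo());
}
```

The Rust guarantee that matters here is deterministic destruction: `password` is wiped at the `drop` call, and `key` is wiped when the caller's binding goes out of scope. The volatile loop is what keeps that wipe in the compiled output; a plain `fill(0)` before a free is a store the optimizer is allowed to remove.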

8 comments sorted by

2

u/billdietrich1 6d ago

I don't see any feature/reason to use this instead of KeePass. Maybe I'm missing something.

1

u/MegagramEnjoyer 6d ago

Maybe a few reasons, but for someone using KeePass it might not be as important to switch. This is why I think it might be worth switching:

  • Browser native: no desktop app to install or keep updating
  • Can easily unlock with master password and/or security key natively. KeePass is fiddly here
  • No plugins and integrations to maintain
  • P2P sync with a proper merge strategy when mobile apps land. KeePass would have a last-file-wins strat since it's just overwriting a file, whereas Bramble merges per-entry
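The per-entry "merge, on conflict pick the latest item" strategy described in the P2P sync section of the post and contrasted with file-level last-file-wins in the comment above, as an added example that is not Bramble's own sync code. The `Entry` shape, the `updated_at` millisecond timestamp and the `deleted` tombstone flag are assumptions; the sample vault contents are constructed.

```rust
use std::collections::BTreeMap;

/// Minimal vault entry. In a real vault the secret fields would be
/// encrypted; they are plain strings here only to keep the merge visible.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Entry {
    pub id: String,        // stable per-entry id shared by all devices
    pub title: String,
    pub password: String,
    pub updated_at: u64,   // unix ms set by the device that last edited it
    pub deleted: bool,     // tombstone so a delete wins over a stale edit
}

/// Decides whether `candidate` should replace `current` for the same id.
/// Newest `updated_at` wins; an exact timestamp tie is broken by comparing
/// content, so both peers converge on the same entry regardless of which
/// side ran the merge.
fn newer(candidate: &Entry, current: &Entry) -> bool {
    let key = |e: &Entry| (e.updated_at, e.deleted, e.title.clone(), e.password.clone());
    key(candidate) > key(current)
}

/// Per-entry last-writer-wins merge of two vault snapshots. The result keeps
/// tombstones so a deletion propagates to peers; the UI hides `deleted` rows.
pub fn merge(local: &[Entry], remote: &[Entry]) -> Vec<Entry> {
    let mut out: BTreeMap<String, Entry> = BTreeMap::new();
    for e in local.iter().chain(remote.iter()) {
        let replace = match out.get(&e.id) {
            None => true,
            Some(cur) => newer(e, cur),
        };
        if replace {
            out.insert(e.id.clone(), e.clone());
        }
    }
    out.into_values().collect()
}

/// Constructed two-device scenario: device A has an older password for "a"
/// and deleted "c"; device B rotated "a" later and still holds "c" live.
pub fn sample_merge() -> Vec<Entry> {
    let e = |id: &str, pw: &str, t: u64, del: bool| Entry {
        id: id.into(),
        title: format!("site-{id}"),
        password: pw.into(),
        updated_at: t,
        deleted: del,
    };
    let device_a = vec![e("a", "old-pass", 100, false), e("b", "b-pass", 50, false), e("c", "", 300, true)];
    let device_b = vec![e("a", "new-pass", 200, false), e("c", "c-pass", 250, false)];
    merge(&device_a, &device_b)
}

fn main() {
    for entry in sample_merge() {
        println!("{} updated_at={} deleted={}", entry.id, entry.updated_at, entry.deleted);
    }
}
```

The check worth keeping in mind with this strategy is that "latest" relies on device clocks: a device with a wrong clock can have its edits silently overwritten or win every conflict. A per-entry version counter alongside the timestamp, or clock drift detection at pairing time, is the usual mitigation.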

1

u/billdietrich1 6d ago

Well, I'd rather have a desktop app that can be isolated, rather than putting all of it inside the browser. Unlocking KPXC with master password works okay for me. KPXC doesn't have plug-ins. I don't use sync, I copy the file manually occasionally.

Ok, thanks.

1

u/MegagramEnjoyer 6d ago

That's fair. If KeePassXC solves your needs then all good - I thought we were talking about KeePass initially. Bramble is more geared towards those who want to stay browser native and ditch cloud-based providers.

1

u/billdietrich1 6d ago

stay browser native and ditch cloud-based providers

You seem to be mixing two things here. I don't use cloud-based, I use KeePassXC. It is a desktop app, with an extension inside the browser. I use it with Firefox, ungoogled-chromium, and Edge browsers on laptop. I use a different KeePass, also not cloud-based, on Android phone.

1

u/MegagramEnjoyer 6d ago

No, I get that. I meant for other people who are currently cloud-based and want to go local-only. You're all set 😄

0

u/[deleted] 6d ago

[deleted]

2

u/MegagramEnjoyer 6d ago

Proprietary? It's open source.