Open source · Apache 2.0 · v1.0

Your passwords.
Your devices.
No cloud vault.

VaultPeer is a KeePass-compatible password manager that stores credentials in standard .kdbx files and syncs them live between your desktop, phone, and always-on server node — directly over WebRTC. Phonebook handles peer discovery only; your decrypted vault never leaves your devices.

Get VaultPeer View on GitHub

Live vault sync

Encrypted KDBX · peer-to-peer

📖

VaultPeer-Phonebook

Signaling server — room join & ICE relay

↕ signaling only (no vault data)

🖥

Desktop node

Full UI · Windows

📱

Mobile node

Full UI · Android

⬡

Server node

Headless · 24/7 backup peer

↔ WebRTC data channels (encrypted .kdbx)

Features

KeePass power. Peer-to-peer sync.

VaultPeer works like KeePassXC on your device, then keeps every node in sync when you want — without handing your vault to a cloud provider.

🔐

KeePass-compatible KDBX

Open, create, and save standard .kdbx databases with AES-256, ChaCha20, and Argon2 — compatible with KeePassXC and other managers.

🔗

Live multi-device sync

Nodes join a room on Phonebook, discover each other, and exchange the encrypted vault over WebRTC data channels on startup and after local changes.

☁️

No cloud vault

Your credentials stay on your devices. Phonebook relays connection metadata only — it never sees decrypted vault contents or your master password.

📴

Offline-first

Use your vault without a network connection. Sync runs automatically when peers are available.

🔑

Password generator & OTP

Generate strong passwords and passphrases. Scan QR codes or enter secrets for RFC 6238 TOTP one-time passwords.

🛡

No telemetry

No analytics, no crash reporting, no cloud account. Network activity only when you explicitly enable sync.

Architecture

How VaultPeer sync works

Unlike cloud-first password managers, VaultPeer separates signaling from sync nodes. Only Phonebook handles WebRTC signaling. Every other component is a peer that holds and syncs the encrypted KDBX file.

┌─────────────────┐     signaling only      ┌──────────────────────┐
│ VaultPeer       │ ◄──────────────────────►│ VaultPeer-Phonebook  │
│ nodes           │   (room join, ICE, SDP)   │ (signaling server)   │
│                 │                         └──────────────────────┘
│  · Desktop      │
│  · Mobile       │
│  · Server node  │──── WebRTC data channels ────► peer-to-peer
└─────────────────┘      (encrypted .kdbx)            vault sync

Important: The server node is not the signaling server. It is a headless sync peer with no UI — it keeps the vault file on disk, stays online 24/7 as a backup, and accepts pushes and serves pulls to other nodes. Only VaultPeer-Phonebook handles signaling.

Ecosystem

VaultPeer projects

VaultPeer is a family of open-source repositories. Each plays a distinct role in the sync network. All are licensed under Apache 2.0.

VaultPeer Desktop

Node · UI

Windows desktop client with full vault management — create entries, generate passwords, auto-type, Windows Hello unlock, and browser integration.

GitHub Releases

VaultPeer Mobile

Node · UI

Android app with biometric unlock, system autofill, local backups, and the same KDBX format and sync protocol as desktop.

GitHub Releases

VaultPeer Server Node

Node · Headless

Always-on backup peer for VPS, NAS, or home server. No UI — holds the encrypted vault and syncs push/pull with other nodes. Docker-ready.

GitHub

VaultPeer Phonebook

Signaling

WebRTC signaling server. Nodes join a room, discover peers, and exchange ICE/SDP. Does not store or see vault data. Docker-ready.

GitHub

Get started

Set up your sync network

Four steps to sync your vault across devices.

Deploy Phonebook

Run VaultPeer-Phonebook on a server reachable by all your nodes — locally or on the internet. Use Docker for production.

Create or open a vault

Install VaultPeer Desktop or Mobile. Create a new .kdbx database or open an existing KeePass-compatible file.

Configure sync on each node

In Settings → Sync, enter your Phonebook WebSocket URL and a shared room ID. All nodes must use the same room ID and vault filename.

Add a server node (optional)

Deploy VaultPeer-ServerNode for a 24/7 headless peer that keeps a backup copy and syncs when desktop or mobile nodes come online.

FAQ

Common questions

What file format does VaultPeer use?

VaultPeer uses the standard KDBX format (KeePass 2.x compatible). Your database files have the .kdbx extension and can be opened by KeePass 2, KeePassXC, KeePass DX, and VaultPeer on other platforms.

Does VaultPeer connect to the internet by default?

No. VaultPeer makes zero network calls during normal operation. Network activity only occurs when you explicitly enable P2P sync (Phonebook + WebRTC) or optional browser integration on desktop.

What is the difference between Phonebook and the server node?

Phonebook is the WebRTC signaling server — it helps nodes find each other and exchange connection metadata. It never stores your vault. The server node is a headless sync peer like desktop and mobile, but without a UI. It holds the encrypted KDBX file on disk and participates in push/pull sync as a 24/7 backup.

Can Phonebook or the server node see my passwords?

No. Only the encrypted KDBX bytes travel over WebRTC. Phonebook relays signaling messages only. The server node stores the encrypted file but never decrypts it — you cannot unlock or edit entries through the server node.

What happens if two nodes edit the vault at the same time?

VaultPeer uses KeePass-compatible merge rules. Entries are matched by UUID. If the same entry was modified on both sides, the newer revision wins based on last-modified timestamps.

Ready to take control of your passwords?

Download VaultPeer for your platform, deploy Phonebook, and sync your encrypted vault across every device you own.

Desktop (Windows) Mobile (Android APK) Deploy Phonebook Server Node

Your passwords.Your devices.No cloud vault.