Offline-first CLI Password Manager with Local File System Storage & Server Sync #100

Description

@YashwantSaste

I would like to propose an offline-first CLI-based password manager that integrates seamlessly with the existing zecrypt-server backend, while also supporting secure local file system storage.

The goal is to enable users—especially developers and power users—to manage passwords locally via a CLI, with optional encrypted synchronization to the backend server.

Problem Statement

Currently, password managers are often:

  • Fully dependent on network connectivity
  • Browser or UI-heavy
  • Hard to integrate into developer workflows
  • Less flexible for air-gapped or offline environments

There is a strong use case for:

  • A local, CLI-driven password manager
  • Secure file-based encrypted storage
  • Optional zero-knowledge sync with the backend

Proposed Solution

Introduce a CLI client that acts as a first-class consumer of zecrypt-server and supports:

  1. CLI-Based Password Management

Users interact via terminal commands:

zecrypt init
zecrypt login
zecrypt add github --username user --password ****
zecrypt get github
zecrypt list

  2. Encrypted Local File System Storage (Offline-First)

  • Passwords stored locally in encrypted form
  • No backend dependency for read/write operations

Example structure:

~/.zecrypt/
├── vaults/
│   ├── personal.zvault
│   └── work.zvault
├── config.yml
└── keystore

Encryption keys derived from:

  • Master password
  • OS keychain / keystore (optional)

  3. Optional Backend Sync (Zero-Knowledge)

  • CLI syncs encrypted vaults with zecrypt-server
  • Server never sees plaintext data

Backend acts as:

  • Encrypted vault storage
  • Metadata/version manager

Possible APIs:

POST /vault/sync
GET /vault/export
POST /vault/import

  4. Import / Export Capabilities

Enable:

  • Export local vault → backend
  • Import backend vault → local file
  • Backup / restore workflows
  • Easy migration between machines

Formats:

  • Encrypted .zvault files
  • Optional decrypted export (explicit user consent)

Sync Strategy (Initial Ideas)

  • Timestamp-based or version-based sync
  • Conflict detection with manual resolution
  • Advanced option (future): CRDT-based sync

Benefits

  • Offline-first & developer-friendly
  • Strong security & zero-knowledge compliance
  • CLI automation & scripting support
  • Easy backup, restore, and migration
  • Extends zecrypt beyond web-only usage
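
The version-based sync with conflict detection listed under "Sync Strategy", as an added sketch that is not part of the original issue or the zecrypt code base: the client decides what to do using only version counters and digests of the encrypted vault, so no plaintext is involved. `LocalState`, `RemoteState` and `plan_sync` are hypothetical names, and the server is assumed to return a version counter plus a SHA-256 digest of the stored ciphertext.

```python
import hashlib
from dataclasses import dataclass


def digest(blob: bytes) -> str:
    """SHA-256 of the encrypted vault bytes; plaintext is never hashed or sent."""
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class LocalState:          # hypothetical client-side sync record
    base_version: int      # server version this copy was last synced against
    base_digest: str       # ciphertext digest recorded at that sync
    ciphertext: bytes      # current encrypted .zvault contents (opaque)


@dataclass(frozen=True)
class RemoteState:         # hypothetical metadata returned by the server
    version: int
    digest: str


def plan_sync(local: LocalState, remote: RemoteState) -> str:
    """Return one of: in_sync, push, pull, conflict, reject."""
    current = digest(local.ciphertext)
    local_changed = current != local.base_digest
    if remote.version < local.base_version:
        return "reject"    # server offers an older version than one already seen
    if remote.version == local.base_version:
        if remote.digest != local.base_digest:
            return "reject"  # same version number, different ciphertext
        return "push" if local_changed else "in_sync"
    # The server has moved ahead of the version this copy was based on.
    if not local_changed:
        return "pull"
    if current == remote.digest:
        return "in_sync"   # both sides already hold identical ciphertext
    return "conflict"      # both changed: leave resolution to the user


# Constructed sample data: stand-ins for encrypted vault bytes.
V1, V2_LOCAL, V2_REMOTE = b"ct-v1", b"ct-v2-local", b"ct-v2-remote"
BASE = LocalState(3, digest(V1), V1)
EDITED = LocalState(3, digest(V1), V2_LOCAL)

if __name__ == "__main__":
    print(plan_sync(EDITED, RemoteState(4, digest(V2_REMOTE))))
```

The two `reject` branches treat the server as untrusted for freshness: a version lower than one the client already synced, or changed ciphertext under an unchanged version number, is refused rather than merged.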
