A cloud-based password manager — Secure, Simple, and Self-Hosted
LibrePass is a self-hosted, cloud-based password manager designed with security and simplicity in mind. It provides end-to-end encrypted password storage and synchronization across multiple devices while maintaining full control over your data.
This is a hobby project that served as a comprehensive learning experience in building secure, scalable systems from mobile clients to cloud backends.
Client Layer (Mobile & Web)
- Android app with Kotlin & Jetpack Compose
- Web client with Svelte (incomplete)
- End-to-end encryption on client-side
- Offline-first local database
API Layer (Spring Boot Backend)
- RESTful endpoints for vault operations
- Token-based authentication (tokens stored in database)
- Request validation & rate limiting
- Data encryption/decryption pipeline
Data Layer (PostgreSQL/MySQL)
- User accounts & credentials (hashed)
- Encrypted vault data (client-encrypted)
- Sync logs for conflict resolution
- Authentication tokens (database-stored)
User Registration/Login
Client → Server: Credentials over HTTPS
Server: Hash password, generate token
Server: Store token in database
Server → Client: Token
Password Storage & Sync
Client: Encrypt vault data with user key
Client → Server: Send encrypted payload over HTTPS
Server: Store encrypted data (server never sees plaintext)
Server → Client: Sync response with new changes
Client: Decrypt & update local vault
Offline Synchronization
Client (Offline): Store changes in local queue
Client (Online): Send queued changes to server
Server: Merge changes with conflict resolution
Server → Client: Return merged data
Client: Update local database
| Platform | Status | Technology | Key Features |
|---|---|---|---|
| 🤖 Android | ✅ Complete | Kotlin, Jetpack Compose | Biometric, Material 3, Sync |
| 🌐 Web | ❌ Incomplete | Svelte, TypeScript | Responsive, Cross-platform |
| 🔧 Backend | ✅ Complete | Spring Boot, PostgreSQL | APIs, Token Auth, E2E Encryption |
| 📚 Docs | ✅ Reference | Markdown | Setup, API, Deployment |
| Repository | Language | Status | Description |
|---|---|---|---|
| LibrePass-Server | Kotlin/Java | Unmaintained | Spring Boot backend with REST APIs, token auth (DB), encryption, and database |
| LibrePass-Android | Kotlin | Unmaintained | Android client with Jetpack Compose, biometric auth, Material 3 |
| LibrePass-Web | Svelte | Incompleted | Web client (started in Svelte) — abandoned due to time constraints |
| LibrePass-Docs | Markdown | Reference | Setup guides, API documentation, deployment instructions |
- ✅ End-to-End Encryption — Passwords encrypted before transmission
- ✅ Secure Authentication — Token-based auth with database storage
- ✅ Biometric Unlock — Face/fingerprint authentication (Android)
- ✅ Automatic Vault Lock — Auto-lock after inactivity
- ✅ HTTPS/TLS — All communications encrypted in transit
- ✅ Cross-Device Synchronization — Seamless sync across devices
- ✅ Self-Hosted — Full control over your data and infrastructure
- ✅ Offline Support — Works offline with local database sync
- ✅ Conflict Resolution — Smart handling of concurrent changes
- ✅ Material 3 Design — Native Android 12+ dynamic colors
- ✅ Dark Mode — Full dark mode support
- ✅ Multi-Language — Community-contributed translations
- ✅ Password Generation — Customizable strong password generation
- ✅ TOTP Support — Time-based One-Time Password scanning
Spring Boot 3.3.2 → Kotlin/Java → Spring Data JPA → PostgreSQL/MySQL
Token Auth (DB) → Encryption → RESTful APIs → Docker
Kotlin Coroutines → Jetpack Compose → Dagger Hilt → Biometric API
Material 3 → Navigation → DataStore → End-to-End Encryption
Svelte → Responsive Design → Secure Storage → API Integration
- Total Repositories: 4 active projects (Server, Android, Web, Docs)
- Primary Language: Kotlin + Java
- Architecture: Multi-module, microservices-ready
- License: GNU Affero General Public License v3.0
- Last Updated: October 2024 (Unmaintained)
- Learning Focus: Security, Mobile Dev, Backend Systems, Cloud Sync
For detailed information about each component:
- Server Setup: LibrePass-Server README
- Android App: LibrePass-Android README
- Full Docs: LibrePass-Docs
This project is no longer actively maintained as of October 2024. It was developed as a hobby/learning project and has served its purpose as a comprehensive educational resource.
- ✅ LibrePass-Server — Fully implemented and functional
- ✅ LibrePass-Android — Feature-complete mobile client
- ⏸️ LibrePass-Web — Started in Svelte, incomplete (abandoned due to time constraints)
- 📖 LibrePass-Docs — Reference documentation
The codebase remains available as:
- ✅ A reference implementation for secure password managers
- ✅ A learning resource for backend and mobile development
- ✅ An example of clean architecture and security best practices
- ✅ An open-source contribution to the security community
- ✅ A case study in project scope and time management
This backend implements several security measures:
- End-to-End Encryption — Passwords encrypted before transmission to server
- Secure Authentication — JWT tokens with expiration and refresh mechanisms
- HTTPS Communication — All API traffic encrypted in transit
- Password Hashing — User credentials hashed using industry-standard algorithms
- No Plaintext Storage — Passwords never stored unencrypted in database
- Input Validation — All API inputs validated and sanitized
- Rate Limiting — Protection against brute force and DOS attacks
Note: This is a hobby project. For production use, consider security audits by professional security experts and follow established security best practices for sensitive data systems.
Licensed under the GNU Affero General Public License v3.0 (AGPL-3.0)
This means:
- ✅ You can use, modify, and distribute the code
- ✅ You must disclose modifications
- ✅ You must use the same license
- 📖 Read Full License
- LibrePass Android — Mobile client for Android
- LibrePass Web — Web client for browser access
This hobby project taught me invaluable lessons about:
- 🏗️ Building scalable Spring Boot applications with multi-module architecture
- 🔑 Secure authentication with token management and database storage
- 💾 Database design for encrypted data storage
- 🔄 Cloud synchronization protocols and conflict resolution
- 📡 RESTful API design and versioning
- 🐳 Docker containerization and deployment
- 📱 Modern Kotlin and Jetpack Compose UI frameworks
- 🔐 Biometric authentication integration
- 🎨 Material Design 3 implementation with dynamic theming
- 🏗️ Clean architecture and multi-module project structure
- 🔄 Data synchronization in mobile applications
- 📍 Offline-first architecture patterns
- 🔒 End-to-end encryption implementation
- 🔑 Secure password handling and hashing
- 🛡️ HTTPS/TLS communication security
- 🎯 Biometric security best practices
- 🚨 Input validation and sanitization
- 📊 Rate limiting and DOS protection
- 🐳 Multi-stage Docker builds
- 📦 Maven and dependency management
- 🔧 Environment configuration
- 📝 Documentation and knowledge sharing
- 🏛️ Microservices and modular architecture
- 🔄 Cloud synchronization protocols
- 📊 Data consistency and conflict resolution
- 🎯 Separation of concerns and SOLID principles
- 🧪 Testing strategies for backend services
This project was a comprehensive learning experience that combined practical backend development with real-world security challenges. It provided insights into how secure cloud services work and the complexity involved in protecting sensitive user credentials.
Oskar Karpiński (@oskarkarpinski.eu)
With contributions from the LibrePass community.
- 🌐 Website: oskarkarpinski.eu
- 📧 Email: karpinski.oskar@outlook.com
- 🐙 GitHub: @OskarKarpinski
A comprehensive journey through secure software development, from mobile clients to cloud backends



