Skip to content
@LibrePass

LibrePass

Take control of your passwords with LibrePass. Founded by @OskarKarpinski. This project is no longer actively developed as of October 2024.

🔐 LibrePass

A cloud-based password manager — Secure, Simple, and Self-Hosted

License: AGPL-3.0 Status: Unmaintained Languages


📱 What is LibrePass?

LibrePass is a self-hosted, cloud-based password manager designed with security and simplicity in mind. It provides end-to-end encrypted password storage and synchronization across multiple devices while maintaining full control over your data.

This is a hobby project that served as a comprehensive learning experience in building secure, scalable systems from mobile clients to cloud backends.


📸 Screenshots

Welcome Screen Add Cipher Screen View Cipher Screen Password Generator

🏗️ System Architecture

Core Components

Client Layer (Mobile & Web)

  • Android app with Kotlin & Jetpack Compose
  • Web client with Svelte (incomplete)
  • End-to-end encryption on client-side
  • Offline-first local database

API Layer (Spring Boot Backend)

  • RESTful endpoints for vault operations
  • Token-based authentication (tokens stored in database)
  • Request validation & rate limiting
  • Data encryption/decryption pipeline

Data Layer (PostgreSQL/MySQL)

  • User accounts & credentials (hashed)
  • Encrypted vault data (client-encrypted)
  • Sync logs for conflict resolution
  • Authentication tokens (database-stored)

Data Flow

User Registration/Login

Client → Server: Credentials over HTTPS
Server: Hash password, generate token
Server: Store token in database
Server → Client: Token

Password Storage & Sync

Client: Encrypt vault data with user key
Client → Server: Send encrypted payload over HTTPS
Server: Store encrypted data (server never sees plaintext)
Server → Client: Sync response with new changes
Client: Decrypt & update local vault

Offline Synchronization

Client (Offline): Store changes in local queue
Client (Online): Send queued changes to server
Server: Merge changes with conflict resolution
Server → Client: Return merged data
Client: Update local database

📟️ Platform Support

Platform Status Technology Key Features
🤖 Android ✅ Complete Kotlin, Jetpack Compose Biometric, Material 3, Sync
🌐 Web ❌ Incomplete Svelte, TypeScript Responsive, Cross-platform
🔧 Backend ✅ Complete Spring Boot, PostgreSQL APIs, Token Auth, E2E Encryption
📚 Docs ✅ Reference Markdown Setup, API, Deployment

🏗️ Project Components

Repository Language Status Description
LibrePass-Server Kotlin/Java Unmaintained Spring Boot backend with REST APIs, token auth (DB), encryption, and database
LibrePass-Android Kotlin Unmaintained Android client with Jetpack Compose, biometric auth, Material 3
LibrePass-Web Svelte Incompleted Web client (started in Svelte) — abandoned due to time constraints
LibrePass-Docs Markdown Reference Setup guides, API documentation, deployment instructions

✨ Key Features

🔐 Security First

  • End-to-End Encryption — Passwords encrypted before transmission
  • Secure Authentication — Token-based auth with database storage
  • Biometric Unlock — Face/fingerprint authentication (Android)
  • Automatic Vault Lock — Auto-lock after inactivity
  • HTTPS/TLS — All communications encrypted in transit

☁️ Cloud & Sync

  • Cross-Device Synchronization — Seamless sync across devices
  • Self-Hosted — Full control over your data and infrastructure
  • Offline Support — Works offline with local database sync
  • Conflict Resolution — Smart handling of concurrent changes

🎨 User Experience

  • Material 3 Design — Native Android 12+ dynamic colors
  • Dark Mode — Full dark mode support
  • Multi-Language — Community-contributed translations
  • Password Generation — Customizable strong password generation
  • TOTP Support — Time-based One-Time Password scanning

🛠️ Technology Stack

Backend Infrastructure

Spring Boot 3.3.2  →  Kotlin/Java  →  Spring Data JPA  →  PostgreSQL/MySQL
Token Auth (DB)    →  Encryption   →  RESTful APIs    →  Docker

Android Client

Kotlin Coroutines  →  Jetpack Compose  →  Dagger Hilt  →  Biometric API
Material 3         →  Navigation       →  DataStore    →  End-to-End Encryption

Frontend (Web) — Incomplete Project

Svelte  →  Responsive Design  →  Secure Storage  →  API Integration

⚠️ Note: LibrePass-Web was started using Svelte but never completed due to time constraints. The codebase serves as a reference for Svelte + security patterns


📊 Project Statistics

  • Total Repositories: 4 active projects (Server, Android, Web, Docs)
  • Primary Language: Kotlin + Java
  • Architecture: Multi-module, microservices-ready
  • License: GNU Affero General Public License v3.0
  • Last Updated: October 2024 (Unmaintained)
  • Learning Focus: Security, Mobile Dev, Backend Systems, Cloud Sync

📚 Documentation

For detailed information about each component:


⚠️ Project Status

This project is no longer actively maintained as of October 2024. It was developed as a hobby/learning project and has served its purpose as a comprehensive educational resource.

Completion Status

  • LibrePass-Server — Fully implemented and functional
  • LibrePass-Android — Feature-complete mobile client
  • ⏸️ LibrePass-Web — Started in Svelte, incomplete (abandoned due to time constraints)
  • 📖 LibrePass-Docs — Reference documentation

The codebase remains available as:

  • ✅ A reference implementation for secure password managers
  • ✅ A learning resource for backend and mobile development
  • ✅ An example of clean architecture and security best practices
  • ✅ An open-source contribution to the security community
  • ✅ A case study in project scope and time management

🔐 Security Considerations

This backend implements several security measures:

  1. End-to-End Encryption — Passwords encrypted before transmission to server
  2. Secure Authentication — JWT tokens with expiration and refresh mechanisms
  3. HTTPS Communication — All API traffic encrypted in transit
  4. Password Hashing — User credentials hashed using industry-standard algorithms
  5. No Plaintext Storage — Passwords never stored unencrypted in database
  6. Input Validation — All API inputs validated and sanitized
  7. Rate Limiting — Protection against brute force and DOS attacks

Note: This is a hobby project. For production use, consider security audits by professional security experts and follow established security best practices for sensitive data systems.


📄 License

Licensed under the GNU Affero General Public License v3.0 (AGPL-3.0)

This means:

  • ✅ You can use, modify, and distribute the code
  • ✅ You must disclose modifications
  • ✅ You must use the same license
  • 📖 Read Full License

🔗 Related Projects


🎓 What Was Learned

This hobby project taught me invaluable lessons about:

Backend Development

  • 🏗️ Building scalable Spring Boot applications with multi-module architecture
  • 🔑 Secure authentication with token management and database storage
  • 💾 Database design for encrypted data storage
  • 🔄 Cloud synchronization protocols and conflict resolution
  • 📡 RESTful API design and versioning
  • 🐳 Docker containerization and deployment

Mobile Development (Android)

  • 📱 Modern Kotlin and Jetpack Compose UI frameworks
  • 🔐 Biometric authentication integration
  • 🎨 Material Design 3 implementation with dynamic theming
  • 🏗️ Clean architecture and multi-module project structure
  • 🔄 Data synchronization in mobile applications
  • 📍 Offline-first architecture patterns

Cryptography & Security

  • 🔒 End-to-end encryption implementation
  • 🔑 Secure password handling and hashing
  • 🛡️ HTTPS/TLS communication security
  • 🎯 Biometric security best practices
  • 🚨 Input validation and sanitization
  • 📊 Rate limiting and DOS protection

DevOps & Infrastructure

  • 🐳 Multi-stage Docker builds
  • 📦 Maven and dependency management
  • 🔧 Environment configuration
  • 📝 Documentation and knowledge sharing

Architecture & Design Patterns

  • 🏛️ Microservices and modular architecture
  • 🔄 Cloud synchronization protocols
  • 📊 Data consistency and conflict resolution
  • 🎯 Separation of concerns and SOLID principles
  • 🧪 Testing strategies for backend services

This project was a comprehensive learning experience that combined practical backend development with real-world security challenges. It provided insights into how secure cloud services work and the complexity involved in protecting sensitive user credentials.


👨‍💻 Project by

Oskar Karpiński (@oskarkarpinski.eu)

With contributions from the LibrePass community.


🔗 Get Connected


Built with ❤️ as a Learning Experience

A comprehensive journey through secure software development, from mobile clients to cloud backends

⭐ Star us on GitHub📖 Read the Docs💬 Discussions

Pinned Loading

  1. LibrePass-Android LibrePass-Android Public

    LibrePass Android Application

    Kotlin 112 6

  2. LibrePass-Server LibrePass-Server Public

    The core LibrePass infrastructure

    Kotlin 23 1

  3. LibrePass-Docs LibrePass-Docs Public archive

    LibrePass Technical Documentation

    4 2

Repositories

Showing 7 of 7 repositories

Top languages

Loading…

Most used topics

Loading…