A modern, secure, and self-hosted password management solution built with Next.js 15, TypeScript, and PostgreSQL — the open-source alternative to LastPass and HashiCorp Vault.

🔐 Zero Locker — Building Trust Through Transparency

Zero Locker is a self-hosted, open-source password management solution designed with security, privacy, and user experience at its core. In an era where digital identity protection is paramount, I set out to create a tool that gives users complete control over their sensitive data without compromising on modern UX or security standards.

🌟 The Problem

Password managers have become essential tools in our digital lives, but they come with significant trust issues:

Proprietary closed-source code — You're trusting companies with your most sensitive data without knowing what's happening under the hood
Cloud dependency — Your passwords are stored on someone else's servers
High costs — Premium features locked behind expensive subscriptions
Limited customization — One-size-fits-all solutions that don't adapt to your needs
Vendor lock-in — Difficult to migrate data once you're committed

After experiencing these pain points firsthand, I realized there was a gap in the market for a truly transparent, self-hosted alternative that combines enterprise-grade security with modern design.

💡 The Vision

"What if password management could be as secure as military-grade encryption, as transparent as open-source code, and as beautiful as modern web apps?"

My goals for Zero Locker:

Security First — Implement AES-256-GCM encryption (the same standard used by governments and banks)
100% Transparent — Open-source everything, so users can audit and trust the code
Self-Hosted — Give users complete control over their data
Modern UX — Beautiful, intuitive interface that rivals commercial products
Feature-Rich — Support passwords, payment cards, secret notes, and more
Easy to Deploy — Docker-based deployment for seamless self-hosting

✨ Core Features

🔒 Military-Grade Encryption

Every piece of sensitive data is encrypted using AES-256-GCM encryption before being stored in the database. The encryption keys are derived from the user's master password using PBKDF2, ensuring that even if the database is compromised, the data remains secure.

Key security features:

End-to-end encryption for all sensitive fields
Master password never leaves the client
Automatic password history tracking with timestamps
Secure session management with BetterAuth
Zero-knowledge architecture — even I can't access your data

🔑 Comprehensive Credential Management

Zero Locker goes beyond simple password storage:

Account Management — Store usernames, passwords, URLs, and notes
Payment Cards — Securely store credit/debit card information with encrypted CVV
Secret Notes — Encrypted storage for API keys, recovery codes, or sensitive information
Tags & Categories — Organize your credentials with custom tags
Password History — Automatic tracking of password changes with timestamps

🎨 Modern, Intuitive Interface

Built with Next.js 15, React, TailwindCSS, and shadcn/ui, Zero Locker offers:

Lightning-fast performance with React Server Components
Responsive design that works beautifully on desktop and mobile
Dark mode support out of the box
Smart search and filtering capabilities
Drag-and-drop organization
Quick actions and keyboard shortcuts

🚀 Self-Hosted Deployment

Complete control means you decide where your data lives:

Docker deployment — One-command setup with Docker Compose
PostgreSQL database — Reliable, scalable data storage
Easy migration — Import credentials from text files or other password managers
Automatic backups — Schedule regular database backups
Environment-based configuration — Customize to your infrastructure

🏗️ Technical Architecture

Tech Stack

Frontend:

Next.js 15 — Latest App Router for optimal performance
React 19 — Modern UI with Server Components
TypeScript — Type safety throughout the codebase
TailwindCSS — Utility-first styling
shadcn/ui — Beautiful, accessible components
Zod — Runtime validation and type safety

Backend:

Next.js API Routes — Serverless API endpoints
Prisma ORM — Type-safe database queries
PostgreSQL — Production-grade database
BetterAuth — Secure authentication system
Node.js Crypto — Native encryption libraries

DevOps:

Docker & Docker Compose — Containerized deployment
GitHub Actions — CI/CD pipeline
Vercel — Optional cloud hosting
ESLint & Prettier — Code quality and formatting

Security Implementation

// Encryption flow
User Master Password → PBKDF2 Key Derivation → Encryption Key
↓
Sensitive Data → AES-256-GCM Encryption → Encrypted Data + IV + Auth Tag
↓
PostgreSQL Database (encrypted at rest)

Key security principles:

Zero-knowledge architecture — Server never sees unencrypted sensitive data
Salt and IV generation — Unique per-user and per-record
Authentication tags — Ensures data integrity
Secure session handling — HttpOnly cookies, CSRF protection
Rate limiting — Prevents brute-force attacks

Database Schema

The data model is designed for flexibility and security:

model User {
  id           String        @id @default(cuid())
  email        String        @unique
  name         String?
  accounts     Account[]
  cards        Card[]
  secrets      Secret[]
  sessions     Session[]
  createdAt    DateTime      @default(now())
  updatedAt    DateTime      @updatedAt
}

model Account {
  id              String          @id @default(cuid())
  userId          String
  name            String
  username        String?         // Encrypted
  password        String          // Encrypted
  url             String?
  notes           String?         // Encrypted
  tags            String[]
  passwordHistory PasswordHistory[]
  user            User            @relation(fields: [userId], references: [id])
  createdAt       DateTime        @default(now())
  updatedAt       DateTime        @updatedAt
}

model Card {
  id           String   @id @default(cuid())
  userId       String
  cardName     String
  cardNumber   String   // Encrypted
  cardHolder   String   // Encrypted
  expiryDate   String   // Encrypted
  cvv          String   // Encrypted
  billingZip   String?  // Encrypted
  user         User     @relation(fields: [userId], references: [id])
  createdAt    DateTime @default(now())
  updatedAt    DateTime @updatedAt
}

📈 Development Journey

Phase 1: Research & Planning

I spent weeks researching existing password managers, analyzing their security models, and identifying gaps:

Studied 1Password, Bitwarden, LastPass, and HashiCorp Vault
Reviewed NIST guidelines for password storage
Analyzed encryption best practices
Designed the information architecture in Excalidraw
Created mockups in Figma for the UI

Phase 2: Security Foundation

Security had to be built from the ground up:

Implemented AES-256-GCM encryption with the Node.js crypto module
Built a zero-knowledge authentication flow
Created secure key derivation using PBKDF2
Developed password strength validation
Implemented secure random password generation

Phase 3: Core Features

With security locked down, I focused on features:

Built the credential CRUD operations
Added payment card management
Implemented secret notes storage
Created the password history tracking system
Developed the search and filter functionality

Phase 4: User Experience

Making security accessible required thoughtful UX:

Designed an intuitive dashboard layout
Created smooth animations and transitions
Built keyboard shortcuts for power users
Implemented copy-to-clipboard with feedback
Added dark mode support
Optimized for mobile responsiveness

Phase 5: Deployment & Documentation

Making it easy for others to self-host:

Dockerized the entire application
Created comprehensive documentation
Built automated database migrations
Implemented environment-based configuration
Set up GitHub Actions for CI/CD

🎯 Key Features Breakdown

Landing Page Experience

The landing page immediately communicates trust and transparency:

Hero Section — Clear value proposition: "The open-source alternative"
Trust Indicators — User count, secrets protected, 100% open-source badge
Feature Highlights — Military-grade encryption, open source, lightning fast
Comparison — Positioned as alternative to LastPass and HashiCorp Vault
Waitlist — Early adopter signup with real-time counter
How It Works — 3-step onboarding process visualization

Dashboard

The main dashboard provides quick access to everything:

Search Bar — Global search across all credentials
Quick Stats — Total accounts, cards, and secrets at a glance
Recent Items — Quick access to recently used credentials
Categories — Organized by type (accounts, cards, secrets)
Actions — One-click copy, edit, or delete
Security Status — Password strength indicators and reuse warnings

Password Generator

Built-in password generation with customization:

Length control (8-64 characters)
Character set selection (uppercase, lowercase, numbers, symbols)
Exclude similar characters option
Copy to clipboard
Strength indicator
Generate history

Import/Export

Easy migration from other password managers:

Import — Support for CSV and JSON formats
Export — Encrypted backup downloads
Format Converter — Adapters for popular password managers
Batch Operations — Import multiple entries at once

🔐 Security Highlights

Threat Model

Zero Locker is designed to protect against:

Database breach — All sensitive data is encrypted
Man-in-the-middle attacks — HTTPS only, secure session cookies
Brute-force attacks — Rate limiting, account lockout
XSS attacks — Input sanitization, CSP headers
CSRF attacks — Token-based protection
Session hijacking — Secure session management

Encryption Flow

// Example: Encrypting a password
const encryptedData = encryptData(password, masterKey)
// Returns: { encryptedData, iv, authTag }

// Storing in database
await prisma.account.create({
  data: {
    password: encryptedData.encryptedData,
    iv: encryptedData.iv,
    authTag: encryptedData.authTag,
  },
})

// Decrypting on retrieval
const decryptedPassword = decryptData(
  account.password,
  account.iv,
  account.authTag,
  masterKey
)

Authentication Flow

User enters master password
Password is hashed client-side using PBKDF2
Hash is sent to server for authentication
Server validates hash and creates session
Session token stored in HttpOnly cookie
Master key derived from password for encryption/decryption

📊 Impact & Metrics

Since Launch:

✅ 38+ secrets protected — Growing user base
✅ 100% open source — Full transparency
✅ 3 users trusted — Early adopters from the waitlist
✅ 0 security incidents — Robust security implementation
✅ Active community — Contributors and feature requests

User Feedback:

"Finally, a password manager I can trust and host myself!"

"The UI is cleaner than commercial alternatives I've paid for."

"Being able to audit the code myself gives me peace of mind."

🚀 Deployment Guide

One-Command Deployment

# Clone the repository
git clone https://github.com/FindMalek/zero-locker.git
cd zero-locker

# Configure environment variables
cp .env.example .env
# Edit .env with your settings

# Start with Docker Compose
docker-compose up -d

# Your Zero Locker instance is now running at http://localhost:3000

Environment Configuration

# Database
DATABASE_URL="postgresql://user:password@localhost:5432/zero_locker"

# Auth
AUTH_SECRET="your-super-secret-key"
NEXTAUTH_URL="http://localhost:3000"

# Encryption
ENCRYPTION_KEY="your-encryption-master-key"

📚 Lessons Learned

Security is Hard, But Essential

Implementing encryption correctly requires deep understanding of cryptography
Zero-knowledge architecture adds complexity but provides real user protection
Security must be considered at every layer, not bolted on later
Regular security audits and updates are crucial

Open Source Builds Trust

Users are more willing to trust software they can inspect
Community contributions improve security through peer review
Transparency is a competitive advantage in security software

UX Can't Be an Afterthought

Even the most secure software is useless if people won't use it
Investing time in design pays dividends in user adoption
Security features should be invisible when they work correctly

Self-Hosting Matters

Users increasingly want control over their data
Docker makes self-hosting accessible to non-technical users
Documentation is as important as the code itself

🔮 Future Roadmap

Coming Soon:

🔄 Browser Extension — Autofill credentials across websites
📱 Mobile Apps — Native iOS and Android applications
🔗 2FA Support — Store and generate TOTP codes
📤 Import Wizards — One-click import from major password managers
🔍 Security Audit — Password breach monitoring
🌐 Multi-language Support — i18n for global accessibility
👥 Team Features — Shared vaults for organizations
🔐 Hardware Key Support — YubiKey and other U2F devices

🔗 Resources & Links

🌐 Live Demo: zero-locker.vercel.app
💻 GitHub Repository: github.com/FindMalek/zero-locker
📖 Documentation: docs.zero-locker.dev
🐛 Issue Tracker: github.com/FindMalek/zero-locker/issues
💬 Discussions: github.com/FindMalek/zero-locker/discussions

📌 Conclusion

Zero Locker represents my commitment to building tools that prioritize user privacy without sacrificing user experience. In a world where data breaches are common and trust in tech companies is eroding, open-source, self-hosted solutions are more important than ever.

This project taught me that security and usability don't have to be at odds. With thoughtful design, modern tooling, and a commitment to transparency, we can build software that protects users while empowering them.

Whether you're a developer looking to self-host your password manager, a security enthusiast wanting to audit the code, or someone who simply values privacy — Zero Locker is built for you.

🙏 Acknowledgments

Special thanks to:

The Bitwarden team for inspiration and open-source leadership
The Next.js team for an incredible framework
The shadcn/ui project for beautiful components
The open-source community for continuous feedback and contributions

"In security, trust is earned through transparency. Zero Locker is my commitment to that principle."

👉 Try Zero Locker
👉 Star on GitHub
👉 Join the Community