The Industrial-Grade, Zero-Knowledge Secret Manager.
Fortivault is a three-part ecosystem for managing passwords, API keys, and environment variables. It is designed to keep key material and cryptographic operations out of the browser, the most exposed component of a web stack. Through a "bridge" architecture built around a native Rust engine, Fortivault performs all decryption inside that engine, never in browser JavaScript.
Fortivault is built from three components with separate responsibilities and trust boundaries:
- Fortivault Web (SvelteKit): Administrative interface and viewer. It acts as a "dumb" terminal that requests cryptographic operations from the desktop client.
- Fortivault Core (Rust/Tauri): The "brain" of the project. It manages private keys, AES-256-GCM encryption, and integration with OS biometrics.
- Fortivault Server (NestJS/PostgreSQL): The orchestrator. It manages RBAC permissions, encrypted data synchronization, and audit logs.
The project follows a rigorous Neobrutalist aesthetic to convey robustness and clarity:
- Palette: Blue (#3B82F6), Black (#000000), and Grey (#F3F4F6).
- UI: 4px borders, solid shadows, and mono typography for sensitive data.
- UX: Physical visual feedback: "sinking" buttons and components that react to the status of the Rust engine.
- The server only stores encrypted payloads.
- Private keys reside exclusively within Fortivault Desktop.
- Local decryption: plaintext secrets never touch the database.
- Personal Vaults: Individual secrets.
- Department Vaults: Sharing based on asymmetric encryption (Group Keys).
- RBAC: Fine-grained control over who can view, edit, or manage vaults.
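As an added illustration of the pairing and encryption model described above (example code written for this page, not Fortivault's own engine, which is in Rust): both sides perform an ephemeral X25519 ECDH exchange (FR01), derive a session key from the shared secret, and the desktop side seals a secret with AES-256-GCM before it reaches the browser. Go is used because its standard library covers X25519 and AES-GCM. The salt and info labels, the associated-data string and the sample secret are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveSessionKey turns the raw X25519 shared secret into a 32-byte AES-256 key with
// one HKDF-style extract-then-expand step. The salt label is an assumption for this example.
func deriveSessionKey(shared []byte, info string) []byte {
	extract := hmac.New(sha256.New, []byte("fortivault-pairing-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
// aad is authenticated but not encrypted, so it can carry the vault entry identifier.
func sealSecret(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openSecret reverses sealSecret; any change to nonce, ciphertext, tag or aad is rejected.
func openSecret(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed payload too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// pairAndDeliver models one pairing round trip: both sides generate an ephemeral X25519
// key pair, exchange only public keys, derive the same session key, and the desktop seals
// a decrypted secret for this browser session. No long-term private key crosses the channel.
func pairAndDeliver(secret string) (string, error) {
	curve := ecdh.X25519()
	browserPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	desktopPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	// Each side combines its own private key with the peer's public key.
	browserShared, err := browserPriv.ECDH(desktopPriv.PublicKey())
	if err != nil {
		return "", err
	}
	desktopShared, err := desktopPriv.ECDH(browserPriv.PublicKey())
	if err != nil {
		return "", err
	}
	if !hmac.Equal(browserShared, desktopShared) {
		return "", errors.New("ECDH shared secrets differ")
	}
	const info = "fortivault session v1" // assumed context label
	browserKey := deriveSessionKey(browserShared, info)
	desktopKey := deriveSessionKey(desktopShared, info)
	aad := []byte("vault:personal/DATABASE_URL") // constructed identifier bound to the payload
	sealed, err := sealSecret(desktopKey, []byte(secret), aad)
	if err != nil {
		return "", err
	}
	plain, err := openSecret(browserKey, sealed, aad)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	got, err := pairAndDeliver("postgres://app:s3cret@db.internal/app") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("browser received:", got)
}
```

Two properties are worth checking against whatever engine you actually build on: only ephemeral public keys cross the pairing channel, so the browser never learns a long-term private key; and GCM rejects any change to the ciphertext, tag or associated data, so a sealed value cannot be silently rebound to a different vault entry.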
The Fortivault Run feature injects secrets straight into the environment of the process it launches, so they exist only in that process's memory:
fortivault run "npm run dev"
No .env file is written to disk, which prevents secrets from being committed to a repository by accident.
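The injection step, as an added Go example rather than the project's CLI (the real command is fortivault run; the secrets map below is constructed sample data standing in for what the engine returns after local decryption): decrypted values are validated, merged into the child's environment with precedence over inherited variables, and handed to a POSIX shell, with nothing written to disk.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"sort"
	"strings"
)

// envName is the portable shape of an environment variable name.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// buildEnv merges decrypted secrets into a base environment and returns the
// KEY=VALUE list the child will receive. Secrets win over inherited variables of
// the same name, names are validated, and NUL bytes are rejected because the OS
// cannot pass them. The result is sorted so the output is stable.
func buildEnv(base []string, secrets map[string]string) ([]string, error) {
	merged := make(map[string]string, len(base)+len(secrets))
	for _, kv := range base {
		name, value, _ := strings.Cut(kv, "=")
		merged[name] = value
	}
	for name, value := range secrets {
		if !envName.MatchString(name) {
			return nil, fmt.Errorf("invalid variable name %q", name)
		}
		if strings.ContainsRune(value, 0) {
			return nil, fmt.Errorf("value of %s contains a NUL byte", name)
		}
		merged[name] = value
	}
	env := make([]string, 0, len(merged))
	for name, value := range merged {
		env = append(env, name+"="+value)
	}
	sort.Strings(env)
	return env, nil
}

// runWithSecrets launches cmdline through the POSIX shell (assumed to be at "sh")
// with the secrets present only in the child's environment. Nothing touches disk;
// the secrets map stands in for what the native engine hands over after
// decrypting locally.
func runWithSecrets(cmdline string, secrets map[string]string) error {
	env, err := buildEnv(os.Environ(), secrets)
	if err != nil {
		return err
	}
	cmd := exec.Command("sh", "-c", cmdline)
	cmd.Env = env
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	// Constructed secrets; in the real flow they come from the decrypted vault.
	secrets := map[string]string{
		"DATABASE_URL": "postgres://app:s3cret@db.internal/app",
		"API_KEY":      "sk_test_example",
	}
	// Prints the length only, so the secret itself never reaches the terminal.
	if err := runWithSecrets(`echo "API_KEY is ${#API_KEY} chars long"`, secrets); err != nil {
		fmt.Fprintln(os.Stderr, "run failed:", err)
		os.Exit(1)
	}
}
```

Keep two limits in mind when relying on this pattern: the environment is inherited by every descendant the command spawns, and on Linux any process running as the same user can read it from /proc/<pid>/environ, so runtime injection removes the on-disk artifact but does not protect against a compromised user session.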
Fortivault includes an integrated mail system using Mailpit:
- Zero external dependencies — No SendGrid, AWS SES, or Sendmail required
- Isolated mailboxes: each user has a user@fortivault.local address
- Air-gapped friendly: works in offline/isolated networks
- Automatic retention — Emails expire after 30 days
- Admin dashboard — View queue, manage mailboxes at http://localhost:8025. Anyone who can reach this port can read every mailbox, including password-reset links, so keep it bound to localhost and do not expose it beyond the host.
Email workflows:
- Account activation
- Password reset notifications
- Department invitations
- Security alerts
- Frontend: SvelteKit + TailwindCSS
- Backend: NestJS + PostgreSQL
- Core & Desktop: Rust + Tauri
- Queue/Cache: BullMQ + Redis
- Email: Mailpit (internal sandbox, zero external dependency)
- Monorepo: Turborepo
- Validation: Zod
- FR01: Secure Browser-Desktop pairing via ECDH.
- FR02: Creation of Personal and Department vaults.
- FR03: Support for types: Password, API Key, and Env Vars.
- FR04: Mandatory decryption within the Rust engine.
- FR05: Immutable audit logs on the Backend.
- FR06: Functional CLI for runtime variable injection.
- FR07: "Break-glass" recovery system via Shamir's Secret Sharing.
- Clone the monorepo:
git clone https://github.com/your-user/fortivault.git
- Install dependencies:
pnpm install
- Start the development environment:
pnpm dev
Distributed under the MIT License. See LICENSE for more information.
Developed with a focus on maximum security and raw performance.