zanni098/hemdal

Hemdal

Hemdal is a secure, cross-platform password, secret, and environment variable manager with peer-to-peer sync. It stores your credentials with end-to-end encryption and autofills them into websites via a browser extension.

Features

  • End-to-End Encryption: All vault items are encrypted with AES-256-GCM. Your master password is never stored; a vault key is derived using Argon2id.
  • Zero-Knowledge Architecture: Only encrypted blobs leave your device during sync.
  • Cross-Platform Desktop App: Built with Tauri (Rust + React), running on Windows, macOS, and Linux.
  • Browser Autofill: Chrome/Firefox extension detects login forms, fills credentials automatically, and offers to save new passwords.
  • Biometric Unlock: Unlock your vault with Windows Hello (Touch ID / Face ID support coming soon).
  • TOTP / 2FA Code Generator: Generate 6-digit 2FA codes from stored TOTP secrets with a live 30-second countdown.
  • Password Generator: Built-in generator with configurable length, character types, and strength meter.
  • Password Breach Check: Check passwords against the Have I Been Pwned database via its k-Anonymity range API, so only a hash prefix leaves your device.
  • Fuzzy Search: Quickly find items with fast substring-scored search.
  • Import / Export: Import from Bitwarden JSON, 1Password CSV, or generic CSV. Export to encrypted JSON or CSV.
  • System Tray & Auto-Lock: Minimize to tray, lock from tray menu, and auto-lock after 10 minutes of inactivity.
  • P2P Sync: Synchronize your vault across devices on your local network without any cloud server (framework ready).
  • Multiple Secret Types: Passwords, API keys, SSH keys, environment variables, secure notes, and credit cards.

Architecture

hemdal/
├── apps/
│   ├── desktop/          # Tauri desktop application (React + Rust)
│   ├── extension/        # Browser extension (Chrome/Firefox MV3)
│   └── web/              # Marketing website (Next.js + Supabase)
├── packages/
│   ├── types/            # Shared TypeScript types
│   ├── crypto/           # Shared crypto utilities
│   └── protocol/         # P2P sync protocol definitions

Security Model

  1. Master Password -> Argon2id -> Master Key
  2. Master Key -> Decrypts -> Vault Key (stored encrypted at rest)
  3. Vault Key -> AES-256-GCM -> All vault items

The browser extension never stores your master password or vault key. It communicates with the desktop app via a local HTTP API (localhost:19421) only when the vault is unlocked.
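The three-step key hierarchy above, worked as an added example that is not Hemdal's own code: the master key only ever wraps the vault key, and the vault key encrypts items, so changing the master password rewraps one 32-byte key and leaves every item ciphertext untouched. Assumptions: the KDF is stdlib scrypt standing in for the project's Argon2id, AES-256-GCM comes from the cryptography package, and the AAD labels and item ids are constructed.

```python
import hashlib
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12                         # 96-bit GCM nonce, fresh random per encryption
VAULT_KEY_AAD = b"hemdal:vault-key"    # constructed label binding the wrapped key to its purpose


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    # Stand-in KDF: stdlib scrypt instead of the Argon2id the project uses.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_(key: bytes, blob: bytes, aad: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def create_vault(master_password: str) -> dict:
    salt = os.urandom(16)
    vault_key = AESGCM.generate_key(bit_length=256)
    master_key = derive_master_key(master_password, salt)
    # Only the KDF salt and the wrapped vault key are written to disk.
    return {"salt": salt, "wrapped_vault_key": seal(master_key, vault_key, VAULT_KEY_AAD)}


def unlock(vault: dict, master_password: str) -> bytes:
    master_key = derive_master_key(master_password, vault["salt"])
    return open_(master_key, vault["wrapped_vault_key"], VAULT_KEY_AAD)  # InvalidTag on wrong password


def unlock_ok(vault: dict, master_password: str) -> bool:
    try:
        unlock(vault, master_password)
        return True
    except InvalidTag:
        return False


def encrypt_item(vault_key: bytes, item_id: str, plaintext: bytes) -> bytes:
    return seal(vault_key, plaintext, item_id.encode())  # item id as AAD: blobs cannot be swapped between items


def decrypt_item(vault_key: bytes, item_id: str, blob: bytes) -> bytes:
    return open_(vault_key, blob, item_id.encode())


def change_master_password(vault: dict, old: str, new: str) -> dict:
    # Rewraps the vault key only; every item ciphertext stays valid.
    vault_key = unlock(vault, old)
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_vault_key": seal(derive_master_key(new, salt), vault_key, VAULT_KEY_AAD)}
```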

Biometric Unlock (Windows Hello)

When enabled, a random biometric key is generated and protected by Windows DPAPI. The vault key is encrypted with this biometric key and stored on disk. On unlock, the system prompts for Windows Hello verification; DPAPI then decrypts the biometric key, which in turn decrypts the vault key. The master password is never stored.

Development

Prerequisites

Setup

# Install dependencies
pnpm install

# Build shared packages
pnpm build:desktop
pnpm build:extension

# Run the desktop app in dev mode
pnpm dev:desktop

# Build the browser extension
cd apps/extension
pnpm build
# Then load `apps/extension/dist` as an unpacked extension in Chrome

Desktop App Commands

# Dev mode
pnpm dev:desktop

# Build for production
pnpm build:desktop

# Build Tauri binary (installers)
cd apps/desktop && pnpm tauri:build

Browser Extension

  1. Build the extension: cd apps/extension && pnpm build
  2. Open Chrome and navigate to chrome://extensions/
  3. Enable "Developer mode"
  4. Click "Load unpacked" and select apps/extension/dist
  5. The extension will show a checkmark badge when the Hemdal desktop app is running and the vault is unlocked

Website (Next.js + Supabase)

The apps/web directory contains a beautiful marketing website built with Next.js, Tailwind CSS, Framer Motion, and Supabase.

Features:

  • Animated landing page with Hero, Features, Use Cases, Security, Download, and Newsletter sections
  • Supabase Auth (GitHub OAuth + Magic Link email)
  • Authenticated account dashboard
  • Contact / Newsletter API backend
  • Auto-deploys to Vercel on every push to master

Local Setup:

  1. Copy apps/web/.env.example to apps/web/.env.local
  2. Add your Supabase project URL and anon key
  3. Run the initial migration in apps/web/supabase/migrations/001_initial.sql
  4. Enable GitHub OAuth provider in Supabase Auth settings

Commands:

# Dev mode
pnpm dev:web

# Build for production
pnpm build:web

Deploy to Vercel (GitHub Actions):

  1. Install the Vercel CLI locally: npm i -g vercel
  2. Login: vercel login
  3. Link the project (from apps/web): cd apps/web && vercel link
  4. Get your token: vercel tokens create
  5. In your GitHub repo, go to Settings > Secrets and variables > Actions and add:
    • VERCEL_TOKEN — from step 4
    • VERCEL_ORG_ID — from .vercel/project.json
    • VERCEL_PROJECT_ID — from .vercel/project.json
    • NEXT_PUBLIC_SUPABASE_URL — your Supabase project URL
    • NEXT_PUBLIC_SUPABASE_ANON_KEY — your Supabase anon key
  6. Push to master and the site will auto-deploy via .github/workflows/deploy-web.yml

Roadmap

  • Core vault with AES-256-GCM encryption
  • Desktop app with React UI
  • Browser extension with form detection
  • Local HTTP API for extension communication
  • Browser extension save-new-credentials flow
  • TOTP code generation
  • Secure password generator
  • Import from 1Password / Bitwarden / CSV
  • Export to JSON / CSV
  • Fuzzy search
  • Password breach check via Have I Been Pwned
  • Biometric unlock (Windows Hello)
  • System tray with auto-lock
  • Full native messaging host support
  • iOS/Android app with native autofill
  • P2P sync over mDNS / WebRTC
  • Biometric unlock on macOS (Touch ID) and Linux

License

MIT
