v1.0.0 — Community Release

Privacy-first.
Zero cloud.
Always yours.

AES-256-GCM encrypted password manager and AI privacy tools — built for developers and security-conscious users who refuse to compromise their secrets.

⬇ Download Free Explore Products →

vault_encrypt.log

algorithm AES-256-GCM

kdf Argon2id

memory 128 MB

iterations 4

nonce 96-bit random / write

telemetry none ✓

network blocked ✓

status_

256

bit encryption

bytes to cloud

94+

secret patterns

// products

One suite.
Two weapons.

VaultMorph gives you an offline password vault and an AI privacy firewall — a complete security toolkit that never touches the cloud.

Password Manager

🔐

VaultMorph Vault

A fully offline password manager with military-grade encryption. Stores every credential, note, and TOTP secret locally — encrypted at rest, never leaving your device.

AES-256-GCM Argon2id KDF TOTP 2FA Biometric Android + Windows CSV import

⬇ Download Security details →

AI Privacy Tool

🛡

VaultMorph AI Shield

Sanitize API keys, credentials and PII before pasting into ChatGPT, Claude, or Copilot. Restore the originals from the AI's response. Your secrets stay on your machine.

94+ patterns Air-gapped detection Risk scoring Multi-session Windows Free community

🛡 Learn More Download →

// vault features

Every detail
hardened.

No shortcuts. No "good enough." Every feature in VaultMorph is built around the assumption that your secrets are worth protecting.

🔒

Per-field AES-256-GCM

Every field — username, URL, notes, TOTP secret — encrypted independently with a unique 96-bit random nonce on every write.

🧠

Argon2id Key Derivation

128 MB memory, 4 iterations, 4 threads. GPU and ASIC resistant. Your master password is never stored in plain text — anywhere.

🔑

TOTP Authenticator

Built-in RFC 6238 TOTP with QR scanning and manual entry. Compatible with Google Authenticator and Microsoft Authenticator.

👆

Biometric Unlock

Fingerprint and face unlock via Android BiometricPrompt API. Quick access without ever typing your master password in public.

📊

Password Health Engine

Live entropy meter on all password fields. Weakness detection, reuse checking. 50-bit minimum entropy enforced on registration.

📦

Encrypted .vmb Backups

Portable encrypted backup format with magic header verification, KDF version tagging, and independent AES-256-GCM encryption.

🚫

Network Blocked by Default

Android's network_security_config.xml blocks all outbound traffic. The app cannot phone home — not by accident, not by design.

⏱

Auto-Lock & Rate Limiting

30-minute idle timeout, progressive lockout after 5/10/20 failures. Clipboard auto-clears 30 seconds after any copy.

📁

Universal CSV Import

Import from Chrome, LastPass, Bitwarden, 1Password, and KeePass. Automatic column detection, no manual field mapping required.

Layer	Technology
Vault encryption	AES-256-GCM, per-field, unique nonce/write
Key derivation	Argon2id — 128 MB, 4 iters, 4 threads
Login hash	Argon2id (same params, GPU/ASIC resistant)
2FA	TOTP RFC 6238 + replay attack protection
Biometric	Android BiometricPrompt API
Backup format	.vmb — AES-256-GCM + magic header
Screenshot block	FLAG_SECURE on all screens
Network	Blocked — network_security_config.xml

// zero-trust design

The full security stack, documented.

VaultMorph was designed to pass a security audit from day one. Every vulnerability found during development was patched before v1.0.0 shipped — tracked and verified.

14 security findings were identified and fixed during internal review. From raw password storage to TOTP replay attacks — nothing shipped broken.

✅ No raw passwords stored ✅ TOTP replay protection ✅ Rate limiting enforced ✅ Idle expiry 30 min ✅ Clipboard auto-clear ✅ FLAG_SECURE active

Privacy-first.Zero cloud.Always yours.