Show HN: Bramble – Local-first password manager (github.com)
About Bramble:
It aims to be as feature-rich as all popular and a replacement for cloud-based providers. I don't think we need to store our data in the cloud and be at the whims of companies raising their prices every year. There's always a breach and then we find out that some fields aren't encrypted, metadata is visible, and so on. I'm frustrated with this and the increasing lack of transparency during these breaches.
The P2P sync in Bramble uses a Nostr relay (which can be self-hosted) to keep your devices in sync. The relay just introduces the devices to each other; the data then flows directly over WebRTC, so there's no vault server and no cloud copy of your passwords anywhere. What leaves your device is end-to-end encrypted and your devices authenticate each other directly, so a snooping or MITM relay gets practically nothing.
Crypto is all done in Rust so I can control exactly how key material lives and dies in memory (secrets get zeroed out, no GB leaving copies lying around). In Chromium it's a wasm module, on mobile it's native builds bridged over via uniffi.
Android app:
I'm still deciding whether to publish the app on Play store or simply provide the signed APK which users can sideload. Reason for that is Google's plan to lock down Android and take away ownership from its users. Read more about it here: https://keepandroidopen.com/
The app uses no Play APIs whatsoever and runs perfectly on GrapheneOS, where I actually did all my testing.
Questions, feedback, feature requests - all welcome!
TL;DR: I dislike private-equity and venture funded companies messing with our security, so I created my own Password Manager which is local-first, free, open source and as transparent as it gets.
63 comments
[ 4.1 ms ] story [ 90.5 ms ] threadI do too! And I appreciate your transparency about the vibe coding. But nowhere in the repository that I've found so far do you say who is writing this. For something like a password manager, I kind of need to know who's responsible for it, and who's reviewing the LLM source code, what they've done before, what their business model is, etc.
Can you share?
My name is Doug, based in Toronto, Canada. I've been a software engineer for over 10 years, working in various startups that handle very sensitive data (fintech, health tech, legal tech.) I've had the opportunity to build security-heavy software and directly handled sensitive info like SIN, bank details, patient histories etc.
Business model: This is essentially a passion project for me that I intend to keep working on - for usage within my family and the OSS community. This version of the app is always going to be free and open source. In the future if this were to ever take off and I now want to earn from it, I would probably do a business version with cloud storage (with self-host option)
The goal is offering an alternative that doesn't enshittify over time, secure, fully sovereign and convenient.
Give it a try and if you find anything, I'll prioritize fixing it. I'm really keen on getting a top-notch autofill engine.
Bramble's sync is built around its own encrypted vault instead. When two devices conflict it just compares timestamps on the encrypted entries and keeps the newer one as-is, without ever unwrapping your per-entry keys to merge. Nothing off the shelf did that against my vault format, so the core is custom. It's a pretty simple implementation tbh
I like that you made this P2P, I designed one that sits on top of sqlite and is 100% local first but is not P2P, take a look if you are interested in some prior art in this space:
https://saveoursecrets.com/
I decided to go with native apps all the way, Rust backend and Flutter front-end but kind of regret it now with how the Play/App stores are such a hassle to work with.
I'll check out your website and see what's up!
Honestly, though, I'm most intrigued by your P2P solution. I've built a couple of web apps as custom html elements that use indexedDB for storage and I've been trying to figure out the sweet spot for syncing the data between apps. I think this nostr relay hits the mark as something people can feel comfortable not self hosting, while power users can host their own solution. Seems like a great solution, to me! Any advice as to some footguns with the approach? I'm very interested in giving it a try myself[0], so any notes you think would prevent some re-work would be really appreciated!
[0] as a public domain/oss-licensed module, if there's a reasonable method of packaging it as a standalone library
What about using Nostr relays to also back up your data passwords? I built a library called Tablinum around this idea. Local first but backed up to Nostr relays using NIP-59 gift wrapped events.
https://tablinum.dev
With that said, I really do like Tablinum! I might need that for something else. How are merge conflicts handled?
It would be good to see screenshots of Bramble. The "sprawl of plugins and forks" in KeePass is why I use it. Many of the KeePass clients have modern UI's. I'll think about switching to Bramble when the sprawl begins.
Keepass also can't match URLs with Regex which is something I make use of in bitwarden.
I have also built a local first tool to manage big codebase and visualize it using AST and not using LLMs they hallucinate a lot https://github.com/animesh-94/Onboard-CLI
i have made it open source!!
To clarify: the protection comes from the encryption, not from where the file lives. Cleartext never touches the disk.
Most people are not going to think through where to store an encrypted folder on a share so that there is a backup. If you are targeting just tech forward users that's probably okay, but for larger usage, you might think about full disaster recovery case where a computer and phone are both lost, as well as how to make it easy on where a copy is always stored or sync'd so users don't have to worry.