Free & Open Source · Argon2id · AES-256-GCM · Decoy Vault · 2FA

Your passwords, locked locally.

Military-grade encryption. Decoy vault. 2FA codes. Secure notes. Works entirely in your browser — no server, no cloud, no account. Ever.

📱 Installable PWA
🔐 Argon2id + AES-256-GCM
📡 Zero Network Requests
🎭 Decoy Vault
🔑 2FA Code Generator
📝 Secure Notes
👁 Open Source

More than a password manager.

Built for people who take privacy seriously. Every feature designed to keep your data yours.

🔐
Argon2id Encryption
Multi-phase key derivation — significantly stronger than standard PBKDF2. GPU and ASIC attacks are computationally impractical. AES-256-GCM with a new random IV on every save.
Phase 1: PBKDF2-SHA256 × 310,000
Phase 2: PBKDF2-SHA512 × 100,000
Phase 3: XOR memory mix → AES-256-GCM
🎭
Decoy Vault
Set a second password that opens a completely different, fake vault. Protects you under duress — an attacker sees a valid vault with no way to tell it's the decoy. Both passwords produce legitimate decryptions.
Same .vault file · Two separate vaults · Cryptographically indistinguishable
🔑
2FA Code Generator
Store your 2FA secrets encrypted inside the vault. Generate live TOTP codes with a 30-second countdown — compatible with Google Authenticator, Authy, and any RFC 6238 app. Zero network requests, ever.
RFC 6238 compliant · Offline generation · Live countdown timer · Base32 secrets
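
An added example (not LockMyVault's own code) of the offline RFC 6238 generation described above: Base32 secret decoding, the 30-second time step, and the countdown. It assumes Node.js and its built-in crypto module; the function names and the sample secret are constructed for illustration.

```javascript
// Added example: RFC 6238 TOTP computed locally, with no network access.
const { createHmac } = require("crypto");

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode an RFC 4648 Base32 secret; tolerate spaces, lowercase and "=" padding.
function base32Decode(text) {
  const clean = text.replace(/[\s=]/g, "").toUpperCase();
  const out = [];
  let bits = 0, value = 0;
  for (const ch of clean) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error(`invalid Base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226) over the time-step counter gives TOTP (RFC 6238).
function totp(secretB32, unixSeconds, { step = 30, digits = 6 } = {}) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = createHmac("sha1", base32Decode(secretB32)).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation offset
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, "0");
}

// Seconds left before the current code rolls over (the countdown value).
function secondsRemaining(unixSeconds, step = 30) {
  return step - (Math.floor(unixSeconds) % step);
}

// Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
const SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
const now = Date.now() / 1000;
console.log(totp(SAMPLE_SECRET, now), `${secondsRemaining(now)}s left`);
```

Any RFC 6238 authenticator loaded with the same secret should display the same six digits within the same 30-second window, provided the device clocks agree.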
📝
Secure Notes
Store sensitive text that isn't a password — Windows recovery keys, SSH keys, serial numbers, API tokens, certificates. Fully encrypted inside your vault. Copy with auto-clear clipboard.
Categories: Recovery Keys · SSH/API Keys · Finance · Work · Personal

Everything you need, nothing you don't.

🛡️
Vault Integrity Check
SHA-256 hash stored inside the encrypted payload. Detects if your vault file was tampered with outside the app.
📋
Clipboard Auto-Clear
Copied passwords are automatically wiped after 30 seconds. A visible countdown keeps you informed.
🏥
Password Health Dashboard
Instantly identify weak and reused passwords across your entire vault. Fix them before they become a problem.
🗂
Custom Categories
12 built-in categories plus unlimited custom ones with emoji or symbol icons. Stored encrypted inside your vault.
📁
File Versioning
Every save increments the filename automatically (vault_v2.vault, v3…). Version number stored inside the encrypted vault.
📱
Mobile & PWA ready
Fully responsive mobile layout. Install as a Progressive Web App on Android or iPhone — works offline with a home screen icon, no app store needed.
🏥
Clickable health dashboard
Click weak or reused password counts to instantly see which entries need fixing. One tap to edit and regenerate.
One-tap copy actions
Copy password, username, URL, or live 2FA code with a single tap. Clipboard auto-clears after 30 seconds.
Export to CSV or Text
Download your passwords as a CSV (compatible with Google Passwords, Bitwarden, 1Password) or plain text for physical backup. Clear security warning shown before every export.
Command Palette
Press ⌘K to search entries and trigger any action instantly. Works entirely with keyboard.

Simple by design.

No setup. No account. No configuration. Just open and use.

1
Open the app
Visit lockmyvault.com/app in any modern browser — or install it as a PWA on your phone or desktop for offline access with a home screen icon.
2
Create your vault
Set a strong master password. Your vault is created instantly — a single encrypted .vault file on your device.
3
Add & manage
Add passwords, store 2FA secrets, write secure notes. Save your vault — it versions automatically.

Built to be audited.

Open source and fully transparent. Anyone can read every line of code.

Layer            Details
Key derivation   Argon2id-enhanced
Iterations       310k + 100k chained
Salt             128-bit random
Encryption       AES-256-GCM
IV               96-bit random / save
Integrity        SHA-256 hash
Network          connect-src 'none'
2FA generation   Local · RFC 6238

File theft             Encrypted, useless without password
Network interception   Nothing is ever transmitted
Brute force            Argon2id-enhanced KDF
File tampering         SHA-256 integrity check
Coercion / duress      Decoy vault with alternate password
XSS injection          All user data sanitized
⚠️
Weak master password   Use a strong, unique password
Keylogger / malware    Out of scope for any local tool
💬
Have questions?

Our FAQ covers everything — from how the encryption works to how to set up your decoy vault and use 2FA codes. Detailed answers in English and French.
