AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Hi PrivacyGuides!

I’m excited to introduce AliasVault, an open-source password and (email) alias manager designed to protect your privacy online.

AliasVault combines password management with unique identity generation, including email aliases, to help you compartmentalize your online presence. This helps in preventing third parties (e.g. data brokers) from creating shadow profiles of you, a common issue when the same email address is used across multiple services. AliasVault is end-to-end encrypted, fully self-hostable, and designed with privacy-first principles at its core.

This project was recently mentioned by a PrivacyGuides.net user in another forum section, and I’m happy to now formally present it here to gather feedback from privacy enthusiasts like you. Briefly about me: I’m Leendert, a software developer with over 15 years of experience and a long-term privacy enthusiast myself. As an example of this I’ve been running SpamOK.com, a free temp email service since 2013.

Over the past year, I’ve poured my heart into AliasVault, dedicating much of my free time to creating a tool that empowers people to take control of their digital identities.

AliasVault is completely free and open-source under the MIT license because I believe privacy is a right, not a privilege. While I plan to introduce optional convenience features for the cloud version in the future (for a small fee to cover upkeep and aid future development), the self-hosted version will always remain free and accessible.

I’d love your help, whether by trying it out, sharing it with friends, or simply offering feedback / advice.

Key Features:

  • Unique Identities & Passwords: Generate unique email aliases and strong passwords for every service.
  • Self-Hosted Email Server: Create and manage aliases without relying on third-party services.
  • Zero-Knowledge Design: AES-256-GCM and Argon2id encryption ensure your data is secure. Your master password never leaves your device.
  • Open-Source & Self-Hostable: Review, audit, and deploy AliasVault on your own infrastructure. Installation is quick with Docker (also supports ARM for Raspberry Pi).
  • Official Cloud Version: For convenience, a fully-supported hosted option is available.

Try it Out:

I’m also proud to share that a community member created an independent in-depth review and self-hosting tutorial for AliasVault. Check it out on YouTube: https://www.youtube.com/watch?v=T7IqvNj5b2M

Future Plans:

I’m working to meet all PrivacyGuides’ recommended criteria for listing, with the security audit being a top priority. Transparency, open-source availability, and privacy-first practices are core to AliasVault.

Here are some of the short-term priorities (< 4-6 months):

  • Security Audit: I’m actively exploring options with independent auditors and have applied for grants to support this effort. Hope to be able to share progress on this in the coming weeks.
  • Feature Roadmap: The up-to-date roadmap is published on GitHub, but the biggest things being worked on right now are:
    • Creating browser extensions (Chrome/Firefox) with autofill mechanism. Already making good progress on this and it’s looking really nice, hope to have the first version out in the next two weeks.
    • Custom domain support on cloud version
    • Allow importing passwords from other password managers

Additional plans for the longer-term:

  • Adding native mobile apps (iOS/Android)
  • Team / organization features (sharing passwords/aliases)
  • Integrating disposable phone number service for SMS confirmation

Feedback

I’d love to hear your thoughts:

  • Would AliasVault fit into your privacy toolkit?
  • What features or improvements would you prioritize?
  • How can I make it easier for self-hosters and privacy advocates to adopt?

Your feedback will directly shape AliasVault’s development, so please share your thoughts. Thank you for taking the time to read about AliasVault, much appreciated! Looking forward to your input! :pray:

25 Likes

It looks interesting, I’ll try it out. Is it also based in the Netherlands like your other project? I’d rather use something that’s under GDPR.

Thanks for giving it a try! Both of my projects are hosted on my own servers with Hetzner in Germany, so yes, they are fully compliant with GDPR data protection regulations.

4 Likes

You’ve made a perfect solution! I can deal with the lack of TOTP support since I don’t recommend keeping it in your primary password manager anyways.

Thanks for your feedback :slight_smile:. I do hope to add TOTP support to the client in the near future, which shouldn’t be too hard as AliasVault already has TOTP functionality built-in for its own 2FA.

I’m also making good progress on the browser extension, I’m estimating I’ll have the Chrome version out somewhere next week. This will make using AliasVault a lot easier with smart autofill, and being able to create an alias + email for a website with just one click when you’re on the signup form. I’ll post an update on it when it’s available.

5 Likes

Yay! for the new upcoming updates!

Please also release the .xpi file for Firefox at least if Mozilla takes long to publish it for Firefox. Btw, I hope you will also make and release one for Firefox?!

How can the account be deleted? I wanted to delete the one I set up to try creating a different kind of vault from the beginning, but I can’t see how to delete the existing one.

Yes, I second this. Being able to delete should be easy and one or two clicks at most - and be made available soon. I hope it is.

2 Likes

@anon36940904 Yes after the Chrome extension is done I’ll focus on adapting it to support Firefox next. If publishing on the app store takes too long I’ll make sure to publish the files separately too.

@Sectional2932 Good point! Account deletion is currently only supported on the self-hosted version through the admin panel. The cloud version does not have a self-delete option yet. There is already an issue for this on GitHub: Add user delete account option to client app · Issue #373 · lanedirt/AliasVault · GitHub. I’ll try to get this feature included on the next release which should be published in the next few days. :slight_smile: If you wish to have your account deleted on the cloud version immediately then feel free to send me a PM and I can do it for you.

1 Like

It looks like that’s been in the backlog since December, so it might not be live anytime soon. I’ll send you a DM to delete the account, and I’ll consider it again when people can delete their own vaults.

I recommend adding an update here when account deletion is supported.

Happy to share that today AliasVault update 0.12.0 (and 0.12.1) have been released!

Updates:

  • AliasVault now has its own browser extension starting with Google Chrome, enabling autofill on register and login forms. It’s currently pending review in the Chrome Web Store, which can take a couple of days up to three weeks. It is possible to install it manually in the meantime, see instructions here: Release 0.12.0 · lanedirt/AliasVault · GitHub. I’m going to make a video in the coming days to showcase all the features of the browser extension. Will post that later.
  • Adds account self-delete option to client
  • Adds option to disable all authentication IP logging for self-hosted installs (was requested by another user)
  • Additional interface / UI tweaks

@Sectional2932, as discussed previously in this thread, the account delete option is now available :slight_smile:.

Regarding the AliasVault browser extension: once the Google Chrome version has been accepted, I’ll begin work on porting it over to Firefox and other browsers.

11 Likes

Fantastic news! Thanks for the continued work and update with improvements.

2 Likes

Thanks for the updates. I will create a new account and try out the updated version.

Thank you!

Yes, I’ve considered adding a travel/duress mode before, and I think it would be a valuable feature. I haven’t personally encountered a situation where I needed to show my phone or laptop while traveling, but from what I’ve read, this seems like an important addition to a password manager. I’d love to hear your thoughts, have you run into situations that made you (want to) use this feature, or do you have any suggestions on a good way to implement this?

I would rather have a fantastic web app working instead of an app in full. Something like how Cryptee does it. But I hear it could be a lot harder to ensure on mobile and an app is just easier to make relatively.

If there is an app, you can always delete it when you need to but if the phone is inspected, they can see what apps you had downloaded. That’s why a web app is better since you can simply delete all history and site data and you’re done.

Hi everyone, happy to share that after a lot of continued hard work the new update for AliasVault (https://www.aliasvault.net) is out now:

AliasVault 0.14.0:

  • Browser extension available everywhere: The AliasVault browser extension has been released and approved for all major browsers: Chrome, Firefox, Edge and Safari (macOS). It also works with all Chromium-based browsers such as Brave.
  • Built-in 2FA authenticator: AliasVault now includes a built-in 2FA TOTP authenticator which allows you to store and generate 2FA tokens straight from your vault. Generating 2FA codes works with both the web-app and browser extensions. (Compatible with Google Authenticator)
  • Misc improvements: there have also been a lot of smaller improvements made to the UI and user experience in general. Tweaks to the self-hosted setup experience, improved admin screen, improved documentation etc.

Next big thing I’m working on is a roadmap that will be published soon, which will include all the remaining work that will lead up to the 1.0 release. Major things in scope are native iOS/Android apps and improving alias/identity data structure to support importing passwords from existing password managers.


Also, as an update on the security audit side: I had a meeting with security auditors to discuss AliasVault, and they expressed interest in taking it on. I asked what a full audit of AliasVault’s scope might entail, and I’ve received estimates in the range of xx.xxx USD, which is quite a bit more than I expected. Since this is an open-source project, I don’t have the funds to cover that myself. That’s why I’ve applied for grants with NLnet and the OpenTech Fund a few weeks back. They’ve informed me there are some delays, and that the application is still being processed. I hope to receive a response within the next 2–3 weeks after which I can give a full update on this.

I’m again happy to receive your feedback / ideas if you had the time to give AliasVault a try. And also happy to answer any questions.

@ihateKYC: as you asked about it in one of your previous replies, happy to let you know TOTP support has now been added. :slight_smile:

7 Likes

Thank you for the continued work and improvements. And glad to know more improvements are on the way!

For the audit cost, you can open up donations that can act as future subscription value for those who donate (a certain amount) to help you cover the costs. This may be logistically difficult to ensure but it’s possible. Just an idea.

Thanks again for providing a legitimate alternative for such a tool in the privacy space.

2 Likes

It might be wise not to rush your security audit, especially since your service currently generates little revenue and remains in its early development phase.

Keep in mind that 1Password was released in 2006 and completed its first security audit in 2014, while Bitwarden waited two years before undergoing its first audit.

Given that you’re operating independently and your service is already open source, it may be best to conduct a third-party audit once you have sufficient revenue.

2 Likes

Thanks for your insights and suggestions!

@anon36940904, I appreciate your support and the idea about accepting donations as future subscription credits. That’s something I’ll definitely consider if the grant application won’t (fully) work out, especially as premium features and subscriptions come into play later from a business perspective.

@patron, great point about the timing of security audits in relation to other projects like 1Password and Bitwarden. I wasn’t aware of 1Password and Bitwarden’s specific history regarding that, that’s good to know. My earlier discussions with the cybersecurity auditors do align with your suggestion: we’re aiming for the full security audit around the stable 1.0 release, when all major architecture, including data model refactoring and upcoming client logic for iOS/Android, is settled. When everything goes according to plan this could be somewhere near Q3/Q4 this year.

I’m however hopeful about the grant applications, as securing these funds would greatly enhance AliasVault’s security, benefiting all current and future users.

4 Likes

:rocket: AliasVault 0.16.0 is out now!
Hi everyone, happy to share that a new update for AliasVault is live!

Here’s what’s new since the last post:

AliasVault 0.16.0:

  • Import Wizard: You can now easily import credentials from other password managers with the brand-new import wizard. Currently supported: 1Password, Bitwarden, Chrome, Firefox, KeePass, KeePassXC, and Strongbox. (If you’re missing a service that you’re using now, please let me know!)
  • Customizable Password Generator: You can now set your own password generation patterns globally or per credential, respected by the browser extension.
  • Streamlined UI for Username/Password Logins: AliasVault now offers a cleaner and more intuitive interface for managing traditional credentials (just username + password). This is live across both the web app and browser extensions.
  • Quality-Of-Life tweaks: Create custom credentials directly in the browser extension, improved autofill, enhanced admin analytics & user management, improved loading status indicators to match AliasVault look & feel.

Also, the roadmap for v1.0 has been published on GitHub, which contains all the areas/features that will be worked on in the coming months: AliasVault v1.0 roadmap · Issue #731 · lanedirt/AliasVault · GitHub

Over the coming weeks, my main focus will be R&D and development of the upcoming AliasVault native iOS and Android apps. These apps will enable seamless autofill of credentials across mobile platforms, making the AliasVault ecosystem one step closer to working everywhere :slight_smile:

8 Likes