AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Thank you so much for getting back. I truly do appreciate the improvements. I should have explicitly mentioned that in my last comment. And I’m glad to see AliasVault improve as much and as quickly as it is, which underscores your efforts for the same.

I’ll keep testing as you keep improving and will get back when I have more substantial things to talk about. Thank you again.

2 Likes

I keep my AliasVault (AV for short) credentials in KeePass. But right now, in order to log in to AV, I have to copy both my username and password (for example, UUU—PPP), paste them into the AV username field (UUU—PPP), and then cut/paste the password (PPP), then delete ‘—’ (without ’ ') from username field to put them into the AV password field. This is not a good security measure.

I think a good number of people use password managers for this as well.

Can you allow AV to open in a new window? You can check this https://community.bitwarden.com/uploads/default/original/3X/7/8/78b813dd74283290db9c3e7077804dae4c5fae82.png

Thank you.

I’m sorry, but I don’t understand the point of this tool. Why would I need it if I already have SimpleLogin and Bitwarden?

Because this tool is offering what that combination is offering all in one tool. Also, more options are always a good thing and we need competition in the privacy space with similar and different tools.

Also, the way you say it implies that you’re following a faulty logic to say the least. It’s like asking, why do I need to eat different kinds of food when one kind of food exists. Silly, no?

7 Likes

Hi @suvubi,

Thanks for your suggestion. I assume you’re talking about the browser extension for the login process, correct? Assuming you do, I agree it’s a good idea to add an “open in new tab” button to the login page. This button already exists for the credential and email detail pages to “pop out” the extension. But having it on the login page too, for autofilling multiple fields from a different password manager, makes sense. I’ll include this in the next release. :slight_smile:

1 Like

You may find this article interesting as it covers the issues with Copyleft+CLA: /concerns/copyleft-cla

It’s arguably worse than being closed source in some ways, because it creates a significant power imbalance with the illusion of openness. Closed source on the other hand is at least upfront about the power imbalance and makes no illusions.

Copyleft without a CLA on the other hand is a much more balanced playing field. The project owners must abide by the terms of the license (say the AGPL) for external contributions, and reciprocally, external contributors must abide by the terms of the license for contributions from the project owners.

2 Likes

Hi @RoyalOughtness and @anonymous261, thanks for your feedback and suggestions regarding AliasVault’s open-source license and use of a CLA (Contributor License Agreement).

I did some more reading on this topic, and agree with the sentiment that a CLA sends the wrong message and can create power imbalances. I have now updated the CONTRIBUTING.md to remove the CLA template entirely and clarify that no CLA is required for AliasVault contributions:

License and Contributions
AliasVault is licensed under the GNU Affero General Public License v3.0 (AGPLv3). By submitting code, documentation, or other contributions to this project, you agree that:

  1. Your contribution will be licensed under the same AGPLv3 license as the project
  2. You have the legal right to grant this license (e.g., you are the author, or have permission)
  3. You understand that your contribution will be made public under the AGPLv3 terms
  4. You are not expected to provide support or warranties for your contribution

:white_check_mark: There is no Contributor License Agreement (CLA) required. We believe in a balanced open source model where all contributors are treated equally under the terms of the AGPLv3.

By using AGPLv3 without a CLA, AliasVault remains fully open and fair for everyone: all contributors (including myself) are equally bound to share any changes under the same license, ensuring true software freedom and transparency.

I’m proud to say that with this, AliasVault is one of the only fully open-source password managers (both client and server) that is 100% licensed under AGPLv3 with no CLA strings attached.

Unlike:

  • Bitwarden – AGPLv3 but with a CLA
  • Vaultwarden – no CLA, but only server-side; Bitwarden’s clients are still required which are under their own CLA
  • Proton Pass – open source client apps, but closed source server
  • 1Password – fully closed source

I’m committed to position AliasVault as a genuinely open, transparent, and user-respecting alternative and to set an example going forward. Thanks again for the feedback!

7 Likes

Hey ! First of all thank you for working on this project ! Still did not try it but if I understood correctly it brings something new to other PM (aliases integrated with password manager).
Edit: verified and yes Bitwarden can create aliases through others services’ APIs but yours wholly integrates both ! :+1:

Do you have updates on this ?

I think this is the only hard requirement AliasVault does not fulfil before we start considering it.

Best regards

Also : what will happen to AliasVault if you can’t keep working on it tomorrow ? You seem to be the only person running AliasVault (the hosted version)

Another comment : Thrilling, love that after showing AV’s strengths compared to SimpleLogin, you also point out two weaknesses of AV compared to SL. GOAT. Love this.

Oops : I was about to try your service but I saw that AliasVault aliases can’t be used to reply or send emails… This is a serious issue for me.

I see that you plan to add phone numbers aliases. Can you precise wdym ? One-time phone numbers or phone numbers rentals ? Would it be similar to SMSPool.net ? To say the least, this type of business doesn’t run itself and you seem alone on AliasVault. So if you plan to do email aliases, phone number aliases, password manager, password generator, identity generator, … won’t it be too much ?

This would be like combining strongphrases.net, Addy.io, Bitwarden and SMSPool. :sweat_smile: Alone.

Hi @mangomango,

Thanks for your questions and your interest in AliasVault! You asked multiple questions, so let me try and address your points one by one:

1. Security audit update
Yes, a few weeks ago I mentioned I’d be able to share an update soon. In the meantime I did receive feedback, and unfortunately, AliasVault was not selected for the grant that would’ve funded the audit. That said, my goal is still to have a proper third-party security audit completed before v1.0 is released (planned for end of this year). The main challenge now is funding, and I’m actively exploring alternative ways to secure that. I’ve already reached out to several other parties so I hope something will come out of that.

2. Email reply/send support
Yes, replying or sending emails via AliasVault aliases isn’t possible yet. This feature is however on the roadmap for v1.0 and will be implemented in the coming weeks/months. Email sending and delivery is quite delicate though, especially for self-hosting in terms of IP reputation, so this requires some more attention for how it can be properly introduced.

3. Phone number aliases
This feature is still in the concept phase. I see value in both one-time/burner numbers (e.g. for account verifications) and longer-term, privacy-friendly number rentals/reservations. It could end up similar to services like SMSPool, but whether this becomes a tightly integrated AliasVault feature or a separate service is still under consideration. Various countries have different rules about anonymous phone numbers, so that may also affect regional availability. I’ll be coming back on this.

4. Solo vs. big team
AliasVault is indeed run by myself for now. Sustainability is a fair concern, but it’s worth remembering that many popular services from big companies have been abandoned too. For examples in the email/domain space, think of Google Inbox, Google Domains, Firefox Send, etc. The size of a team or company isn’t a guarantee of longevity. In fact, VC backed companies might be forced to shut down or pivot if their product isn’t showing multi-digit growth YoY. Being smaller has its benefits, allowing for more flexibility and fewer external pressures.

For context: my other free service SpamOK, a temporary email platform, has been online and maintained for over 12 years already.

But for anyone that is concerned about long-term availability of a hosted service: that’s exactly why I decided to make AliasVault fully open-source and easy to self-host. Unlike some alternatives that either don’t offer self-hosting or make it unnecessarily complicated, AliasVault gives you full control and flexibility.

And as the project grows, or if like-minded people with the right skills who believe in its mission want to get involved, I would be very happy to bring them on board. But regardless, I’m staying focused and continuing to push AliasVault forward. :slight_smile:

7 Likes

Hi @lanedirt

If you could include a Fill & Submit option, that would be fantastic. This saves us one click. And because many people dislike this, I propose making it optional.

I’m now utilizing RoboForm because of its excellent auto-fill and submit feature. Simply select the item you require, and it will automatically access the website and enter your credentials before clicking submit, log in, sign in, or something similar. You’re logged in with only one click.

Hope you take the time to consider this. Thanks.

Hi again

Here’s another update from me from my experience using it thus far after the recent updates. These are my wishlist items so please fit them in your list of priorities as you work on improving the tool.

  1. While AliasVault is now more than an MVP, I’m starting to feel the need to more and more want some polish all around - from a design POV and workflow POV. And while the new update did make it more “usable”, I still feel it lacks more stability with snappy actions and quick saves and faster opening of the web version.
  2. I’m now really starting to feel the need for better email management. At least once if not twice a week I have the need to respond to emails I receive but I can’t just yet. Please also focus on improving the email side of things. This primarily includes better email management all around, replies via aliases, and custom names that one can set for each alias so that when you reply the receiver sees that name. In other words, incorporate the features and functionality that SimpleLogin has. Reverse aliasing would be fantastic too.
  3. When within an account, you see a very short list of recent emails on that alias. I want the ability to expand and view all emails sent to that particular alias within account details page view itself. Right now, I have to go hunting for it manually in the main Email view which is annoying to say the least.

I think more and more of the smaller improvements and features are becoming a noticeable issue now - as I have been using it and if one is to continue only relying on AliasVault.

Please see to these as best and soon as you can. And get back should anything be unclear. Thanks again!

@suvubi Thanks for your suggestion. I’ll check how RoboForm has implemented this and look into if this could also work for AliasVault. I’ve added it to the list. :slight_smile:

@JG Thanks for testing the recent updates! Re:

  1. I agree, some things might still be rough around the edges, but with every release things are improving, and I’m working as fast as I can to push improved features out. The slow loading of the web version on some clients is a known issue and, in hindsight, a downside of the used WebAssembly technology. Not that much that can be done at this time to improve this except a full rewrite (which can happen in the future, but will take quite some time). If you have any specific ideas or examples of where you feel the experience could be more polished (beyond what’s already on our roadmap), I’d love to hear them.
  2. The replying to email feature will probably take a bit of time before this can be rolled out, as there are quite a lot of contingencies that need to be dealt with for it to work properly. I’m estimating this will become available near the v1.0 release later this year.
  3. Being able to load more emails on the credentials page should be a quick fix and will indeed make it more useful, I’ll try and get that included with the next release! :+1:

Furthermore as a general update, last week AliasVault version 0.20.0 has been released with the following updated features:

  1. LastPass and generic CSV import: Added support to import credentials from LastPass password manager. Additionally a generic CSV import has been added which provides a template file, enabling bulk importing data from any third-party system into AliasVault.
  2. Email view improvements: The email view in the web app has been improved for desktop (large) screens, which now adds a sidebar. This makes it easier to browse through received emails. The email page now also auto-refreshes when new emails have been received.
  3. Self-host improvements: the install.sh script has been updated with automatic dependency checks, ensuring smoother installations and quicker detection of any issues in self-hosted environments. Also the official installation instructions have been updated to provide more details and troubleshooting steps.
  4. Misc tweaks: Updated admin panel with more statistics and filter options. Add identity generator gender setting, allowing you to specify an explicit gender for newly generated aliases. Several smaller tweaks to browser extension and mobile apps.

I’ve also been working on publishing the AliasVault Android app on the F-Droid app store. It initially took some time to set up the repository to meet F-Droid’s requirements, but after some tinkering the submission was finally accepted two days ago. So I expect AliasVault to be available on F-Droid somewhere later this week and will update this thread once it’s published. :cowboy_hat_face:

3 Likes

@lanedirt
Thank you for noticing and adding this to the list. I’ve also discovered that the offer to launch browser extensions in new windows has been implemented in the latest release.

Hi everyone,

Happy to share that after lots of ongoing effort, AliasVault 0.21.0 is out now, and the updated browser extension & mobile apps are available in the stores!

What’s new in version 0.21.0:

  1. Multilanguage: All client apps (web app, browser extension, mobile app) are now fully multilingual, and AliasVault is now officially available in English and Dutch. Translations are managed via Crowdin, and we’re looking for contributors to help add more languages like German, French, and Spanish and more. Want to help? Learn how and get in contact: https://github.com/lanedirt/AliasVault/blob/e830b9c482ff6243e58a7bf44857d49fac59dba2/CONTRIBUTING.md
  2. Advanced password generator: Advanced password generator options are now available in the browser extension and mobile apps. Now you can control the generated password length and complexity on-the-fly when creating a new credential through the apps.
  3. Attachment improvements: You can now upload/download attachments via the browser extension and mobile apps. The mobile app also features a preview for images and text files, allowing you to securely view images from inside your encrypted vault without having to store them locally on your phone.
  4. Self-host improvements: Added improved checks to self-host installation such as OS platform detections. Also fixed issues with false-positive warnings showing up in the logs, making troubleshooting when any local issues occur easier to do.
  5. Misc tweaks: Improved credential search and filtering across all apps to make it easier to find the correct credentials. Add “load more” button to recent email blocks in all apps (thanks for the suggestion @JG !) Add more statistics to admin page. Add option to “reset” vault on import/export page in web app. Also fixed a number of reported bugs.

Additionally, I’m happy to share that the AliasVault Android app is now available on the F-Droid store as well: https://f-droid.org/packages/net.aliasvault.app/ (new 0.21.0 release can take a few days before it’s published on F-Droid).

My aim for the next release is to update the core data model to support additional credential types such as identities, credit cards, and more. And also to lay the groundwork for introducing passkey support. And it goes without saying that there are lots of other (smaller) things on the roadmap and todo list as well that have been proposed by users, which will get looked at as well.

Thanks everyone for your ongoing support!

11 Likes

Hi! I just registered my Alias Vault today. I’m excited to explore it!

The first thing I tried is creating a new credential/alias for my Privacy Guides account, but the confirmation email just never arrives sadly, so I had to go back to using my other email address. Why could this possibly happen?

I have a few feedbacks after exploring the app:

  1. The difference between private domains and public domains is such an important detail (everyone can access the emails sent to the addresses using the provided public domains as long as they know the address) that should be displayed and explained clearly in the General Settings instead of being buried under multiple clicks (+ New Alias > Create via advanced mode > Select Email Domain).

    As a first-timer, I browsed and clicked on the menu and explored all the buttons/settings there to get a general idea of how things work (I’m using Alias Vault through web browser). Then I stumbled upon the ‘Default email domain’ in the General Settings. I was confused and didn’t know the difference between Private Domains and Public Domains as there is no explanation provided. It was until I tried creating a new alias via + New Alias > Create via advanced mode > Select Email Domain (I had to click on the default domain) that I learned the difference.

  2. On iPhone, the service URL part should recognize a URL without https:// or add it automatically. Sometimes, it’s more convenient to type the short and memorable URL there, like facebook.com, than having to go back to the browser to copy the URL (or if I’m using an app, there won’t even be a URL to copy). It could be simple for those who are familiar with computers to sense what’s wrong when the ‘Invalid URL format’ error shows up and then try adding https://, but it could be frustrating for someone who’s not (my uncle, to whom I suggested this app for more security, for example).

  3. On iPhone, in Add Credential > Manual, the alias (email) domain is not there for the user to choose, so one would have to manually memorize and type the whole domain if I want to use Alias Vault’s alias service. That’s not so user-friendly in my opinion.

  4. I really like the Generate Random Alias feature which generates even first name, last name, gender, birthdate for me. It would be even better if there’s an option to generate a username using a random word (similar to Bitwarden’s username generator).

Apart from that, I have a few questions:

  1. Since your aliasing service doesn’t forward the emails to users’ real email addresses, but store the emails on your server, does that make you technically an email service provider (like Proton Mail, Tuta, Gmail)? If true, it means it’s possible you’re going to receive user data requests from the governments in the future once your service is big enough. How do you plan to deal with that?

  2. This is just my guess, so please let me know if it’s correct or not. Although it is stated that everything is end-to-end encrypted, due to the nature of email, an email sent to a user’s alias is unencrypted and can be read by Alias Vault when Alias Vault initially receives it on Alias Vault’s server. Alias Vault then encrypts the email for the user; after that, the email is encrypted at rest and Alias Vault cannot access it (zero-access encryption). As far as I know, Proton Mail and other email providers that claim “end-to-end encryption” all work like that. So does Alias Vault work the same way?

Finally, one thing I love about Alias Vault is it allows me to use multiple aliases per service, unlike SimpleLogin’s strict 1 alias per service (and they don’t even openly talk about that, just send warning after it happens and threaten to ban users or immediately ban users)

1 Like

Hi @unseen,

Thanks a lot for trying out AliasVault and taking the time to write up your ideas and suggestions! I appreciate it a lot!

Re: email sent by PrivacyGuides not being received on aliases: I’m not sure why this doesn’t work for you. Some websites do utilize block lists where they classify “temp” or “alias” email addresses as “bad”, and therefore don’t send emails to them. I’m not sure if PrivacyGuides is doing this too. Currently all cloud aliases are using @aliasvault.net; I’ll add more domains later on (the software already supports it) to make them available to users, which should improve deliverability.

In response to your feedback:

  1. Good point, will indeed be a good idea to add some more explanation on the settings page to explain the differences between private and public domains. The difference is already described in the installation docs for self-hosted use, but not for cloud-hosted users. I’ll add this to the list!

  2. Makes sense too to prefill the https suffix or not require it to make adding new credentials quicker. Thanks for the suggestion, adding it to the list too.

  3. +1, good to make this behavior in browser extension and mobile app the same as how the web app does it already with a domain chooser.

  4. Glad you like it! Thanks for the suggestion, I’ll look into the random word input for if/how this could be integrated into AliasVault.

  5. and 6) Yes, AliasVault could indeed be technically classified as an email service provider due to the built-in alias feature. You’re correct about how the encryption works. When AliasVault receives an email it’s in plain text (due to how SMTP works); however, directly upon receiving, the email contents are immediately encrypted in memory with the user’s public key (the private key is part of the user’s encrypted vault itself), and then saved to the database. After this, no one can read the email contents except the user themselves. If governments or other official bodies would demand that AliasVault hand over certain data, then the full vault including email contents itself is safe, as it’s unreadable in the form in which it’s stored.

I’ve (unfortunately) already had experience with government data requests through my other public email service SpamOK. For AliasVault, my core privacy principle is simple: I cannot disclose what I don’t have or what doesn’t exist. Since AliasVault is designed to maximize privacy and minimize stored user data and avoid unnecessary retention, even if requests come in, we aim to have nothing meaningful to hand over.

5 Likes

@lanedirt I’ve been following the updates to AliasVault and just wanted to say I’m happy to see that you implemented changes related to the clickjacking vulnerabilities in various password managers that were recently disclosed.

Looking forward to there being enough momentum for AliasVault to be able to get a security audit in the future. I know it hasn’t been feasible just yet.

5 Likes

Hi everyone,

After a few more weeks of steady progress, I’m excited to announce that AliasVault 0.22.0 is now live. This update brings new features, security improvements and other general improvements that make using AliasVault even easier day-to-day. I’m also happy to give you an update on the usage numbers so far, which are growing each month:

  • 1.3k+ GitHub Stars
  • 4k+ Cloud user registrations
  • 20k+ Email aliases created (on cloud version)
  • 14k+ Self-hosted downloads

What’s new in version 0.22.0:

  • Multilanguage: AliasVault is now available in 6 languages (English, Dutch, German, Finnish, Italian, Simplified Chinese). This is thanks to our amazing community contributors on Crowdin. The translations are available across the web app, browser extension, and mobile apps. Want to help make AliasVault available in your native language? Learn how here.

  • Security: Added clickjacking protections + automatic clipboard clearing across web, extension, and mobile.

  • Self-host: New optional all-in-one Docker image, improved admin panel with username changes, better logs, and stats.

  • Usability: Added Dropbox Passwords importer, improved KeePass CSV imports, new auto-lock options, better autofill detection, and alias domain chooser on iOS.

  • Improvements: Service URL input more flexible, reorganized extension settings, updated UI styling, and better error messages for self-host users.

@paulrudy Thanks for staying up-to-date and noticing, the update with additional protection measures against clickjacking went live yesterday indeed :-).

For an update on the security audit: I have been continuing efforts to secure sponsorships for an external security audit as we’re approaching v1.0. Some of my earlier attempts a few months back didn’t succeed due to high demand in those programs, but I’ve reached out to more parties last week and plan to re-apply for certain grants in the coming weeks. The goal is still to have the audit done around the time v1.0 is ready. If anyone has suggestions for organizations or initiatives that are open to support open-source security projects like AliasVault, I’d be very interested to hear them.

Thanks also to @unseen for your feedback: 0.22.0 implements your suggestions: #1, #2 and #3 (clearer public vs private domain explanation, improved URL handling, and iOS/Android alias domain selector)

To everyone: your support and ideas keep driving AliasVault forward. Looking forward to hearing your thoughts on this release.

10 Likes

Thanks for sharing the update. I just updated the add on. And while I have since moved back to Proton Pass after trying AliasVault for a month or two there (and sharing all my feedback and suggestions) - I continue to look forward to all improvements including to the ones still pending (though I am hoping they are coming soon).

1 Like