AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Hi everyone, happy to share that the new version 0.19.0 has just been released and with it quite a few nice platform usability improvements. :smiling_face_with_three_hearts:

The stand-out new feature, which was requested by multiple users (including @JG), is that the browser extension is now capable of full vault mutation. This means you can now easily create and edit credentials right in the browser without needing to log in to the web app.

This release also contains various other usability tweaks to the web app and mobile apps which were requested by readers here and on Discord. :slight_smile:

AliasVault 0.19.0

  1. Browser extension mutation capabilities: The browser extension now supports full vault mutation: create, update, and delete credentials directly in the extension UI. This feature, backported from the iOS and Android apps, removes the need to log into the web app for everyday credential management, making the browser extension significantly more powerful and independent.
  2. Quality-of-life improvements: various improvements across the platform, such as adding long-press support for quick actions to the mobile app, improved loading animations in the web app, updated app icons for better contrast, and more.
  3. Security enhancements: This update enforces new HTTP security headers in the nginx reverse proxy docker image to improve out-of-the-box hardening for self-hosted users.

Read the full release notes on the AliasVault blog: AliasVault 0.19.0 Released | AliasVault

The coming releases will focus on better on-boarding for new users, improved email interface capabilities, and datamodel improvements to make AliasVault more flexible in terms of the types of data it can store and autofill (including Passkey support).

Thanks again to everyone for trying out AliasVault and for your suggestions on how to improve it even further!

6 Likes

Hey!

A few more things I’ve been meaning to update you on but I was waiting for a new update before doing that hoping they’d be fixed. But having tested this new update a bit this morning, here are some more existing issues that I feel require an immediate fix (as it is more closely related to the fixes and improvements you have just made and are currently making, so I hope you can prioritize this).

  1. When within an account on the extension and you’re editing/copying details, I want the extension to remain open on that page/account in the same state as I leave it after I copy and go elsewhere to paste things. I don’t want the extension to “close” and force me to find the account again and go back to the same state I had it in when doing whatever account management I need to do. Persistent state of the extension is what I need. Hope all that makes sense. I’m not sure what the right phrase or word to use here is.
  2. I still cannot view my TOTP seed token/code in the extension when I want to edit any account details. Why? It makes little to no sense for me/anyone to not have access to their seed token. Please see to this and ensure one can edit, add, manage TOTP/2FA seed codes within the extension as it is on Proton Pass/1Password/Bitwarden. This inability actually annoyed me a lot a week ago. I had to manually manage with so many clicks on the web version and even then the way it was set up did not make sense from a usability POV. Hope you see and understand what and how I mean.
  3. Thanks for adding a notes section within each account. However, its implementation is perplexing. When editing, the notes appear at the bottom of the page to add any notes. But when you do and save, it appears on top of all other account details. ?? I’m confused why this is. I feel it should still appear at the bottom where it was showing when editing. It going from the very bottom to the very top is a weird design choice if you ask me. Please rethink on this.
  4. There are a few more improvements that are missing but I’m guessing you surely do have it noted on your end to make happen so I won’t repeat them again but only to let you know to also focus on email viewing/management part of AliasVault on/with/through the extension AND on the web version. This would make actually using email aliasing (and not just password management) with AliasVault more worth it.

Thank you for the update! I have already noticed some of the tiny improvements being made (that I did not explicitly mention) and the extension also feels a little more stable.

As always, let me know if you have follow up questions from any of the aforementioned. Thanks again.

1 Like

Hi @JG, thanks for your continued testing, I really appreciate it!

I released bugfix version 0.19.1 yesterday which addresses a few minor bugs, and also adds improved functionality for points #1 and #3 you mentioned:

  • The browser extension now remembers the last page you were visiting before it closes, and will automatically go back to that page when the browser extension reopens (within a certain time). It now also remembers form edits in progress for credential creation and editing. So this should make it a lot easier for multiple copy/pastes during data entry.
  • Notes section in browser extension and mobile app is now shown on bottom in view mode, to match the edit mode.

For your last point, yes I have noted all issues that have been reported before (including email management improvements). Some of these require additional changes to other systems before they can be fully implemented. Therefore each of the next releases will group related changes together so they can all be addressed and tested properly.

There’s still plenty of work to do, but I do think it’s exciting to see how much progress has already been made in the last few months, and much more progress will be made in the coming weeks/months. :slight_smile: So thanks again for your persistence in using and testing AliasVault, great suggestions that really help shape AliasVault and make it better for everyone!

2 Likes

Thank you so much for getting back. I truly do appreciate the improvements. I should have explicitly mentioned that in my last comment. And I’m glad to see AliasVault improve as much and as quickly as it is, which underscores your efforts for the same.

I’ll keep testing as you keep improving and will get back when I have more substantial things to talk about. Thank you again.

2 Likes

I keep my AliasVault (AV for short) credentials in KeePass. But right now, in order to log in to AV, I have to copy both my username and password (for example, UUU—PPP), paste them into the AV username field (UUU—PPP), and then cut/paste the password (PPP), then delete ‘—’ (without ’ ') from username field to put them into the AV password field. This is not a good security measure.

I think a good number of people use password managers for this as well.

Can you allow AV open in a new window? You can check this https://community.bitwarden.com/uploads/default/original/3X/7/8/78b813dd74283290db9c3e7077804dae4c5fae82.png

Thank you.

I’m sorry, but I don’t understand the point of this tool. Why would I need it if I already have SimpleLogin and Bitwarden?

Because this tool is offering what that combination is offering all in one tool. Also, more options are always a good thing and we need competition in the privacy space with similar and different tools.

Also, the way you say it implies that you’re following a faulty logic to say the least. It’s like asking, why do I need to eat different kinds of food when one kind of food exists. Silly, no?

5 Likes

Hi @suvubi,

Thanks for your suggestion. I assume you’re talking about the browser extension for the login process, correct? Assuming you do, I agree it’s a good idea to add an “open in new tab” button to the login page. This button already exists for the credential and email detail pages to “pop out” the extension. But having it on the login page too, so that multiple fields can be autofilled from a different password manager, makes sense. I’ll include this in the next release. :slight_smile:

1 Like

You may find this article interesting as it covers the issues with Copyleft+CLA: The issue of Copyleft License with CLA - Is it really foss?

It’s arguably worse than being closed source in some ways, because it creates a significant power imbalance with the illusion of openness. Closed source on the other hand is at least upfront about the power imbalance and makes no illusions.

Copyleft without a CLA on the other hand is a much more balanced playing field. The project owners must abide by the terms of the license (say the AGPL) for external contributions, and reciprocally, external contributors must abide by the terms of the license for contributions from the project owners.

2 Likes

Hi @RoyalOughtness and @anonymous261, thanks for your feedback and suggestions regarding AliasVault’s open-source license and use of a CLA (Contributor License Agreement).

I did some more reading on this topic, and agree with the sentiment that a CLA sends the wrong message and can create power imbalances. I have now updated the CONTRIBUTING.md to remove the CLA template entirely and clarify that no CLA is required for AliasVault contributions:

License and Contributions
AliasVault is licensed under the GNU Affero General Public License v3.0 (AGPLv3). By submitting code, documentation, or other contributions to this project, you agree that:

  1. Your contribution will be licensed under the same AGPLv3 license as the project
  2. You have the legal right to grant this license (e.g., you are the author, or have permission)
  3. You understand that your contribution will be made public under the AGPLv3 terms
  4. You are not expected to provide support or warranties for your contribution

:white_check_mark: There is no Contributor License Agreement (CLA) required. We believe in a balanced open source model where all contributors are treated equally under the terms of the AGPLv3.

By using AGPLv3 without a CLA, AliasVault remains fully open and fair for everyone: all contributors (including myself) are equally bound to share any changes under the same license, ensuring true software freedom and transparency.

I’m proud to say that with this, AliasVault is one of the only fully open-source password managers (both client and server) that is 100% licensed under AGPLv3 with no CLA strings attached.

Unlike:

  • Bitwarden – AGPLv3 but with a CLA
  • Vaultwarden – no CLA, but only server-side; Bitwarden’s clients are still required which are under their own CLA
  • Proton Pass – open source client apps, but closed source server
  • 1Password – fully closed source

I’m committed to positioning AliasVault as a genuinely open, transparent, and user-respecting alternative and to setting an example going forward. Thanks again for the feedback!

6 Likes

Hey! First of all, thank you for working on this project! Still did not try it, but if I understood correctly it brings something new to other PM (aliases integrated with password manager).
Edit: verified and yes, Bitwarden can create aliases through other services’ APIs but yours wholly integrates both! :+1:

Do you have updates on this?

I think this is the only hard requirement AliasVault does not fulfil before we start considering it.

Best regards

Also: what will happen to AliasVault if you can’t keep working on it tomorrow? You seem to be the only person running AliasVault (the hosted version)

Another comment: Thrilling, love that after showing AV’s strengths compared to SimpleLogin, you also point out two weaknesses of AV compared to SL. GOAT. Love this.

Oops: I was about to try your service but I saw that AliasVault aliases can’t be used to reply or send emails… This is a serious issue for me.

I see that you plan to add phone number aliases. Can you clarify wdym? One-time phone numbers or phone number rentals? Would it be similar to SMSPool.net? To say the least, this type of business doesn’t run itself and you seem alone on AliasVault. So if you plan to do email aliases, phone number aliases, password manager, password generator, identity generator, … won’t it be too much?

This would be like combining strongphrases.net, Addy.io, Bitwarden and SMSPool. :sweat_smile: Alone.

Hi @mangomango,

Thanks for your questions and your interest in AliasVault! You asked multiple questions, so let me try and address your points one by one:

1. Security audit update
Yes a few weeks ago I mentioned I’d be able to share an update soon. In the meantime I did receive feedback: and unfortunately, AliasVault was not selected for the grant that would’ve funded the audit. That said, my goal is still to have a proper third-party security audit completed before v1.0 is released (planned for end of this year). The main challenge now is funding, and I’m actively exploring alternative ways to secure that. I’ve already reached out to several other parties so I hope something will come out of that.

2. Email reply/send support
Yes, replying or sending emails via AliasVault aliases isn’t possible yet. This feature is however on the roadmap for v1.0 and will be implemented in the coming weeks/months. Email sending and delivery is quite delicate though, especially for self-hosting in terms of IP reputation, so this requires some more attention for how it can be properly introduced.

3. Phone number aliases
This feature is still in the concept phase. I see value in both one-time/burner numbers (e.g. for account verifications) and longer-term, privacy-friendly number rentals/reservations. It could end up similar to services like SMSPool, but whether this becomes a tightly integrated AliasVault feature or a separate service is still under consideration. Various countries have different rules about anonymous phone numbers, so that may also affect regional availability. I’ll be coming back on this.

4. Solo vs. big team
AliasVault is indeed run by myself for now. Sustainability is a fair concern, but it’s worth remembering that many popular services from big companies have been abandoned too. For examples in the email/domain space, think of Google Inbox, Google Domains, Firefox Send, etc. The size of a team or company isn’t a guarantee of longevity. In fact, VC backed companies might be forced to shut down or pivot if their product isn’t showing multi-digit growth YoY. Being smaller has its benefits, allowing for more flexibility and fewer external pressures.

For context: my other free service SpamOK, a temporary email platform, has been online and maintained for over 12 years already.

But for anyone that is concerned about long-term availability of a hosted service: that’s exactly why I decided to make AliasVault fully open-source and easy to self-host. Unlike some alternatives that either don’t offer self-hosting or make it unnecessarily complicated, AliasVault gives you full control and flexibility.

And as the project grows, or if like-minded people with the right skills who believe in its mission want to get involved, I would be very happy to bring them on board. But regardless, I’m staying focused and continuing to push AliasVault forward. :slight_smile:

6 Likes

Hi @lanedirt

If you could include a Fill & Submit option, that would be fantastic. This saves us one click. And because many people dislike this, I propose making it optional.

I’m now utilizing RoboForm because of its excellent auto-fill and submit feature. Simply select the item you require, and it will automatically access the website and enter your credentials before clicking submit, log in, sign in, or something similar. You’re logged in with only one click.

Hope you take the time to consider this. Thanks.

Hi again

Here’s another update from me from my experience using it thus far after the recent updates. These are my wishlist items so please fit them in your list of priorities as you work on improving the tool.

  1. While AliasVault is now more than an MVP, I’m starting to feel the need to more and more want some polish all around - from a design POV and workflow POV. And while the new update did make it more “usable”, I still feel it lacks more stability with snappy actions and quick saves and faster opening of the web version.
  2. I’m now really starting to feel the need for better email management. At least once if not twice a week I have the need to respond to emails I receive but I can’t just yet. Please also focus on improving the email side of things. This primarily includes better email management all around, replies via aliases, and custom names that one can set to each alias when you reply so the receiver sees that name. In other words, incorporate the features and functionality that SimpleLogin has. Reverse aliasing would be fantastic too.
  3. When within an account, you see a very short list of recent emails on that alias. I want the ability to expand and view all emails sent to that particular alias within account details page view itself. Right now, I have to go hunting for it manually in the main Email view which is annoying to say the least.

I think more and more of the smaller improvements and features are becoming a noticeable issue now - as I have been using it and if one is to continue only relying on AliasVault.

Please see to these as best and soon as you can. And get back should anything be unclear. Thanks again!

@suvubi Thanks for your suggestion. I’ll check how RoboForm has implemented this and look into if this could also work for AliasVault. I’ve added it to the list. :slight_smile:

@JG Thanks for testing the recent updates! Re:

  1. I agree, some things might still be rough around the edges, but with every release things are improving, and I’m working as fast as I can to push improved features out. The slow loading of the web version on some clients is a known issue and, in hindsight, a downside of the used WebAssembly technology. Not that much that can be done at this time to improve this except a full rewrite (which can happen in the future, but will take quite some time). If you have any specific ideas or examples of where you feel the experience could be more polished (beyond what’s already on our roadmap), I’d love to hear them.
  2. The replying to email feature will probably take a bit of time before this can be rolled out, as there are quite a lot of contingencies that need to be dealt with for it to work properly. I’m estimating this will become available near the v1.0 release later this year.
  3. Being able to load more emails on the credentials page should be a quick fix and will indeed make it more useful, I’ll try and get that included with the next release! :+1:

Furthermore, as a general update, last week AliasVault version 0.20.0 was released with the following updated features:

  1. LastPass and generic CSV import: Added support to import credentials from LastPass password manager. Additionally a generic CSV import has been added which provides a template file, enabling bulk importing data from any third-party system into AliasVault.
  2. Email view improvements: The email view in the web app has been improved for desktop (large) screens, which now adds a sidebar. This makes it easier to browse through received emails. The email page now also auto-refreshes when new emails have been received.
  3. Self-host improvements: the install.sh script has been updated with automatic dependency checks, ensuring smoother installations and quicker detection of any issues in self-hosted environments. Also the official installation instructions have been updated to provide more details and troubleshooting steps.
  4. Misc tweaks: Updated admin panel with more statistics and filter options. Added identity generator gender setting, allowing you to specify an explicit gender for newly generated aliases. Several smaller tweaks to browser extension and mobile apps.

I’ve also been working on publishing the AliasVault Android app on the F-Droid app store. It initially took some time to set up the repository to meet F-Droid’s requirements, but after some tinkering the submission was finally accepted two days ago. So I expect AliasVault to be available on F-Droid somewhere later this week and will update this thread once it’s published. :cowboy_hat_face:

3 Likes

@lanedirt
Thank you for noticing and adding this to the list. I’ve also discovered that the offer to launch browser extensions in new windows has been implemented in the latest release.