Vestyn is a password manager you run yourself. Secrets are encrypted on your devices before sync, while your server handles accounts, vault membership, and ciphertext storage. Built for people who want polish without giving up control.
Self-hosting usually means trading polish for control. Vestyn refuses the trade — a native app and a clean web vault on top of infrastructure you fully own.
Your master password derives keys that never touch the network. The server receives encrypted vault data it cannot decrypt without a member’s keys.
A Docker image, Postgres, and a reverse proxy. Up in minutes on a VPS, a NAS, or the spare machine under your desk.
A real SwiftUI Mac app with Touch ID, menu-bar quick access, and system AutoFill. The web vault and browser-extension work share the same encryption core.
Unlock the app, reveal a single password, or fill a login with Touch ID. Biometric checks stay inside macOS; Vestyn never sees fingerprint data.
Invite family or a team to a shared vault. Keys are wrapped per member, so access is granted cryptographically — not just hidden behind a flag.
The protocol and clients are open source. Read the code, run the server, and follow each release from source to signed download.
Pull the container, point it at Postgres, and put it behind HTTPS. It only ever stores encrypted blobs and the metadata needed to sync them.
Your master password derives an encryption key on-device with Argon2id. The key stays local; the server gets a verifier it can't reverse.
Mac app or web vault — each decrypts locally after you authenticate. Sync moves ciphertext; plaintext item fields never travel.
The server is designed so it can't decrypt your vault contents. Keys are derived and held on your devices; the database stores authenticated ciphertext and the metadata needed for sync. Protect the host and backups as usual, but a database dump alone is not enough to read secrets.
Bring up the server with Docker Compose, open the web vault, and connect the Mac app to your own instance.