LockerApp keeps your secrets local. Encryption and key derivation run entirely on your device. Zero-knowledge by design.
LockerApp keeps your vault entirely on your device.
Encryption, key derivation, and decryption
execute locally inside a hardened Rust kernel.
NO SERVER. NO BACKDOOR. NO CLOUD DEPENDENCY. ZERO-KNOWLEDGE BY DESIGN.
Unlock with a strong passphrase (120+ bits of entropy),
or optionally enable SmolKey for faster access.
Post-quantum cryptographic support is on the roadmap.
The diagram below illustrates how authentication, device identity,
and encrypted backups interact,
without relying on cloud synchronization or centralized servers.
LockerApp is built around a simple principle:
your vault remains local, and every device must be explicitly trusted.
No. LockerApp is local-first. Your vault file remains on your device. All encryption, key derivation, and decryption operations occur locally inside the Rust kernel. No secrets are transmitted externally unless you explicitly enable optional encrypted backup features.
If an attacker gains access to your encrypted vault file, they would still need to brute-force your passphrase offline. The strength of your passphrase determines resistance. If your device is compromised while the vault is unlocked, decrypted data in memory may be exposed — which is why short auto-lock timeouts and device hygiene are critical.
The passphrase is your primary root secret and the only credential capable of fully re-wrapping the vault's encryption key. SmolKey is an optional convenience unlock method that wraps the same vault key independently. It improves usability but does not replace the passphrase in terms of entropy or authority.
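The independent wrapping described above, as an added example that is not LockerApp's code: one random vault key is wrapped separately under each unlock secret, so changing the passphrase re-wraps one slot without touching the other. Assumptions: scrypt and an XOR mask with HMAC stand in for the page's unnamed KDF and authenticated-encryption primitives so that it runs on Python's standard library; SmolKey is modelled as a second secret, and the slot layout, function names and sample secrets are constructed.

```python
import hashlib
import hmac
import secrets

def _derive(secret: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF (scrypt is an assumption; the page names no algorithm).
    # 64 bytes out: first 32 mask the vault key, last 32 key the MAC.
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=64)

def wrap(vault_key: bytes, secret: bytes) -> dict:
    """Wrap the 32-byte vault key under one unlock secret."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh per wrap, so the mask is never reused
    k = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(vault_key, k[:32]))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(slot: dict, secret: bytes) -> bytes:
    """Return the vault key, or raise if the secret is wrong or the slot was altered."""
    k = _derive(secret, slot["salt"])
    expected = hmac.new(k[32:], slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong secret or tampered slot")
    return bytes(a ^ b for a, b in zip(slot["ct"], k[:32]))

def change_passphrase(slots: dict, old: bytes, new: bytes) -> None:
    """Re-wrap only the passphrase slot; vault data and other slots are untouched."""
    slots["passphrase"] = wrap(unwrap(slots["passphrase"], old), new)

def demo() -> dict:
    vault_key = secrets.token_bytes(32)  # random key that encrypts the vault
    slots = {  # constructed sample secrets
        "passphrase": wrap(vault_key, b"constructed sample passphrase"),
        "smolkey": wrap(vault_key, b"constructed-smolkey-secret"),
    }
    same = unwrap(slots["passphrase"], b"constructed sample passphrase") == \
           unwrap(slots["smolkey"], b"constructed-smolkey-secret") == vault_key
    change_passphrase(slots, b"constructed sample passphrase", b"new sample passphrase")
    try:
        unwrap(slots["passphrase"], b"constructed sample passphrase")
        old_rejected = False
    except ValueError:
        old_rejected = True
    smolkey_ok = unwrap(slots["smolkey"], b"constructed-smolkey-secret") == vault_key
    return {"same_key": same, "old_rejected": old_rejected, "smolkey_ok": smolkey_ok}

if __name__ == "__main__":
    print(demo())
```

If every slot's secret is lost, nothing in the stored slots allows the vault key to be recovered.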
No. LockerApp is zero-knowledge by design. There is no password reset, no backdoor, and no recovery service. If the passphrase is lost and no backup exists, the vault cannot be decrypted. Users are responsible for secure offline backups of their passphrase.
LockerApp is designed with forward compatibility in mind. The current vault encryption model relies on modern, memory-hard key derivation and authenticated encryption primitives that remain secure against classical attacks.
As NIST-standardized post-quantum algorithms (such as CRYSTALS-Kyber and CRYSTALS-Dilithium) mature and reach stable deployment standards, LockerApp's architecture allows integration of post-quantum primitives into the key-wrapping and vault encryption layers without redesigning the overall vault format.
Post-quantum readiness is part of the long-term roadmap to ensure vault security remains resilient beyond the 2030 transition horizon.