OOskar Karpiński
Back to projects
Archived open-source project

LibrePass — a self-hosted password manager

LibrePass was a password manager I developed to bring together a native Android application, a Spring Boot backend and encrypted synchronization. It took me through the complete product lifecycle — from interface design and offline operation to APIs, deployment and security boundaries.

01

Problem

A password manager must reconcile easy access to data on a device with protection from people and services that should not know its contents. A sign-in form and a database are not enough — the product must account for encryption, vault locking, offline operation and synchronization.

Self-hosting introduced another requirement: users should be able to operate their own server without the backend needing access to the vault's plaintext contents.

02

Solution

LibrePass was built as a set of cooperating open-source applications. The native Android client handled the vault and local data, while the Spring Boot backend provided accounts, communication, synchronization and encrypted data storage.

The project also covered Docker deployment, relational databases, integration tests, documentation and a prototype Svelte web client.

03

Architecture

The central decision was to separate client and server responsibilities. Operations involving sensitive vault contents happened on the client, while the backend stored encrypted data and handled infrastructure concerns.

On Android, the Jetpack Compose interface was separated from local state, persistence, biometrics and network communication. The server used Spring Boot, Hibernate and a relational database, while containerization simplified running the complete environment.

Android application

Web client

REST API

LibrePass server

Encrypted data

04

Client applications

The Android application was the most complete part of the system. It covered account creation and sign-in, adding and viewing entries, password generation, biometric access, automatic locking and offline operation.

The Svelte web client was intended to make the same vault available on larger screens. It remained a prototype that explored the browser interface without being presented as a finished product.

LibrePass web client prototype showing the password vault
LibrePass Android password entry details

05

Synchronization

Local persistence made the vault usable without internet access, but moved part of the complexity into synchronization. The client had to distinguish local data from server state and respond predictably to interrupted connections and changes waiting to be uploaded.

The project taught me that synchronization is part of product behaviour: it affects the data model, interface messages, error handling and decisions about conflicts between devices.

Local vault

Pending changes

Sync after reconnecting

LibrePass server

Encrypted payload

06

Security

LibrePass combined end-to-end encryption with password hashing, token handling, validation, request limiting, biometric access and automatic vault locking. These controls complemented each other across layers instead of relying on a single mechanism.

The project did not undergo an independent audit and is not presented as a production password manager. It documents practical learning about threat modelling, trust boundaries and sensitive data.

Client trust boundary

Plaintext only on the device

E2E

Encrypted transport

Infrastructure without vault contents

Encrypted payload

07

Challenges

The largest challenge was keeping the mobile interface, local state, encryption, authentication, synchronization and API coherent. Every decision in one layer affected the others — for example, the offline model determined data storage and client behaviour during network failures.

Developing the Android app, backend, deployment, documentation and web client in parallel also demonstrated the cost of maintaining many product surfaces alone. Archiving the project preserved it as an honestly documented case study.

What it taught me

Key takeaways

LibrePass required me to consider user experience, encryption, synchronization, backend boundaries, deployment and project scope as parts of one system.

01

Security is a process

Password manager security depends on encryption, password hashing, token handling, validation, automatic vault locking and clearly defined trust boundaries working together.

End-to-end encryptionAuthenticationValidation
02

Synchronization is product work

Offline operation and multi-device synchronization must remain predictable when connectivity disappears, local changes accumulate or devices modify the same data.

Offline-firstSynchronizationConflict handling
03

Mobile applications need architecture

The Android client helped me separate the Compose interface, local state, biometric access, persistence and synchronization instead of coupling them directly to the UI.

Jetpack ComposeMaterial 3Biometrics
04

Backend services need clear boundaries

The server handled authentication, APIs, request limits and encrypted payload storage, while sensitive vault operations remained a client responsibility.

Spring BootREST APIData model

Code and context

Explore the project repositories

The source code, documentation and development history of LibrePass remain public as reference material.