14-day free trial — no card required

Your team’s credentials.
Locked down properly.

Stop sharing passwords over Slack. HexVault gives your team a zero-knowledge shared vault with structured offboarding, an AI that catches problems before they become incidents, and setup that takes an afternoon — not a project.

No card required · Cancel any time · Works for 1 to 100 people
Also available on the Chrome Web Store
[Product preview: HexGuard vault dashboard. Security score 87; 47 entries, 1 breached, 2 weak; 2FA on; sample entries rated Strong, Medium, Breached and Strong; HexGuard resolved 3 issues.]
AES-256-GCM Encryption · Zero-Knowledge Architecture · HexGuard AI Security · Live Breach Monitoring · Enterprise SSO / SAML 2.0 · TOTP Authenticator · Audit Logging · Password Policy Enforcement · Family Vault Sharing
Zero-knowledge by design
AES-256-GCM + per-entry HKDF
Set up in under an hour
UK-based · GDPR compliant
14-day free trial — no card
Made for you

Whether it’s just you
or your whole team.

HexVault works for a solo developer who wants proper personal security, and for a 150-person company that needs shared vaults, access controls, and a proper audit trail.

For individuals

Your digital life, properly secured.

One vault for every password, card, and note. Live breach alerts, built-in 2FA codes, a browser extension that actually works, and an AI that tells you exactly what’s at risk.

  • Unlimited passwords, notes & 2FA codes
  • Live breach monitoring (k-anonymity)
  • HexGuard AI security assistant
  • Encrypted one-time share links
  • Emergency vault access for someone you trust
From £3.99/month
Best for teams
For small teams

The security your team actually deserves.

Shared vaults with role permissions. Structured offboarding when someone leaves. JIT access for contractors. A daily AI briefing for your admin. Set up this afternoon.

  • Encrypted shared folders with folder RBAC
  • Offboarding workflow + credential rotation tasks
  • Just-in-time temporary access grants
  • Full audit log & compliance PDF export
  • Service accounts for CI/CD pipelines
  • SCIM provisioning (Okta, Azure AD, Google)
From £8.99/seat/month
Real problems, real fixes

The three things that keep
IT admins up at night.

01
The problem

Someone leaves. You disable their account. But the AWS keys, Stripe live key, domain registrar login — they’ve seen all of it. You hope they didn’t copy anything.

HexVault fix

Offboarding workflow. When you remove a member, HexVault shows every credential they accessed in the last 90 days, creates rotation tasks with assignable owners, and revokes their cryptographic key.

02
The problem

Your contractor needed database access for a sprint. You added them two months ago. They’re still in there. You have no log of what they accessed.

HexVault fix

Just-in-time access. Grant temporary folder access for a defined window — 4 hours to 1 week. Expires automatically. Every access is logged. No more manual cleanup.

03
The problem

Your AWS root key hasn’t been rotated since 2021. Three ex-employees have seen your Stripe live key. You know you should fix this but there’s no system for it.

HexVault fix

Rotation enforcement. Set a rotation policy. HexVault tracks which credentials are overdue, who owns them, when last changed. HexGuard surfaces the list every morning.

HexGuard AI

The only AI that knows your actual vault.

Every other AI security tool answers generic questions. HexGuard queries your real vault data — breach counts, rotation gaps, access patterns, open alerts — and reasons from it. Specific intelligence, not generic advice.

Daily security briefing
Every morning: what’s breached, expiring, and overdue for rotation — specific to your vault, in plain English.
Alert explanation
When a security alert fires, one click explains what happened, why it matters, and exactly what to do next.
Context-grounded chat
Ask anything. HexGuard already knows your vault state — no describing your setup, no generic answers.
HG
HexGuard
AI Security Intelligence

Your vault is in reasonable shape — one item needs attention today.

🔴 Cloudflare — this credential appears in 847 known breach datasets. Change it and update any services using it.

🟡 AWS Console & PostgreSQL — both last rotated 4 months ago, outside your 90-day policy.

🟢 Everything else looks solid. Security score: 87.

Want me to walk you through fixing the Cloudflare breach?

Extension Security

The only extension
that stops phishing
before you type.

Every other password manager waits for you to try autofilling — then silently refuses because the domain doesn't match. HexVault's extension actively detects suspected phishing sites and warns you before your cursor reaches the password field.

Lookalike domain detection
paypa1.com vs paypal.com — we catch it. Scored against your actual saved credentials, not a generic blocklist.
HTTP autofill blocked
If a site asks for a password without HTTPS, we block autofill entirely and show a warning. No other extension does this by default.
Injected page warning
On suspicious pages, HexVault injects a red banner directly into the page — visible even before you open the extension popup.
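The lookalike check and HTTP autofill block described above, sketched as an added example (not HexVault's extension code). The confusable map, the distance threshold of 1 and the function names are assumptions chosen for illustration.

```javascript
// Added example. ASSUMPTION: a tiny confusable map; production detectors
// use the Unicode confusables data and the Public Suffix List instead.
const CONFUSABLE = [['rn', 'm'], ['vv', 'w'], ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's']];

// Collapse look-alike characters so "paypa1.com" and "paypal.com" compare equal.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLE) s = s.split(from).join(to);
  return s;
}

// Classic edit distance, two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Score the visited URL against the user's saved credential domains,
// not a generic blocklist. Returns the decision the extension would act on.
function assessSite(url, savedDomains) {
  const u = new URL(url);
  // ASSUMPTION: naive host handling. IDN hosts arrive here as punycode
  // (xn--...) and would need decoding before a confusables check.
  const host = u.hostname.replace(/^www\./, '');
  const insecure = u.protocol !== 'https:';

  if (savedDomains.includes(host)) {
    // Exact match: autofill only over HTTPS.
    return { risk: insecure ? 'warn' : 'none', looksLike: null, autofill: !insecure };
  }
  let best = null;
  for (const saved of savedDomains) {
    const d = skeleton(host) === skeleton(saved) ? 0 : levenshtein(host, saved);
    if (d <= 1 && (best === null || d < best.d)) best = { saved, d };
  }
  if (best) return { risk: 'high', looksLike: best.saved, autofill: false };
  // No saved credential for this host: nothing to fill.
  return { risk: insecure ? 'warn' : 'none', looksLike: null, autofill: false };
}

// Constructed sample input.
console.log(assessSite('http://paypa1.com/login', ['paypal.com', 'github.com']));
```

A threshold of 1 keeps false positives low on short domains; a real detector would scale it with domain length and exempt pairs the user has explicitly trusted.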
⚠ http://paypa1.com/login
HexVault: This site looks like paypal.com — do not enter your password
paypa1.com · Risk: High · Looks like paypal.com
"paypa1.com" closely matches a saved credential. This may be a phishing site.
01
The architecture
How your passwords
stay safe

Three steps, all on your device. The server never sees anything it can decrypt.

01

You enter your master password

Your password is passed through Argon2id with 64 MB of memory — making GPU attacks 1,000× more expensive. The derived key is marked non-extractable by your browser. No JavaScript can read it back.

Client only · never transmitted
02

Every entry is encrypted independently

Each password gets its own fresh 96-bit IV. AES-256-GCM encrypts and authenticates in one pass — any tampering is detected and rejected. The key lives only in your browser's memory.

AES-256-GCM · unique IV per entry
03

Server stores only ciphertext

We receive base64(ciphertext) and base64(IV). No master password, no encryption key, no plaintext — ever. A full database dump is computationally useless to an attacker.

Zero-knowledge · breach-proof
01
Why HexVault

ENCRYPTION THAT STARTS ON YOUR DEVICE.

Most tools encrypt on their servers. HexVault encrypts on yours — before anything leaves your browser. We receive ciphertext. Only ciphertext. There is no architectural path for us to read your passwords.

256
Bit AES-GCM
0
Data Sold
100%
Zero-Knowledge
Client-side encryption, always
Your master password derives an encryption key locally using Argon2id — the gold standard for password hashing. That key never leaves your device.
HexGuard actively improves your security
Our AI security engine doesn't just flag problems — it explains them plainly and fixes them with one click. No security expertise required.
Breach monitoring via k-anonymity
We check your passwords against billions of known breached credentials without ever sending the actual password. The maths protects you even from us.
Built for organisations that can't afford to get this wrong
Cryptographic separation between personal and org vaults. Multi-party approval pipelines. Structured offboarding. Built in — not bolted on. Ready for your compliance team.
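How a k-anonymity breach lookup keeps the password off the wire, as an added example (not HexVault's code). It assumes the widely used range-query scheme: the client sends the first 5 hex characters of the password's SHA-1 and matches the returned suffixes locally. The page does not state which hash or prefix length HexVault uses, and the breach corpus here is constructed.

```javascript
// Added example. ASSUMPTION: SHA-1 with a 5-character prefix, as in the
// common range-query design; the "server" is an in-memory stand-in.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

async function sha1Hex(text) {
  const digest = await wc.subtle.digest('SHA-1', new TextEncoder().encode(text));
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, '0'))
    .join('')
    .toUpperCase();
}

// Server side: index a constructed corpus {password: timesSeen} by hash
// prefix. `seen` records everything the server learns from each query.
async function buildRangeServer(corpus) {
  const byPrefix = new Map();
  for (const [password, count] of Object.entries(corpus)) {
    const hash = await sha1Hex(password);
    const prefix = hash.slice(0, 5);
    if (!byPrefix.has(prefix)) byPrefix.set(prefix, []);
    byPrefix.get(prefix).push(`${hash.slice(5)}:${count}`);
  }
  const seen = [];
  const range = (prefix) => {
    seen.push(prefix);
    return (byPrefix.get(prefix) ?? []).join('\n');
  };
  return { seen, range };
}

// Client side: only the 5-character prefix leaves the device; the
// comparison against the full hash happens locally.
async function breachCount(password, rangeFn) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  const body = await rangeFn(prefix);
  for (const line of body.split('\n')) {
    const [candidate, count] = line.trim().split(':');
    if (candidate === suffix) return Number(count);
  }
  return 0; // not present in the returned bucket
}
```

The prefix still reveals 20 bits of the hash, so the guarantee is that the password hides among every value sharing that prefix, not that the server learns nothing.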
02
Features

BUILT TO PROTECT.
DESIGNED TO USE.

HexGuard — Your Security Co-Pilot
HexGuard analyses your entire vault continuously — calculating a live security score, identifying weak and reused credentials, cross-referencing against breach databases, and fixing problems with a single click. Not a report. An engine that acts. It explains everything in plain English and doesn't wait for you to ask. Set a goal of 100 — HexGuard helps you get there.
Pro, Family & Team
Zero-Knowledge Architecture
AES-256-GCM with per-entry key derivation. Your master password never reaches our servers — not in transit, not at rest. We hold ciphertext and mathematical noise. Nothing else.
Live Breach Monitoring
Continuous scanning against billions of known compromised credentials via k-anonymity — we check without ever sending your actual password. Alerted the moment a breach is detected, not after.
Built-In Authenticator
Store TOTP secrets alongside credentials. Live codes with countdown ring, encrypted the same as everything else. One less app, one less attack surface.
Family Vault Sharing
Share passwords with up to 5 family members. Per-member permissions. Individual vaults stay private.
Encrypted Share Links
One-time encrypted share links. Decryption key lives in the URL fragment — never reaches our server.
02
Why it matters
Most teams are one
departure away from a breach

Compare how your current setup stacks up against a properly secured team vault.

Situation | Spreadsheet / Slack | Basic password manager | HexVault Team
Sharing credentials | Exposed in chat or email | Shared folder, limited control | Encrypted team vault, folder RBAC
Someone leaves | Manual — usually missed | Delete account, hope for the best | Offboarding workflow + rotation tasks
Breach monitoring | None | Basic alerts, no triage | Live monitoring + AI explanation
Audit trail | None | Limited or paid add-on | Full credential access log
Encryption | None — plaintext | Varies — server-side often | Zero-knowledge AES-256-GCM
Cyber insurance evidence | None | Screenshots at best | One-click compliance PDF
Browser extension | None | Autofill only — no phishing detection | Autofill + active phishing detection
Setup time | Immediate | Hours to days | Under an hour
03
Zero-Knowledge

WE CANNOT READ YOUR DATA.
BY DESIGN.

This is not a promise — it is a mathematical constraint. Without your master password, our database contains nothing useful to anyone.

01/
Your encryption key never leaves your device
Argon2id derives your key locally — memory-hard, GPU-resistant, computationally infeasible to brute-force. It never reaches our servers. Not in transit. Not at rest. Not ever.
02/
Every entry encrypted independently
AES-256-GCM with a unique random IV per entry, per-entry key derivation with a unique salt. One entry compromised tells an attacker nothing about any other. The vault is not a single encrypted blob — it is thousands of independent secrets.
03/
We hold meaningless ciphertext
Without your key, our database is indistinguishable from random data. There is no server-side path to your plaintext. Not even for us.
// On your device — never transmitted
masterKey = Argon2id(masterPassword, userSalt, {mem:64MB, iter:3})
entrySalt = crypto.getRandomValues(new Uint8Array(16))
entryKey = HKDF(masterKey, entrySalt, "entry-v1")
iv = crypto.getRandomValues(new Uint8Array(12))
ciphertext = AES_256_GCM(plaintext, entryKey, iv)
↓ only this reaches the server ↓
// Our database — per entry
stored = { ciphertext, iv, entrySalt }
↓ without masterPassword this is ↓
U29tZXRoaW5nIHVzZWxlc3MgdG8gYW55b25lIHdpdGhvdXQgeW91ciBtYXN0ZXIgcGFzc3dvcmQuIEV2ZW4gdXMu
Per-entry key derivation — one compromised entry reveals nothing else
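A runnable version of the flow sketched above, as an added example (not HexVault's client code). Two assumptions: PBKDF2 stands in for Argon2id, which WebCrypto does not provide, and the entry id is bound as GCM associated data, which the page does not mention but which stops a server from swapping one stored record for another.

```javascript
// Added example, not HexVault's code. Assumptions are marked inline.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// ASSUMPTION: PBKDF2-SHA-256 stands in for Argon2id, which WebCrypto lacks.
// The result is imported as a non-extractable HKDF base key, so script
// code can derive from it but cannot export the raw bytes.
async function deriveMasterKey(masterPassword, userSalt) {
  const pw = await wc.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveBits']);
  const bits = await wc.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt: userSalt, iterations: 600000 },
    pw, 256);
  return wc.subtle.importKey('raw', bits, 'HKDF', false, ['deriveKey']);
}

// entryKey = HKDF(masterKey, entrySalt, "entry-v1"), as on the page.
async function deriveEntryKey(masterKey, entrySalt) {
  return wc.subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: entrySalt, info: enc.encode('entry-v1') },
    masterKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Fresh 16-byte salt and 12-byte IV for every entry; the returned object
// is the only thing the server would store.
async function encryptEntry(masterKey, plaintext, entryId) {
  const entrySalt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveEntryKey(masterKey, entrySalt);
  const ct = await wc.subtle.encrypt(
    // ASSUMPTION: entryId as associated data (not stated on the page).
    { name: 'AES-GCM', iv, additionalData: enc.encode(entryId) },
    key, enc.encode(plaintext));
  return { entryId, ciphertext: new Uint8Array(ct), iv, entrySalt };
}

// Returns the plaintext, or null when GCM authentication fails: wrong
// master password, modified ciphertext, or a record served under the
// wrong entry id.
async function decryptEntry(masterKey, stored) {
  const key = await deriveEntryKey(masterKey, stored.entrySalt);
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: stored.iv, additionalData: enc.encode(stored.entryId) },
      key, stored.ciphertext);
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```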
04
Enterprise

SECURITY YOUR
IT TEAM CAN ENFORCE.

Full visibility across your organisation's credential posture — without touching a single employee's personal vault. Two cryptographic domains. Zero ambiguity about what belongs to whom.

SECURE BY DESIGN
A server breach exposes nothing readable. The encryption boundary is architectural — not a policy, not a promise, not a configuration option. It is the structure itself.
ADMIN CONTROLLED
Admins see every employee's credential health across org vaults only. Personal vaults are mathematically off-limits. Deprovision instantly — the org key rotation makes former-employee credentials worthless immediately.
AUDIT READY
Immutable audit trail across the entire credential lifecycle. Every access, every change, every approval. Timestamped, exportable, SIEM-ready. Compliance conversations made straightforward.
Admin Dashboard
Security scores, 2FA adoption, and breach exposure across all org vaults — personal vaults remain mathematically off-limits.
Password Policy Enforcement
Mandate minimum strength, rotation intervals, and 2FA. Non-compliance surfaced automatically.
SSO / SAML 2.0
Okta, Azure AD, Google Workspace, and any SAML 2.0 provider. SCIM provisioning for automatic account lifecycle.
Organisation-Wide Audit Logs
Every action logged and timestamped. CSV and SIEM export.
Structured Offboarding
Instant org key revocation on departure. Personal vault grace period. Former-employee credentials worthless within seconds.
Cryptographic Org Vaults
Org credentials encrypted with a separate org key — employees can use them, never own them. Org key stays with the organisation.
Multi-Party Approval
Destructive actions require multiple admin approvals with time-delay and cancellation windows. No single admin can act unilaterally.
Compliance Reporting
Exportable audit trails, per-employee security posture reports, and access reviews ready for SOC 2, ISO 27001, and Cyber Essentials.
Interested in Enterprise?
Let's Talk.
Org vaults, multi-party approval, structured offboarding, SSO, and audit logging. Pricing scales with your team. Get in touch to discuss early access and the product roadmap.
Roadmap

WHAT'S BUILT. WHAT'S NEXT.

HexVault ships continuously. No fixed dates — we release when it's right, document everything, and move fast without breaking things that matter.

NOW
Live
Web Vault
Zero-knowledge AES-256-GCM with per-entry HKDF key derivation. Argon2id master key. Nothing leaves your device unencrypted.
All Plans
HexGuard AI Security
Live security score, automatic weak/reused/breached credential detection and one-click fixing.
Pro+
Live Breach Monitoring
Continuous k-anonymity scanning against billions of known compromised credentials.
All Plans
Built-In TOTP Authenticator
Store 2FA secrets alongside credentials with live countdown codes. One less app, one less attack surface.
All Plans
Browser Extension
Chrome, Firefox & Edge. Zero-knowledge autofill, save-on-detect, TOTP codes, and vault badge. Live on Chrome Web Store.
All Plans
Passkeys / WebAuthn
Register and authenticate with device biometrics or hardware security keys. Full FIDO2 / WebAuthn.
All Plans
Password Import
One-click migration from Chrome, Firefox, Bitwarden, 1Password, LastPass, and CSV. Your file never leaves your browser.
All Plans
Emergency Access
Grant trusted contacts time-delayed vault access. Cryptographically enforced — you have a window to deny any request.
Pro+
Cloud Backup
Automated encrypted vault backup to Google Drive, Dropbox, or OneDrive. Restore from any point with one click.
Pro+
Secure Send
Zero-knowledge one-time share links. Self-destructs after view or expiry. No account needed to receive.
All Plans
Family Vault
Shared vault for up to 6 members with per-person permission controls and zero-knowledge key sharing.
Family
IT Admin Dashboard
Real-time org security posture, member management, MPA approvals, audit log, SIEM export, and policy enforcement.
Enterprise
SSO / SAML 2.0
Okta, Azure AD, Google Workspace, and any SAML 2.0 provider. Live for enterprise plans.
Enterprise
COMING
Planned
Passkey-First Login
Replace the master password entirely with device biometrics as the primary authentication factor.
All Plans
Real-Time Breach Push
Server-sent events for instant push notification the moment a credential appears in a new breach dump — before the daily scan runs.
Pro+
AI-Assisted Password Fixing
One-click fix for every weak, reused, or breached credential in your vault — HexGuard navigates to the site and changes it automatically.
Pro+
Digital Estate Planning
Encrypted will message and digital asset registry, unlocked only by an approved emergency access grant.
Pro+
Advanced Analytics
Vault health trends over time, per-member risk scoring history, and exportable compliance dashboards for auditors.
Enterprise
SCIM Provisioning
Automate user provisioning and deprovisioning via SCIM 2.0. Plug directly into your IdP lifecycle management.
Enterprise
Self-Hosted / On-Premise
Deploy HexVault on your own infrastructure. Full feature parity, air-gapped support, and your data never leaves your servers.
Enterprise
Download

GET HEXVAULT
ON ANY DEVICE.

Native desktop apps for Windows, macOS and Linux. Mobile apps install straight from your browser — no App Store needed.

HexVault for Windows
Windows 10 or 11 · x64
Download for Windows Portable .zip · 117 MB
Extract and run HexVault.exe — no install needed
Desktop app coming soon — use the web app in the meantime
HexVault for Mac
macOS 12 Monterey or later · Intel x64
Download for macOS .zip · 103 MB
Extract and drag HexVault.app to Applications
Desktop app coming soon — use the web app in the meantime
HexVault for Linux
AppImage · .deb · .rpm · x64 & ARM64
iPhone & Android
No App Store needed · installs from browser · fullscreen
Zero-knowledge — we never see your data
AES-256-GCM encrypted before leaving your device
Vault syncs automatically across all your devices
Pricing

STRAIGHTFORWARD PRICING.
NO FREE TIER. NO TRICKS.

Every plan is fully featured from day one. If you're serious about security, this tool is worth paying for. Try any plan for 14 days — no card required.

Monthly Annual Save 20%
Personal
£3.99/mo
£3.19/mo
Billed annually — save £9.60/yr
 
14-day free trial
Zero-knowledge encryption, AI security analysis, and breach monitoring. Everything you need — nothing you don't.
  • Unlimited passwords & secure notes
  • Zero-knowledge AES-256-GCM encryption
  • Live breach monitoring (k-anonymity)
  • Built-in TOTP authenticator
  • Encrypted one-time share links
  • Decoy entry (honeypot) alerts
Pro
£6.99/mo
£5.59/mo
Billed annually — save £16.80/yr
 
14-day free trial
The complete security intelligence suite. For individuals who treat security as seriously as it deserves.
  • Everything in Personal
  • HexGuard AI security engine
  • Full security analytics dashboard
  • Activity log & audit trail
  • PDF security reports
  • Emergency access
  • Priority support
Family
£9.99/mo
£7.99/mo
Billed annually — up to 6 members
 
14-day free trial
Full Pro for everyone at home. One subscription, shared family vault, plus separate private vaults for each member.
  • Everything in Pro
  • Up to 6 family members
  • Shared family vault
  • Individual private vaults
  • Family member management
  • Shared breach monitoring
Most popular for teams
Team
£8.99/seat/mo
£7.19/seat/mo
Billed annually — save 20% per seat
 
14-day free trial — no card required
Full HexVault for every team member. Zero-knowledge vault, offboarding workflow, AI breach alerts, and a full audit trail. Set up in under an hour.
  • Full Pro account per seat
  • Encrypted shared folders with role permissions
  • Structured offboarding + credential rotation
  • HexGuard AI security briefings
  • Team audit log & compliance PDF
  • Up to 50 members
Enterprise
Custom
Custom
 
 
For larger teams and organisations that need advanced controls, dedicated support, and custom deployment options.
  • Everything in Team
  • Enterprise SSO / SAML 2.0
  • SCIM provisioning & directory sync
  • Dedicated account manager
  • SLA & priority support
  • Unlimited members
Talk to us
Early Access

JOIN EARLY.
SHAPE WHAT WE BUILD.

HexVault is in active development. Early access members get founding pricing when we launch — and direct input on the product roadmap. One email when we go live. Nothing else.

No card required · One email on launch · Founding member pricing
Why teams choose HexVault
Set up in under an hour
Import from LastPass, 1Password, or CSV. Invite your team by email. Done. No IT project, no agents, no consultants.
We literally cannot read your passwords
Everything is encrypted on your device before it reaches us. Not a privacy policy — a mathematical constraint.
UK company, UK data
Registered in England & Wales. Hosted in the UK. GDPR compliant, ICO registered. Your data doesn't leave the UK.
Know the moment something goes wrong
HexGuard monitors your team's credentials against breach databases 24/7 and alerts you before you'd otherwise find out.
Common questions
Frequently asked
HexVault's offboarding workflow shows you every credential that person accessed, creates rotation tasks for each one with assignable owners, and cryptographically revokes their access — all in one step. There's a configurable grace period for knowledge handover, and a final audit record is stored automatically when offboarding completes. Most teams complete a full offboarding in under 10 minutes.
Most teams are fully set up in under an hour. Import from LastPass, 1Password, Bitwarden, or a CSV file. Invite your team by email. Assign folders and roles. No agents to install, no IT project, no consultants required. The browser extension installs in seconds and starts autofilling immediately.
Yes. HexVault generates a one-click PDF compliance report showing your credential security posture — rotation compliance, breach exposure, 2FA coverage across the team, and your security score trend. This is accepted by insurers for cyber liability questionnaires and is suitable for ISO 27001 and Cyber Essentials audits.
Your master password never leaves your device. All encryption happens in your browser using Argon2id + AES-256-GCM before any data is transmitted. HexVault's servers receive only encrypted ciphertext — we have no mathematical ability to read your passwords, even if compelled by a court order or breached by an attacker.
HexVault uses Argon2id with 64 MB of memory per derivation attempt. 1Password uses PBKDF2, and Bitwarden defaults to 19 MB. This makes brute-forcing your master password roughly 1,000× more expensive per guess on modern GPU hardware. We're also UK-based, fully GDPR-compliant, and our client code is intentionally unminified so you can audit it.
Nothing — this is the core promise of zero-knowledge architecture. A server breach yields only AES-256-GCM ciphertext. Without your master password (which never left your device), decrypting it is computationally infeasible. Your account email and subscription status would be exposed, and we would notify you, but your actual passwords remain safe.
Yes. HexVault supports importing from 1Password, Bitwarden, LastPass, Dashlane, KeePass, and generic CSV. The import runs entirely client-side — your passwords are encrypted on device before upload, so the import itself is zero-knowledge too.
Yes. HexVault Ltd is registered in England and Wales. All data is hosted within the UK and EEA on encrypted volumes. We do not transfer personal data outside the UK/EEA without an adequacy decision or appropriate safeguards. We are registered with the ICO as a data controller.
No credit card required. You get full access to the Personal plan for 14 days, including unlimited password entries, breach monitoring, HexGuard AI, and two-factor authentication. After 14 days you choose a plan — or the free tier continues with limited entries.
Yes. HexVault supports WebAuthn / FIDO2 — Face ID, Touch ID, Windows Hello, and physical hardware keys like YubiKey. These are phishing-resistant by design, scoped to hexvault.co.uk so they cannot be replayed on a fake domain.