The person behind the vault

Built by a security analyst who got tired of the gap

Between consumer password managers that ignore enterprise realities and enterprise tools that are impossibly complex. HexVault is the platform that should have existed.

HexVault
CYBERSECURITY ANALYST · SOLE DEVELOPER · FOUNDER

A cybersecurity analyst who has spent years working with organisations on credential security, access management, and incident response. Built HexVault after repeatedly seeing the same problems — personal credentials leaking into org vaults, no structured offboarding, single admins with unlimited unilateral power, and no cryptographic separation between trust domains. The platform is the answer to everything that was missing.

Zero-knowledge · Cryptography · Incident response · Access management · Threat modelling · Python / Flask · PostgreSQL

Why this exists and why it's different

Every organisation I worked with had the same problem. Credentials lived in the wrong place. Work passwords in personal vaults. No way to rotate everything when someone left. A single admin who could do anything without oversight. And consumer password managers that treated "team" as a folder permission, not an architectural boundary.

The enterprise tools that got the architecture right were priced and complexified out of reach for the organisations that needed them most. A 50-person company can't afford CyberArk. They shouldn't have to.

HexVault is built on a simple principle: the separation between personal, family, and organisation credentials should be cryptographic, not just a policy. When someone leaves, revoking their access should be mathematically complete, not dependent on an admin remembering to click the right button.

Every feature — the multi-party approval, the structured offboarding, the anomaly detection, the per-entry key derivation — comes directly from real incidents and gaps I encountered doing this work professionally.

v6.38: Current version, iterating fast
3: Cryptographic vault domains
AES‑256: Per-entry GCM encryption
0: Plaintext stored on our servers
Principles
The decisions that never change
01. Zero-knowledge, always

The server stores ciphertext. Only you hold the key. This is not a policy — it is the architecture. No feature will ever compromise this.

02. No single point of trust

Multi-party approval is not optional for sensitive operations. No admin, including the platform itself, should be able to act unilaterally on your credentials.

03. Honest about limitations

HexVault has not been independently audited yet. That is stated clearly. No feature is positioned beyond what the current architecture actually delivers.

04. Built to be replaced

Your data should always be exportable in a standard format. No lock-in. If something better comes along, you should be able to leave cleanly.

Build log
How we got here
Early 2025
The problem becomes undeniable

A third incident response engagement in six months where credentials were found in the wrong vault. The pattern was clear. No existing tool solved it correctly.

Mid 2025
Architecture first, code second

Six weeks spent designing the cryptographic separation model before writing a single line of application code. Per-entry key derivation, group key distribution, domain isolation.

Late 2025
Core vault ships

Personal vault, breach monitoring, TOTP storage, secure notes, WebAuthn. The foundation everything else builds on.

Early 2026
Enterprise features enter development

Multi-party approval, structured offboarding, anomaly detection, credential access logging, org vault schema. The governance layer that makes HexVault genuinely enterprise-grade.

Now
Active development, approaching launch

Family vault and organisation features in build. Independent security audit planned. Version 6.38 and climbing.

If this resonates, try it

14 days free. No credit card. Your data encrypted client-side from the first entry.