Share secrets with the team. Not with us.
A zero-knowledge vault for the credentials your project actually runs on — production database URLs, AWS keys, client SFTP, the whole list. Encrypted in your browser, sealed with your master password, and wrapped per-collaborator so only the right people can open it.
Type a secret. Watch it get sealed in your browser.
A full WebCrypto demo: PBKDF2-SHA256 derives the KEK from your master password, RSA wraps the project DEK, and AES-GCM encrypts the secret — all on this page, all in your browser. The ciphertext is the only thing that would ever leave your machine.
Your master password never reaches our servers. Ever.
Logbook derives a Key-Encryption Key in your browser using PBKDF2-SHA256 with 200,000 iterations. That key wraps your private RSA-2048 key locally, and that private key in turn unwraps the per-project Data-Encryption Key. We literally cannot decrypt your secrets — no support agent, no rogue admin, no court order.
- AES-256-GCM authenticated encryption with per-record IVs
- PBKDF2-SHA256 · 200,000 iterations · per-user salt
- Memory zeroed via libsodium after every operation
Granting access does not leak your password.
Every project vault has its own random DEK. When you invite a teammate, Logbook wraps a copy of that DEK using their public key — so they can read the vault with their own master password, while yours stays private. Revoking is instant and per-user.
- Add or remove collaborators without re-encrypting the vault
- Revoke access in one click — wrapped DEK is destroyed
- Audit log of every unlock, share and rotation
Forget your password? You still own your vault.
On vault creation, Logbook generates a one-time recovery code that wraps the DEK separately. Stash it in your password manager or print it. If you lose your master password, the recovery code plus a new password restores access — without ever giving us a way in.
- 24-character code, formatted in groups of four
- Rotate or regenerate it any time
- No “contact support to reset” backdoor — by design
Built for project context, not browser autofill.
- Where credentials liveIn a personal vault, disconnected from the project they belong to.Inside the project that uses them — next to the tasks, notes and meetings that reference them.
- Onboarding a new teammateManually share each item, hope nothing leaks via Slack screenshots.Add them to the project — wrapped DEK is generated automatically, only the items they need.
- OffboardingRotate every shared password (and you will forget some).Revoke their wrapped DEK in one click. No re-encryption needed.
- Audit trailLimited or paid add-on.Every unlock, share, edit and rotation is logged at the project level.
Cryptography you can show your security team.
0-bit
AES-GCM data encryption
Authenticated, per-record IVs
0k
PBKDF2 iterations
SHA-256, per-user salt
0 min
Auto-lock window
DEK held in volatile memory only
0
Bytes of plaintext on our servers
We genuinely cannot read your vault
One vault, many workflows.
Production credentials, scoped to the project that owns them.
Stop pasting database URLs into Notion. Drop them into the Vault block of the project, and the only people who can unlock are the ones already on the project.
- Per-environment items (staging, prod, sandbox)
- Expiring credentials with renewal reminders
- CLI export to fill .env safely