Local-first · GPL-3.0 · v1.1.0

The password manager that doesn't have a server to breach.

1Key lives only on your phone. No cloud. No account. No telemetry. No INTERNET permission in the manifest. Free, forever.

Argon2id
m=64 MiB · t=3
AES-256-GCM
+ HKDF subkeys
0 network calls
0 trackers
API 26+
Targets Android 16
[Screenshot: 1Key vault home screen]
0 network calls · verified at runtime
Encrypted at rest · AES-256-GCM
£0 / forever · no premium tier
Why 1Key exists

Every mainstream password manager keeps your vault on their servers.

Mainstream managers charge £25-£100/year for autofill, TOTP, and export - features that should be commoditised by now. The pitch is convenience: sync, recovery, sharing. The bill is an encrypted blob sitting on someone else's machine, attached to your email, waiting for the next breach disclosure.

1Key takes the opposite trade. Your vault lives in one place - this phone - and never leaves unless you explicitly export it. You give up sync and recovery. In return: no vendor server in your threat model, no account to subpoena, no auth blob to brute-force offline, and no subscription.

Mainstream cost · £25-£100 / year

Premium tiers for autofill, TOTP, and exports - features that ship in 1Key's free build.

1Key cost · £0 / forever

GPL-3.0. One tier. The build you sideload is the full app.

What's inside

Eight things doing the work while you copy-paste.

A walk through the cryptographic and UX choices behind a vault that never phones home.

Argon2id KDF

m=64 MiB, t=3, p=1. Memory-hard derivation that flattens the GPU and ASIC speedup attackers expect from PBKDF2 or bcrypt.

Key derivation

AES-256-GCM + HKDF

Authenticated encryption with HKDF-SHA256 subkey separation. Each field is encrypted independently and bound by AAD to its row and column.

Symmetric encryption
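What "HKDF-SHA256 subkey separation" and "bound by AAD to its row and column" look like in practice, as an added example: this is not 1Key's code (the app is Kotlin; this is Go with only the standard library). The master key is a constructed stand-in for the Argon2id output, and the HKDF info label ("1key-field:...") and the AAD byte layout are assumptions, not the app's real ones.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdfSHA256 derives one 32-byte subkey from the master key (RFC 5869 extract-then-expand,
// single output block). The info label is what keeps one purpose's key apart from another's.
func hkdfSHA256(masterKey []byte, info string) []byte {
	salt := make([]byte, sha256.Size) // no salt supplied: RFC 5869 substitutes HashLen zero bytes
	extract := hmac.New(sha256.New, salt)
	extract.Write(masterKey)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{0x01}) // T(1) = HMAC(PRK, info || 0x01); 32 bytes is all we need
	return expand.Sum(nil)
}

// fieldAAD is the associated data that pins a ciphertext to exactly one cell.
// Layout is constructed for this example: table || 0x00 || rowID (8 bytes BE) || 0x00 || column.
func fieldAAD(table string, rowID uint64, column string) []byte {
	var id [8]byte
	binary.BigEndian.PutUint64(id[:], rowID)
	var aad bytes.Buffer
	aad.WriteString(table)
	aad.WriteByte(0)
	aad.Write(id[:])
	aad.WriteByte(0)
	aad.WriteString(column)
	return aad.Bytes()
}

// columnGCM builds AES-256-GCM under the per-column subkey.
// The "1key-field:" label is an assumption, not the app's real HKDF info string.
func columnGCM(masterKey []byte, column string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(hkdfSHA256(masterKey, "1key-field:"+column))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one cell; output is nonce || ciphertext || tag.
func encryptField(masterKey []byte, table string, rowID uint64, column string, plaintext []byte) ([]byte, error) {
	gcm, err := columnGCM(masterKey, column)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, fieldAAD(table, rowID, column)), nil
}

// decryptField only succeeds when the caller names the same table, row and column the cell
// was sealed under; a ciphertext copied into another row or column fails the tag check.
func decryptField(masterKey []byte, table string, rowID uint64, column string, sealed []byte) ([]byte, error) {
	gcm, err := columnGCM(masterKey, column)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, fieldAAD(table, rowID, column))
}

func main() {
	// Constructed stand-in for the Argon2id output; the real key comes from the master password.
	masterKey := bytes.Repeat([]byte{0x42}, 32)
	sealed, _ := encryptField(masterKey, "credentials", 7, "password", []byte("correct horse"))
	pt, err := decryptField(masterKey, "credentials", 7, "password", sealed)
	fmt.Printf("same cell: %q err=%v\n", pt, err)
	_, err = decryptField(masterKey, "credentials", 8, "password", sealed)
	fmt.Println("moved to row 8:", err) // tag check fails: the AAD names a different row
	_, err = decryptField(masterKey, "credentials", 7, "notes", sealed)
	fmt.Println("moved to notes column:", err) // different subkey and different AAD
}
```

The point of the two failing decryptions: with a per-row, per-column AAD, an attacker holding the SQLite file cannot shuffle ciphertexts between cells (say, copying one entry's password blob over another's) without the tag rejecting it, and per-column subkeys mean a key recovered for one column tells you nothing about the others.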

Keystore-bound verifier

The password check sits in EncryptedSharedPreferences, not next to the database. A leaked SQLite file alone has no oracle to brute-force on devices with a working hardware Keystore.

Hardware-backed

TOTP in the same record

Your second factor lives next to the credential it protects. No app switching, no premium tier, no separate authenticator to set up.

2FA built-in

OCR credential capture

Point the camera at a card, screen, or printed token. On-device ML Kit extracts the text. Nothing uploads. Nothing trains a model elsewhere.

On-device ML

Encrypted backups (V5)

AES-256-GCM under Argon2id, with timestamp, vault-version counter, KDF parameters, and a Secret Key FLAGS byte all bound into the auth tag. V1-V4 still restore; manual exports now write V5.

Anti-rollback
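How a backup envelope can keep its metadata readable yet still "bound into the auth tag", as an added example that is not 1Key's code and does not reproduce its real V5 byte layout: the header (format version, timestamp, vault-version counter, Argon2id m/t/p, flags byte) is a constructed layout for this Go example, the key is a stand-in for the Argon2id output (the derivation is not shown), and the rollback policy in isRollback is an assumption about what a restore does with the authenticated counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed header layout for this example (not 1Key's real V5 byte format):
// "1KEY"(4) | format(1) | timestamp(8) | vault version(8) | argon2 m KiB(4) | t(4) | p(1) | flags(1)
const headerLen = 4 + 1 + 8 + 8 + 4 + 4 + 1 + 1

type backupHeader struct {
	Format       uint8  // 5 for V5
	Timestamp    uint64 // unix seconds at export
	VaultVersion uint64 // counter bumped on every vault write
	MemoryKiB    uint32 // Argon2id m
	Iterations   uint32 // Argon2id t
	Parallelism  uint8  // Argon2id p
	Flags        uint8  // Secret Key FLAGS byte
}

func (h backupHeader) marshal() []byte {
	b := make([]byte, headerLen)
	copy(b[0:4], "1KEY")
	b[4] = h.Format
	binary.BigEndian.PutUint64(b[5:13], h.Timestamp)
	binary.BigEndian.PutUint64(b[13:21], h.VaultVersion)
	binary.BigEndian.PutUint32(b[21:25], h.MemoryKiB)
	binary.BigEndian.PutUint32(b[25:29], h.Iterations)
	b[29], b[30] = h.Parallelism, h.Flags
	return b
}

func parseHeader(b []byte) (backupHeader, error) {
	if len(b) < headerLen || string(b[0:4]) != "1KEY" {
		return backupHeader{}, errors.New("not a 1Key backup header")
	}
	return backupHeader{Format: b[4],
		Timestamp:    binary.BigEndian.Uint64(b[5:13]),
		VaultVersion: binary.BigEndian.Uint64(b[13:21]),
		MemoryKiB:    binary.BigEndian.Uint32(b[21:25]),
		Iterations:   binary.BigEndian.Uint32(b[25:29]),
		Parallelism:  b[29], Flags: b[30]}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) { // key: the 32-byte Argon2id output (not derived here)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup writes header || nonce || ciphertext || tag. The header stays in the clear so a
// restore can read the KDF parameters first, but it is passed as AAD, so the tag covers it.
func sealBackup(key []byte, h backupHeader, vault []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := h.marshal()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(hdr, nonce...), nonce, vault, hdr), nil
}

// openBackup authenticates header and body together: editing the clear-text header
// (bumping the counter, flipping the flags byte) fails the tag check before anything is used.
func openBackup(key, blob []byte) (backupHeader, []byte, error) {
	h, err := parseHeader(blob)
	if err != nil {
		return h, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(blob) < headerLen+gcm.NonceSize() {
		return h, nil, errors.New("bad key length or truncated backup")
	}
	body := blob[headerLen:]
	pt, err := gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], blob[:headerLen])
	if err != nil {
		return h, nil, errors.New("authentication failed: header or body was modified")
	}
	return h, pt, nil
}

// isRollback is the policy check a restore would run after authentication. Whether 1Key refuses
// or only warns on an older counter is an assumption; the page says only that the counter is bound.
func isRollback(h backupHeader, liveVaultVersion uint64) bool {
	return h.VaultVersion < liveVaultVersion
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte stand-in for the Argon2id output
	h := backupHeader{Format: 5, Timestamp: 1700000000, VaultVersion: 42, MemoryKiB: 64 * 1024, Iterations: 3, Parallelism: 1, Flags: 1}
	blob, _ := sealBackup(key, h, []byte(`{"entries":[]}`))
	got, pt, err := openBackup(key, blob)
	fmt.Printf("restore: counter=%d body=%s err=%v rollback=%v\n", got.VaultVersion, pt, err, isRollback(got, 43))
	forged := append([]byte(nil), blob...)
	binary.BigEndian.PutUint64(forged[13:21], 99) // forge a newer counter in the clear header
	_, _, err = openBackup(key, forged)
	fmt.Println("forged counter:", err)
}
```

Reading the header before decryption is what lets a restore pick the right Argon2id parameters for the password; the AAD binding is what stops someone from quietly downgrading those parameters, rewriting the counter or clearing the flags byte in a file they can edit but not decrypt.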

Auto-detecting importer

Google Passwords, LastPass, KeePass, 1Password, Safari / iCloud Keychain, Dashlane, NordPass. Drop the CSV - no manual column mapping.

7 formats

Table-stakes UX

Categories, favourites, recycle bin, search, sort, autofill, biometric unlock. Free tier in 1Key is the only tier - there is nothing else to upsell.

Everything included

Full cryptographic architecture and threat model: read the white paper →

See it

Material 3, with the cloud-account bits removed.

Four screens. No onboarding to a server. No "verify your email." Set the master password, the vault opens.

Honest limits

Three rules. Read them before you commit.

These aren't an MVP backlog. They're the architecture working as designed.

01 · One device.

No cross-device cloud sync. Lose the phone without a current backup, lose the vault. Encrypted backups (manual export or the optional Sync-to-folder feature) are your safety net - make them.

02 · One password.

No recovery, no escrow, no reset link. Forget it without a backup, lose the vault. There is no admin who can help.

03 · One developer.

No on-call, no SLA, no third-party security audit yet. The code is open - read it, build it, run whichever version works.

If you need cross-device sync, team sharing, or vendor recovery, choose a hosted manager. They exist for good reasons. 1Key is for users who deliberately want no vendor server in their threat model.

Should you use 1Key?

A two-column gut check.

Use 1Key if · The architecture matches your threat model

  • You want a manager that never talks to a server
  • You're done paying £25-£100/year for autofill and TOTP
  • You can keep an encrypted backup somewhere safe
  • You're comfortable reading source or trusting community review

Don't use 1Key if · A hosted manager is the better fit

  • You need cross-device sync
  • You need to share credentials with a team
  • You can't reliably remember a strong master password
  • You need formal SOC 2 / ISO 27001 vendor compliance

Get it

Two ways in. Both reproducible.

Sideload the signed APK from GitHub Releases, or build from source in three commands. F-Droid distribution is planned.

Option 1 · Fast path

Install the signed APK

Latest release, signed with the developer's key. Verify the SHA-256 against the release notes before sideloading.

1Key_1.1.0_*_release.apk · ~16 MB (armeabi-v7a) to ~22 MB (arm64-v8a / x86_64) · Android 8.0+ · arm64-v8a, armeabi-v7a, x86_64 (universal also available)
GitHub Releases →
F-Droid · Reproducible build - distribution planned (soon)
Option 2 · Build it yourself

Three commands, no API keys

Clone, compile, install. No .env, no Firebase token, no service account.

$ git clone https://github.com/roufsyed/1Key
$ cd 1Key
$ ./gradlew assembleDebug
# → app/build/outputs/apk/debug/app-debug.apk