Zero-trust P2P password manager with graph-native secrets and AI-native MCP
- Zero-knowledge encryption - Master password never leaves your device
- No cloud dependencies - P2P sync with your own devices only
- Enterprise-grade crypto - Argon2 + AES-256-GCM
- Cross-platform - Desktop (Rust/Tauri) + Browser extensions
- P2P sync - PluresDB CRDT replication for device-to-device synchronization
- Enterprise ready - Azure Key Vault integration
- Graph-native secrets - Relationship-first secret management with groups, tags, and dependency tracking
- AI-native MCP - Model Context Protocol server for AI agent integration
```bash
# Initialize a new vault
cargo run -- init --name "My Secure Vault"
# Add a credential
cargo run -- add --title "GitHub" --username "myuser"
# Get a credential
cargo run -- get --title "GitHub"
# List all credentials
cargo run -- list
```

Plures Vault introduces relationship-first secret management. Secrets aren't flat entries; they form a graph of relationships:
```bash
# Create organizational groups and tags
cargo run -- graph add-group --label "Work"
cargo run -- graph add-tag --label "critical"
# Link credentials to groups and tags
cargo run -- graph link-group --credential <CRED_UUID> --group <GROUP_UUID>
cargo run -- graph link-tag --credential <CRED_UUID> --tag <TAG_UUID>
# Add dependencies between credentials
cargo run -- graph add-dep --source <APP_UUID> --target <DB_UUID>
# Analyze rotation impact - what breaks if a secret changes?
cargo run -- graph impact --credential <DB_UUID>
# View the full secret graph
cargo run -- graph show
```

| Type | Description |
|---|---|
| `DependsOn` | Secret A depends on Secret B (e.g., app depends on DB credential) |
| `GroupMember` | Secret belongs to an organizational group |
| `TaggedWith` | Secret has a classification tag |
| `DerivedFrom` | Secret is derived from another (e.g., API key from master) |
| `SharedWith` | Secret is shared with an environment/service |
| `Supersedes` | Secret replaces an older version |
| `BundledWith` | Secrets are used together (e.g., username + password + 2FA) |
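
The rotation-impact question that `graph impact` answers can be modelled as a reverse traversal of the dependency edges. The sketch below is an added example, not Plures Vault's own code: the `SecretGraph` type, its methods, the sample secret names, and the choice that only `DependsOn` and `DerivedFrom` edges propagate a rotation are assumptions made for illustration.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

// Relationship names come from the table above; everything else is illustrative.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Rel { DependsOn, DerivedFrom, GroupMember }
#[derive(Default)]
struct SecretGraph { edges: Vec<(String, Rel, String)> } // (source, rel, target)

impl SecretGraph {
    fn link(&mut self, s: &str, r: Rel, t: &str) { self.edges.push((s.into(), r, t.into())); }

    /// Secrets transitively affected by rotating `rotated`, with hop distance.
    fn impact(&self, rotated: &str) -> Vec<(String, usize)> {
        // Reverse index: target -> sources relying on it. Only DependsOn and
        // DerivedFrom propagate a rotation (assumption); grouping edges do not.
        let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
        for (src, rel, dst) in &self.edges {
            if matches!(rel, Rel::DependsOn | Rel::DerivedFrom) {
                dependents.entry(dst.as_str()).or_default().push(src.as_str());
            }
        }
        let mut seen = BTreeSet::from([rotated]);
        let mut queue = VecDeque::from([(rotated, 0usize)]);
        let mut affected = Vec::new();
        while let Some((node, depth)) = queue.pop_front() {
            for &dep in dependents.get(node).into_iter().flatten() {
                if seen.insert(dep) { // visited set also stops dependency cycles
                    affected.push((dep.to_string(), depth + 1));
                    queue.push_back((dep, depth + 1));
                }
            }
        }
        affected
    }
}

// Constructed sample graph, including a deliberate cycle.
fn sample() -> SecretGraph {
    let mut g = SecretGraph::default();
    g.link("app-token", Rel::DependsOn, "db-password");
    g.link("report-api-key", Rel::DerivedFrom, "app-token");
    g.link("db-password", Rel::DependsOn, "report-api-key"); // cycle
    g.link("db-password", Rel::GroupMember, "Work");
    g
}

fn main() { println!("{:?}", sample().impact("db-password")); }
```

The hop distance gives a rotation order: secrets at distance 1 must be updated first after the rotated secret changes, then distance 2, and so on.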
Plures Vault includes a Model Context Protocol (MCP) server, allowing AI agents to interact with the vault programmatically:
```bash
# Start MCP server (reads JSON-RPC from stdin)
cargo run -- mcp-serve
```

| Tool | Description |
|---|---|
| `vault_list_credentials` | List all credential titles |
| `vault_get_credential` | Get a specific credential by title |
| `vault_add_credential` | Add a new credential |
| `vault_delete_credential` | Delete a credential |
| `vault_search` | Search credentials by query |
| `vault_status` | Get vault status information |

| URI | Description |
|---|---|
| `vault://credentials` | List of all credentials |
| `vault://status` | Current vault status |
```
Master Password (device-only)
    ↓ Argon2
Derived Master Key (memory-only)
    ↓ AES-256-GCM
PluresDB CRDT Store (encrypted at rest)
    ↓ Graph Layer (relationships, groups, tags)
    ↓ MCP Server (AI-native tool interface)
    ↓ P2P Sync (GUN protocol / relay)
Encrypted Sync to Your Devices
```
| Crate | Description |
|---|---|
| `vault-core` | Core vault operations backed by PluresDB |
| `vault-crypto` | AES-256-GCM encryption + Argon2 key derivation |
| `vault-graph` | Graph-native secret relationship management |
| `vault-mcp` | MCP (Model Context Protocol) server for AI integration |
| `vault-sync` | P2P sync via PluresDB CRDT replication |
| `vault-akv` | Azure Key Vault bidirectional sync |
- ✅ Phase 1: Core Vault - Production-ready CLI with PluresDB backend
- ✅ Phase 2: Graph-Native Secrets - Relationship-first secret management
- ✅ Phase 3: AI-Native MCP - Model Context Protocol server
- ✅ Phase 4: P2P Sync - PluresDB CRDT replication with GUN protocol
- Phase 5: GUI + Browser Extensions - In development
- Phase 6: Enterprise Features - Azure KV sync, multi-partition licensing
vs 1Password/Bitwarden:
- No subscription fees for personal use
- No cloud servers to compromise
- Your data stays on your devices
- Graph-native secret relationships
- AI-native MCP integration
vs local solutions:
- Secure P2P sync across devices
- Professional encryption standards
- Enterprise integration available
- Relationship-aware secret management
- Personal: 1 sync partition free forever
- Scale: $10/month per additional sync partition (NOT per user!)
Why this is better:
- Small teams: Share 1 partition = $0/month (vs $10/user elsewhere)
- Enterprise: Pay per logical boundary, not headcount
- Personal: Add family partition for just $10/month total
- Master passwords are never stored or transmitted
- All data encrypted with AES-256-GCM before storage
- Argon2 key derivation with secure salting
- Memory safety with automatic secrets cleanup (zeroize)
- PluresDB CRDT store with conflict-free replication
- Open source for transparency
- Azure Key Vault integration for centralized secret management
- Team credential sharing with granular permissions
- Comprehensive audit logging and compliance reporting
- SSO integration and enterprise policy enforcement
Made by Plures - Building the future of privacy-first infrastructure