Features

Six things, done right.

Vault, Generator, AutoFill, Sync, Recovery, Sharing. Every feature traces back to a primitive in the security model — and stops where the threat model says it should.

01 · Vault

Every secret has a home.

Logins, secure notes, API keys, credit cards, software licenses, identity documents. All client-side encrypted, all searchable, all yours.

  • Login
  • Secure note
  • API key
  • Credit card
  • Identity
  • License
  • Custom field

vault · 247 items encrypted

  • github.com | tuan@keevo.dev | login
  • openai.com | sk-proj-···7f3a | api key
  • VietcomBank — debit | 9704 ···· ···· 4823 | card
  • notion.so · workspace | tuanle | login
  • Server SSH config | 14 lines · markdown | note
  • Lê Anh Tuấn — passport | N1234567 · exp 2031 | identity

generator · CSPRNG
password | passphrase | PIN
9!Yh#4Mw&Pq2Vk@Rt7Nj^Lc
length 22
✓ A-Z ✓ a-z ✓ 0-9 ✓ symbols ✗ ambiguous
strength 144 bits · centuries to crack

02 · Generator

Real entropy. Real never-sent.

Backed by your operating system's CSPRNG. We don't have a "service" that "generates passwords for you" — generation is a single function call, on your device, taking your bytes from /dev/urandom.

  • Diceware EFF wordlist
  • NIST SP 800-90A
  • 22-char default
  • Pronounceable mode
03 · AutoFill

Fills exactly the right form. Refuses the wrong one.

iOS AutoFill API on iPhone. MV3 content scripts on Chrome. Both match by exact registrable domain — never by visual similarity, never with fuzzy matching that could leak credentials to a phishing clone.

  • iOS 17+ AutoFill
  • Chrome MV3
  • TOTP auto-paste
  • Phishing detection

Sign in to linear.app?
tuan@keevo.dev · 2FA paired · [Fill]

Refused: domain doesn't match
  vault saved: linear.app
  page asks: linear-app.support-login.io

Match logic (excerpt)

    if (parseRegistrableDomain(page.url) !==
        parseRegistrableDomain(item.url)) {
      return REFUSE;
    }
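
The match rule from the excerpt above, written out as an added example (not Keevo's code): a stand-in parseRegistrableDomain() over a small constructed subset of the Public Suffix List, and a fail-closed decide() wrapper. The names decide, SUFFIXES and FILL and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not Keevo's implementation. SUFFIXES is a constructed subset
// of the Public Suffix List; a real matcher needs the full, current list.
const SUFFIXES = new Set(["com", "app", "io", "dev", "co.uk"]);
const REFUSE = "REFUSE";
const FILL = "FILL";

// Stand-in for the helper named in the excerpt: returns the public suffix
// plus one label, or null when no registrable domain can be determined.
function parseRegistrableDomain(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname; // lowercased, punycoded, userinfo stripped
  } catch {
    return null;
  }
  const labels = host.replace(/\.$/, "").split(".");
  // Slices shrink as i grows, so the first hit is the longest suffix.
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // bare suffix, IP literal, or suffix not in the list
}

// Hypothetical wrapper around the excerpt's comparison. It fails closed:
// two unparseable URLs both yield null and must not count as a match.
function decide(pageUrl, itemUrl) {
  const page = parseRegistrableDomain(pageUrl);
  const item = parseRegistrableDomain(itemUrl);
  if (page === null || item === null || page !== item) return REFUSE;
  return FILL;
}

// Constructed page URLs checked against a vault item saved for linear.app.
const samples = [
  "https://app.linear.app/login",          // subdomain of the saved domain
  "https://linear-app.support-login.io/",  // the look-alike from the mock-up
  "https://linear.app@support-login.io/",  // saved name placed in userinfo
  "https://192.0.2.10/login",              // IP literal, no registrable domain
];
for (const url of samples) {
  console.log(decide(url, "https://linear.app"), url);
}
```

Only the first sample is filled; the other three are refused because their registrable domain is support-login.io or cannot be determined at all.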

iOS: ↑ push 2 deltas · ✓ ack 12:04:33 · ↓ pull 0 deltas · ● synced
Chrome: ↓ pull 2 deltas · ✓ ack 12:04:34 · ↑ push 0 deltas · ● synced
relay: sync.keevo.tuanle.dev · stores ciphertext only · cannot decrypt

04 · Sync

Encrypted deltas, in order, idempotent.

Each change to the vault is sealed locally and pushed as a versioned delta. Other devices pull, verify the signature, decrypt locally, and replay. The relay sees a content-addressed ciphertext; nothing else.

  • CRDT-ordered
  • ed25519 signed
  • Self-host
  • EU region
05 · Sharing

Share an item without sharing your vault.

One-time encrypted links for guests (a contractor, a friend, IT). Persistent shares for teammates via a public-key handshake. Revoke any share and the recipient's local copy refuses to decrypt.

  • One-time link
  • Persistent share
  • X25519 handshake
  • Revocable

share · server SSH config · active
Recipient: an.le@vibelab.dev
Public key fingerprint: SHA256:7c3a91 b32c ff44 8d e1 90
Share link: keevo.tuanle.dev/s/9F-K3-A7-XQ#k=···
Expires in 24h · Revoke

QR · v3.0 · A4-9KZ-7FX-2BR-NMC-PLW
Recovery Kit · keep offline

06 · Recovery Kit

Print it. Store it. Forget it exists — until you need it.

Keevo can't email you a reset link, because we don't have anything to reset to. The Recovery Kit is your one-page failsafe — generated locally at signup, printed once, kept somewhere physically safe.

  • Printable PDF
  • QR + plaintext
  • YubiKey backup (Pro)

Set it up in 90 seconds.

Pick a Master Password, generate a Secret Key, print the Recovery Kit. You're done.