Everything you need to stay secure

Keestash combines a zero-knowledge server with native clients for web and iOS. Every feature is designed around one principle: your data stays yours.

Built on a zero-knowledge foundation

Zero-Knowledge Encryption

Your master password is never transmitted or stored. All encryption and decryption happens on your device using AES-256-GCM. Keestash servers only ever store encrypted ciphertext — no keys, no plaintext.

End-to-End Encrypted Sync

Sync your vault across all devices without exposing plaintext to the server. Data is encrypted on the client before it ever leaves your browser or app.

Password Health Dashboard

A live donut chart shows your vault's security posture: breached passwords in red, weak passwords in orange, healthy ones in green. One view, immediate action.

Breach Detection (HIBP)

Integrated Have I Been Pwned monitoring checks your passwords against known data breaches. Only anonymised hashes leave your device — never the actual password.

Security Audit Log

Every login, share, and password change is recorded with timestamp and device information. Know exactly who accessed what and when — essential for compliance and team accountability.

Password Strength & Entropy

Visual entropy bar with real-time feedback as you type. Colour-coded strength indicator distinguishes numbers, symbols, and letters. Warnings trigger below a minimum entropy threshold.

Manage credentials the way you think

Hierarchical Folders

Organise credentials in nested folders with breadcrumb navigation. Drag-and-drop to move entries. Create deep folder hierarchies for complex organisations.

Full-Text Search

Search across credential names, usernames, and URLs in real time. Server-side search with debouncing keeps results fast even with large vaults.

File Attachments

Attach files to any credential — certificates, SSH keys, recovery codes. Attachments are stored encrypted and downloaded on demand with JWT-protected links.

Custom Fields

Add unlimited custom key-value fields to any credential. Store secret questions, PINs, licence keys, or anything else alongside the standard username and password.

Favourites

Star frequently-used credentials for instant access. Filter the vault to show only favourites in a single tap — on web, iOS, or via the home screen widget.

One-Tap Copy

Copy username, password, or any custom field with a single tap. Clipboard auto-clears after a configurable timeout (15s, 30s, 1 min) to prevent accidental exposure.

Generate strong passwords instantly

A fully configurable password generator is built into every entry point — the web app, iOS app, and the credential creation screen. Configure length, character sets, and ambiguity rules. Generated passwords are colour-coded by character type for easy reading.

  • Length slider from 8 to 64 characters
  • Toggle uppercase, lowercase, digits, and symbols
  • Exclude ambiguous characters (l, 1, O, 0)
  • Live entropy score with visual strength bar
  • Dedicated Generator tab in the iOS app
Password Generator
K4mX$!9rNw@#7vQp%^2jYz
Strong

Share without exposing secrets

User-to-User Sharing

Share individual credentials or entire folders with specific users inside your organisation. Revoke access instantly — no need to change the password.

Public Share Links

Generate a temporary, password-protected share link for any credential. Set an expiry (24h, 7 days, or never) and share it with anyone — no Keestash account required.

Organisations

Group users into organisations and manage access at scale. Assign credentials to organisations so the right teams always have access — even as membership changes.

Role-Based Access

Assign admin, manager, or member roles. Limit who can share, who can delete, and who can invite new users. Fine-grained control without complexity.

Native iOS experience

Face ID / Touch ID

Unlock your vault with biometrics. The master key is stored in the iOS Keychain — encrypted, tied to the device, never transmitted.

AutoFill in Safari & Apps

Keestash integrates with iOS AutoFill. Credentials appear in the keyboard bar when visiting a matching website or app — no copy-paste required.

Home Screen Widget

Add a Keestash widget to your home or lock screen. See recent credentials at a glance and tap to open directly — small and medium sizes supported.

Auto-Lock & Privacy

Configure auto-lock after 30 seconds, 1, 2, or 5 minutes. A blur overlay prevents screenshot leaks. Clipboard auto-clears after use. Security without thinking about it.

Self-Hosted Backend

Point the iOS app at your own Keestash server by entering a custom server URL in Settings. Full data sovereignty — all your devices, your infrastructure.

LDAP / Directory

Self-hosted instances can connect to Active Directory or LDAP. Users authenticate with their existing corporate credentials — no separate account setup required.

The server is open source. Deploy it your way.

The Keestash server is licensed under AGPLv3 and available on GitHub. It runs on any PHP 8.4+ host. The web app and iOS app are proprietary clients that connect to it — use our cloud or point them at your own instance.

PHP 8.4 + Mezzio

Built on PSR-15 middleware with a modular app ecosystem. Runs on any PHP 8.4+ server with MySQL or PostgreSQL. Docker configuration included.

Prometheus Metrics

Built-in Prometheus endpoint for monitoring. Grafana dashboards, alerts, and SLO tracking work out of the box with the included configuration.

Data Export Anytime

Export your entire vault as an encrypted backup at any time. You own your data — moving away from Keestash is always a one-click operation.

OpenAPI / Swagger

Full OpenAPI 3.0 specification with ~60 documented endpoints. Build your own client, integration, or automation on top of the Keestash API.

Rate Limiting

Built-in rate limiting on all API endpoints protects against brute-force attacks. Configurable per-route with Redis-backed counters for high-traffic deployments.

AGPLv3 Open Source

Every line of the server is on GitHub. Fork it, audit it, extend it. The copyleft licence ensures improvements to the network-facing code are always shared back.

Start securing your passwords today.

Free cloud trial — no credit card required. Or deploy the open source server yourself.