Zero-Knowledge Encryption
Your master password is never transmitted or stored. All encryption and decryption happens on your device using AES-256-GCM. Keestash servers only ever store encrypted ciphertext — no keys, no plaintext.
Features
Keestash combines a zero-knowledge server with native clients for web and iOS. Every feature is designed around one principle: your data stays yours.
Core Security
Sync your vault across all devices without exposing plaintext to the server. Data is encrypted on the client before it ever leaves your browser or app.
A live donut chart shows your vault's security posture: breached passwords in red, weak passwords in orange, healthy ones in green. One view, immediate action.
Integrated Have I Been Pwned monitoring checks your passwords against known data breaches. Only anonymised hashes leave your device — never the actual password.
Every login, share, and password change is recorded with timestamp and device information. Know exactly who accessed what and when — essential for compliance and team accountability.
Visual entropy bar with real-time feedback as you type. Colour-coded strength indicator distinguishes numbers, symbols, and letters. Warnings trigger below a minimum entropy threshold.
Vault
Organise credentials in nested folders with breadcrumb navigation. Drag-and-drop to move entries. Create deep folder hierarchies for complex organisations.
Search across credential names, usernames, and URLs in real time. Server-side search with debouncing keeps results fast even with large vaults.
Attach files to any credential — certificates, SSH keys, recovery codes. Attachments are stored encrypted and downloaded on demand with JWT-protected links.
Add unlimited custom key-value fields to any credential. Store secret questions, PINs, licence keys, or anything else alongside the standard username and password.
Star frequently-used credentials for instant access. Filter the vault to show only favourites in a single tap — on web, iOS, or via the home screen widget.
Copy username, password, or any custom field with a single tap. Clipboard auto-clears after a configurable timeout (15s, 30s, 1 min) to prevent accidental exposure.
Generator
A fully configurable password generator is built into every entry point — the web app, iOS app, and the credential creation screen. Configure length, character sets, and ambiguity rules. Generated passwords are colour-coded by character type for easy reading.
Sharing
Share individual credentials or entire folders with specific users inside your organisation. Revoke access instantly — no need to change the password.
Generate a temporary, password-protected share link for any credential. Set an expiry (24h, 7 days, or never) and share it with anyone — no Keestash account required.
Group users into organisations and manage access at scale. Assign credentials to organisations so the right teams always have access — even as membership changes.
Assign admin, manager, or member roles. Limit who can share, who can delete, and who can invite new users. Fine-grained control without complexity.
iOS App
Unlock your vault with biometrics. The master key is stored in the iOS Keychain — encrypted, tied to the device, never transmitted.
Keestash integrates with iOS AutoFill. Credentials appear in the keyboard bar when visiting a matching website or app — no copy-paste required.
Add a Keestash widget to your home or lock screen. See recent credentials at a glance and tap to open directly — small and medium sizes supported.
Configure auto-lock after 30 seconds, 1, 2, or 5 minutes. A blur overlay prevents screenshot leaks. Clipboard auto-clears after use. Security without thinking about it.
Point the iOS app at your own Keestash server by entering a custom server URL in Settings. Full data sovereignty — all your devices, your infrastructure.
Self-hosted instances can connect to Active Directory or LDAP. Users authenticate with their existing corporate credentials — no separate account setup required.
Open Source Server
The Keestash server is licensed under AGPLv3 and available on GitHub. It runs on any PHP 8.4+ host. The web app and iOS app are proprietary clients that connect to it — use our cloud or point them at your own instance.
Built on PSR-15 middleware with a modular app ecosystem. Runs on any PHP 8.4+ server with MySQL or PostgreSQL. Docker configuration included.
Built-in Prometheus endpoint for monitoring. Grafana dashboards, alerts, and SLO tracking work out of the box with the included configuration.
Export your entire vault as an encrypted backup at any time. You own your data — moving away from Keestash is always a one-click operation.
Full OpenAPI 3.0 specification with ~60 documented endpoints. Build your own client, integration, or automation on top of the Keestash API.
Built-in rate limiting on all API endpoints protects against brute-force attacks. Configurable per-route with Redis-backed counters for high-traffic deployments.
Every line of the server is on GitHub. Fork it, audit it, extend it. The copyleft licence ensures improvements to the network-facing code are always shared back.