Crafting ideas into reality.

Our products

We design and build applications that embody our obsession with performance, security, and thoughtful UX. Vault is one of them.

Vault — foreach.studio

Zero-knowledge secrets built for your next launch.

Vault is a cohesive Next.js + Tailwind application with shared TypeScript crypto helpers. Encryption, approvals, and sync all happen in the browser so you launch with best-practice security from day one.


Why Vault stands out

Product-led security expressed through precise, minimal, and purposeful UI decisions.

Zero-knowledge security

Server only sees ciphertext

Master passwords and Vault Keys never leave the browser. Root Keys are derived locally with Argon2id and wrap the entire workspace with AES-GCM.

Always-encrypted sync

Offline-ready

Whole-vault encryption pairs with ETag-based versioning, so cached metadata keeps you working—even without network access.

Device trust you can govern

Per-device approvals

Email-verified magic links approve each browser, mint device-specific API keys, and let you revoke or rename any endpoint instantly.

Rich item templates

Structured + flexible

Purpose-built flows capture logins, payment cards, identities, Wi-Fi credentials, and more, each encrypted before syncing.

Security pillars

Proof-of-possession controls

Every sensitive mutation is signed with an HMAC derived from the vault proof key, preventing tampering.

Minimal server footprint

Only hashed tokens, encrypted blobs, and sync metadata touch SQLite—no plaintext secrets, ever.

Adaptive device governance

Rotate, rename, or revoke per-device API keys at will to restore trust if a device is lost.
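
The proof-of-possession pillar above, sketched as an added example that is not Vault's own code. It assumes the verifier holds the same MAC key and that the signed message covers the method, path, ETag, timestamp and body hash; the HKDF label, field layout and all function names are hypothetical, and Node's `crypto` stands in for the browser's WebCrypto so the block runs offline.

```javascript
// Added example, not Vault's code. Key label, field layout and names are assumptions.
const { createHash, createHmac, hkdfSync, timingSafeEqual } = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window

// Derive a dedicated MAC key so the proof key itself is never used as the HMAC key.
function deriveMacKey(proofKey) {
  return Buffer.from(hkdfSync("sha256", proofKey, Buffer.alloc(0), "mutation-hmac-v1", 32));
}

// Length-prefix every field so two different requests can never serialize identically.
function canonical(req) {
  const bodyHash = createHash("sha256").update(req.body).digest("hex");
  const fields = [req.method, req.path, req.ifMatch, String(req.timestamp), bodyHash];
  return Buffer.concat(fields.map((f) => {
    const b = Buffer.from(f, "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(b.length);
    return Buffer.concat([len, b]);
  }));
}

// Client side: sign the mutation before it is sent.
function signMutation(macKey, req) {
  return createHmac("sha256", macKey).update(canonical(req)).digest("hex");
}

// Verifier side: reject stale timestamps, then compare MACs in constant time.
function verifyMutation(macKey, req, signatureHex, now) {
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return false;
  const expected = createHmac("sha256", macKey).update(canonical(req)).digest();
  const given = Buffer.from(signatureHex, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data: a whole-vault write pinned to the ETag the client last saw.
const proofKey = Buffer.alloc(32, 7);
const macKey = deriveMacKey(proofKey);
const request = {
  method: "PUT", path: "/vault", ifMatch: '"v41"',
  timestamp: 1700000000000, body: "ciphertext-blob",
};
const signature = signMutation(macKey, request);
console.log(verifyMutation(macKey, request, signature, request.timestamp + 1000));
```

Because the ETag and timestamp are inside the MAC input, a captured signature cannot be reused against a different vault version or after the window closes.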

Guided user journey

1. Sign up with confidence

Approve the first device with a magic link, then set a master password that never touches the server.

2. Unlock anywhere

Derive the Root Key locally to decrypt the cached vault bundle and stay productive offline.

3. Add & organize data

Store every credential type with tags and custom fields; every save re-encrypts client-side.

4. Extend to more devices

Request approval from an existing device, mint a new API key, and resume with the same encrypted payload.