Security · Credentials

Password Manager

Hardware-backed password manager

Release-with-approval for credentials. Passwords are sealed to the device and released, encrypted in transit, only after you approve.


Last updated Jul 2026

Passport Prime

Credential list

Overview

A hardware-backed password manager that runs natively on Passport Prime. Credentials are sealed to the device and never leave it: the browser remains the client, and Passport releases a password, encrypted in transit, only after you approve the request on-screen.

It exists to show third-party developers that Passport Prime is a general-purpose release-with-approval mechanism, not just a Bitcoin signer. The KeyOS app holds origin-bound credential records; a Chromium MV3 extension detects login forms, verifies the requesting origin authoritatively from the tab URL, and relays release requests over WebUSB. Every release routes through an on-device approval gate.

What it does

  • Credentials sealed at rest with AES-256-GCM under a key derived (HKDF) from the device app seed.
  • Every release routes through an on-device hold-to-confirm screen showing the requesting origin, with an approval timeout; a reject releases nothing.
  • Handles multiple logins per site, with account selection at release time.
  • Origin is derived from sender.tab.url in the background worker, never page-supplied, with exact-origin matching.
  • Encrypted in transit: an X25519 ECDH session derives an AES-256-GCM key, so the secret never crosses USB in plaintext.
  • Portable encrypted backups: export under a PBKDF2-HMAC-SHA256 passphrase key, restore to new hardware without the device seed.
  • WebUSB with no driver install: vendor-class interface with WebUSB + MS OS 2.0 descriptors, claimed natively by Chromium.
  • All credential, origin, session, and protocol logic lives in host-testable logic/ crates.

Technical breakdown

How the proof-of-concept is built, for developers evaluating the platform.

01

Release-with-approval

Records (origin, username, password, label) are sealed under an app-seed-derived key and stored on the KeyOS filesystem. A website login is brokered to the device, which releases the credential only after explicit approval through the Approver trait (logic/vaults-bridge-core/src/approval.rs), the same primitive a Bitcoin signer uses, generalised to arbitrary secrets.

02

Origin verification & session

The MV3 background worker derives the origin from sender.tab.url (strict scheme + host + port, no path) and is the gate against content-script spoofing. Each session is an ephemeral X25519 ECDH handshake → HKDF-SHA256 → AES-256-GCM key, with a per-request monotonic nonce to reject replays. Methods: ping, establish_session, list_origins, list_credentials, release_credential, store_credential, generate_password, cancel.

03

At-rest sealing & backups

The master key (security.app_seed() → HKDF) is held in Zeroizing memory and dropped immediately after keystore construction. Vaults export under a separate PBKDF2-HMAC-SHA256 key from a user passphrase, so a backup survives device loss and is independent of the device seed.

Dig into the source

README, architecture notes, and the wire protocol live in the repo.

BitcoinQnA/passport-passwords
