Centilio Vault is a self-hosted, zero-knowledge password manager for businesses that don't want their secrets sitting on someone else's server. Your master password and vault data never leave your browser in plaintext. Ever.
Most password managers are a black box. Centilio Vault inverts the relationship: the master password and item plaintext never leave the client. The server holds ciphertexts, BCrypt-stretched login proofs, and nothing else.
Your master password becomes a key in your browser via Argon2id (memory-hard, attack-resistant). The password itself never crosses the wire.
Each vault item gets a random 256-bit DEK. Items are AES-GCM-encrypted in your browser before upload.
If our database is stolen, the attacker gets ciphertexts and the schema. Your secrets stay yours.
The features below are shipping today on every Vault deployment. No premium tier, no upsell. See the full catalog for the rest.
We can't read your vault and we can't lose it for you, because we never have it. Run Vault on your own infrastructure or let us host it — either way, the cryptographic boundary lands in your browser, not our database.
A Chrome MV3 extension fills credentials with a single click. A native companion app gates that with Touch ID or Face ID, and seals the key-encryption-key in your OS keychain when you walk away.
Share credentials inside an organization with role-based access. Every login, every reveal, every share is recorded — searchable, exportable, audit-friendly. Compliance reviews stop being a 3-week archaeology project.
Multi-factor auth is on the vault itself, not bolted on. The built-in generator produces strong passwords that match your org's policy — length, character classes, exclusions — so the weakest link in your security stops being human creativity.
Pick what fits your team. We're not the right answer for everyone — but if these are the trade-offs you care about, you'll find Vault stacks up.
| Feature | Centilio Vault | LastPass | 1Password | Bitwarden |
|---|---|---|---|---|
| Zero-knowledge by architecture | ||||
| Self-hostable | — | — | Yes | |
| Open-source (MIT) | — | — | Yes | |
| Native biometric companion | Mobile only | Mobile only | Mobile only | |
| No degraded free tier | Free self-host | — | — | Limited |
| Audit-log SIEM export | Enterprise | Enterprise | Self-host | |
| Public threat model | — | Partial | ||
| Public security findings log | — | — | — |
Comparison reflects our reading of public docs as of 2026. Don't take our word for it — verify each row.
Full threat model and key-flow diagrams live in the public repo.
| Layer | Mechanism | Details |
|---|---|---|
| Key derivation | Argon2id | m=64 MB, t=3, p=4 — memory-hard, GPU-resistant |
| Item encryption | AES-256-GCM | Per-item DEKs, wrapped under user KEK |
| Key wrapping | HKDF-derived KEK | Org-salted, info-tagged; never leaves the client |
| Server side | BCrypt(SMK) | Login proofs only — never the master key |
| Session | JWT 15 min + refresh 30 d | Short-lived access tokens; refresh rotation |
| Open source | MIT-licensed | Audit the code; vendor independence |
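
The key hierarchy listed above (HKDF-derived KEK, per-item DEK, AES-256-GCM), sketched as an added example with Node's built-in `crypto` module; it is not Centilio Vault's own code. Assumptions not taken from the page: the `iv || tag || ciphertext` layout, the item id used as AAD, the info tag `example-vault/kek/v1`, and random bytes standing in for the Argon2id output.

```javascript
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM with a fresh 96-bit IV; assumed layout: iv || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, AAD, or any ciphertext byte is wrong.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// KEK = HKDF-SHA256(master key, salt = org salt, info = purpose tag).
// masterKey stands in for the Argon2id output; the info tag is hypothetical.
function deriveKek(masterKey, orgSalt) {
  return Buffer.from(hkdfSync("sha256", masterKey, orgSalt, "example-vault/kek/v1", 32));
}

// Client side: random 256-bit DEK per item, item sealed under the DEK,
// DEK sealed under the KEK. Only the returned record would be uploaded.
function encryptItem(kek, itemId, plaintext) {
  const dek = randomBytes(32);
  const aad = Buffer.from(itemId); // binds both ciphertexts to this item id
  return { itemId, wrappedDek: seal(kek, dek, aad), body: seal(dek, Buffer.from(plaintext), aad) };
}

function decryptItem(kek, record) {
  const aad = Buffer.from(record.itemId);
  const dek = open(kek, record.wrappedDek, aad);
  return open(dek, record.body, aad).toString();
}

// Constructed demo values; a real client would feed in the Argon2id output.
const demoKek = deriveKek(randomBytes(32), Buffer.from("constructed-org-salt"));
console.log(decryptItem(demoKek, encryptItem(demoKek, "item-1", "constructed-secret")));
```

A record encrypted this way fails to decrypt under a KEK derived with a different org salt, and also fails if it is replayed under a different item id.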
Quotes from security leads who've put Vault through their procurement process.
“We moved off LastPass after the 2022 breach and shopped every option. Vault was the only one where the security architecture stood up to our pen-test team's review.”
Priya Patel
CISO, mid-market fintech
Tell us about your team and what you're storing today. We'll scope a Vault deployment that fits — managed, self-hosted, or a hybrid in between.
Or email us directly at [email protected]