Open Source · Self-Hostable · AGPL-3.0

Your passwords live here.Not on someone else's server.

Tengen is a self-hostable password manager. Encrypted at rest, runs on your machine, never leaves your network. Open source, always.

Self Host in 2 Minutes View on GitHub

Open Source ·AGPL-3.0 ·Built with FastAPI + React

AES-256-GCM Encrypted

100% Self Hosted

Open Source

No Cloud. Ever.

Docker Ready

Everything you need. Nothing you don't.

Tengen keeps things simple. No subscriptions, no telemetry, no nonsense.

Encrypted at Rest

AES-256-GCM encryption. Your master password never leaves your device.

Self Hosted

Runs entirely on your machine via Docker. Data never touches external servers.

Password Generator

Generate strong, customisable passwords instantly.

Strength Checker

Real-time password strength analysis powered by zxcvbn.

Breach Detection

HaveIBeenPwned integration. Know instantly if your passwords are compromised.

Tags & Filters

Organise your vault with tags, search, and sorting.

Dark & Light Mode

Because your eyes matter.

Docker Ready

One command. `docker compose up`. That's it.

Open Source

Fully auditable. No black boxes. Trust the code, not the promise.

Simple by design.

No SaaS accounts. No cloud setup. Just three steps.

Deploy

Pull the Docker image. Run docker compose up. Done in under 2 minutes.

$docker compose up -d

Set Up

Create your username and master password. Your encryption key is derived locally, never stored.

$# Runs at localhost:3000

Use It

Add passwords, generate new ones, check for breaches. Your data stays yours.

$# Your vault. Your machine.

Paranoid about security. By design.

Here's exactly how your data is protected. No marketing fluff.

Master password never stored

It's used only in memory to derive your encryption key. We don't store it, we can't retrieve it.

Argon2id key derivation

The gold standard for password hashing. Resistant to GPU and ASIC attacks.

AES-256-GCM encryption

Every vault entry is individually encrypted with authenticated encryption.

Unique IV per entry

No patterns, no shortcuts. Each encryption is completely independent.

Stolen database = useless

Even if someone takes your database file, it's mathematically useless without your master password.

encryption-flow.txt

Master Password
  │
  ├─ Argon2id + Salt A ──► Auth Hash (stored)
  │
  └─ Argon2id + Salt B ──► Encryption Key
                                  │         (memory only)
                          AES-256-GCM + IV
                                  │
                          Encrypted Vault Entry

Zero-knowledge architecture. Tengen operates on your machine. There are no external APIs involved in encryption or decryption.

Up and running in 2 minutes.

No cloud accounts. No API keys. Just Docker.

zsh

$git clone https://github.com/smadabat1/Tengen

$cd tengen

$cp .env.example .env

$docker compose up -d

▶Running on http://localhost:3000

Open and you're done

Navigate to http://localhost:3000 and create your vault.

Your data, your disk

Vault lives in /app/data/tengen.db on your machine. That's it.

Open source. Always.

Tengen is licensed under AGPL-3.0. Every line of code is public. Audit it, fork it, contribute to it. Security software should never be a black box.

Star on GitHub Buy me a coffee

If Tengen saves you time or gives you peace of mind, any support is appreciated.