The server that stores your secrets is cryptographically incapable of reading them. Gako guarantees privacy by design, not by promise.
Gako stores passwords, API keys, certificates, and notes encrypted end-to-end. Everything that touches plaintext happens on your device; the server holds only opaque ciphertext. A complete compromise of the server — its database, its backups, or its administrators — reveals nothing about what your secrets contain.
Engineered with a relentless focus on cryptographic transparency, reliable performance, and simplified self-hosting.
No plaintext, no secret keys, and no means to derive them ever reach the server. What the server can and cannot see is explicitly enumerated, not hand-waved.
Removing someone's access is immediate and server-side — no re-encryption, no waiting on other clients, no shared keys to rotate.
Know exactly which secrets a departing user has seen, so you rotate what actually needs rotating — a concrete worklist instead of vague unease.
XChaCha20-Poly1305, X25519, Ed25519, and Argon2id, composed in well-trodden ways. No exotic cryptography in the core.
Every secret is signed by the device that wrote it and verified by every client that reads it. A server that forges, alters, or rolls back data gets caught by your clients — not trusted.
One static binary serves both the API and the web app; it needs nothing but a data directory. Your secrets stay on your infrastructure — and unreadable even there.
From one user on one machine to a large organization with fine-grained, per-secret access control — same architecture, same security model.
Web, CLI, desktop, mobile, and browser extension — one cryptographic core shared by all, audited once instead of five times.
Zero-knowledge applies strictly to your secrets' content — not to all metadata. We map out the exact boundaries so you can perform real threat modeling.
What the server can see:
The raw encrypted byte streams and their bucketed, padded approximate sizes.
The structural map of which user identities hold read or write access to each encrypted secret.
Logs of when each client device authenticates, fetches, or pushes secret updates.
What the server never sees:
Passwords, API keys, certificate values, usernames, URLs, and custom notes are strictly unreadable.
Authentication sends the server only a one-way hash of your password, never the password itself or the encryption key derived from it, so even a complete compromise of the server yields nothing that can decrypt user data.
The fundamental design rule of Gako is that the server is never sent any private key capable of decrypting the records it hosts.
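As an added illustration, not Gako's own code or record format, the following client-side envelope realises the properties described above: plaintext is padded to a size bucket so the server only learns an approximate length, encrypted under a record key the server never receives, and signed by the writing device with the secret id and version bound in, so a forged, altered, or rolled-back record is rejected by the reading client. It assumes the `cryptography` package and uses its 96-bit-nonce ChaCha20-Poly1305 in place of XChaCha20-Poly1305; the bucket size, the envelope field names and the version-based rollback check are assumptions.

```python
import os, struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

BUCKET = 256  # assumed bucket size: the server only learns the padded length, not the real one

def pad(plaintext: bytes) -> bytes:
    # Length-prefix the plaintext, then zero-fill to the next bucket boundary.
    body = struct.pack(">I", len(plaintext)) + plaintext
    return body + b"\x00" * (-len(body) % BUCKET)

def unpad(padded: bytes) -> bytes:
    return padded[4:4 + struct.unpack(">I", padded[:4])[0]]

def seal(record_key, device_key, secret_id, version, plaintext):
    # Runs entirely on the client; the record key and device key never leave it.
    nonce = os.urandom(12)
    aad = f"{secret_id}:{version}".encode()  # bound into the AEAD tag and the signature
    ct = ChaCha20Poly1305(record_key).encrypt(nonce, pad(plaintext), aad)
    sig = device_key.sign(aad + nonce + ct)  # the device signs the ciphertext, never the plaintext
    return {"id": secret_id, "version": version, "nonce": nonce, "ct": ct, "sig": sig}

def open_envelope(record_key, device_pub, env, last_seen_version):
    aad = f"{env['id']}:{env['version']}".encode()
    device_pub.verify(env["sig"], aad + env["nonce"] + env["ct"])  # InvalidSignature if forged or altered
    if env["version"] < last_seen_version:
        raise ValueError("rollback: server returned an older version than this client already saw")
    return unpad(ChaCha20Poly1305(record_key).decrypt(env["nonce"], env["ct"], aad))

def rejects(exc, fn, *args):
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo():
    # Constructed sample: one record key and one device key, both generated client-side.
    record_key, device = ChaCha20Poly1305.generate_key(), Ed25519PrivateKey.generate()
    pub = device.public_key()
    v1 = seal(record_key, device, "db-password", 1, b"hunter2")
    v2 = seal(record_key, device, "db-password", 2, b"a much longer replacement password value")
    forged = dict(v2, ct=bytes([v2["ct"][0] ^ 1]) + v2["ct"][1:])  # a server flips one ciphertext bit
    return {
        "plain": open_envelope(record_key, pub, v2, 1),
        "same_size": len(v1["ct"]) == len(v2["ct"]),  # server sees one bucketed size for both
        "tamper_caught": rejects(InvalidSignature, open_envelope, record_key, pub, forged, 1),
        "rollback_caught": rejects(ValueError, open_envelope, record_key, pub, v1, 2),  # v1 replayed
    }
```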
A single unified cryptographic architecture serves three distinct use profiles.
A fast, offline-first, private vault for individual credentials. Sync encrypted records safely over your self-hosted Gako instance with desktop, mobile, and web clients.
Secure secret collaboration across workspaces and departments. Enjoy fine-grained cryptographic role-based access control, cryptographic key isolation, and auditable trails.
Inject application secrets dynamically into container environments, CI/CD pipelines, and cloud instances, eliminating hard-coded environment files.
Gako is currently active in the design and prototyping phase. We are committed to an open, peer-reviewed, and fully transparent specification.