diff --git a/rust/vetkeys/password_manager/README.md b/rust/vetkeys/password_manager/README.md
new file mode 100644
index 000000000..d44ee8663
--- /dev/null
+++ b/rust/vetkeys/password_manager/README.md
@@ -0,0 +1,59 @@
+# VetKey Password Manager
+
+| Motoko backend | [![](https://icp.ninja/assets/open.svg)](http://icp.ninja/editor?g=https://github.com/dfinity/examples/tree/master/rust/vetkeys/password_manager/motoko)|
+| --- | --- |
+| Rust backend | [![](https://icp.ninja/assets/open.svg)](http://icp.ninja/editor?g=https://github.com/dfinity/examples/tree/master/rust/vetkeys/password_manager/rust) |
+
+The **VetKey Password Manager** is an example application demonstrating how to use **VetKeys** and **Encrypted Maps** to build a secure, decentralized password manager on the **Internet Computer (IC)**. This application allows users to create password vaults, store encrypted passwords, and share vaults with other users via their **Internet Identity Principal**.
+
+## Features
+
+- **Secure Password Storage**: Uses VetKey to encrypt passwords before storing them in Encrypted Maps.
+- **Vault-Based Organization**: Users can create multiple vaults, each containing multiple passwords.
+- **Access Control**: Vaults can be shared with other users via their **Internet Identity Principal**.
+
+## Setup
+
+### Prerequisites
+
+- [Local Internet Computer dev environment](https://internetcomputer.org/docs/building-apps/getting-started/install)
+- [npm](https://www.npmjs.com/package/npm)
+
+### (Optionally) Choose a Different Master Key
+
+This example uses `test_key_1` by default. To use a different [available master key](https://internetcomputer.org/docs/building-apps/network-features/vetkeys/api#available-master-keys), change the `"init_arg": "(\"test_key_1\")"` line in `dfx.json` to the desired key before running `dfx deploy` in the next step.
+
+### Deploy the Canisters Locally
+If you want to deploy this project locally with a Motoko backend, then run:
+```bash
+dfx start --background && dfx deploy
+```
+from the `motoko` folder.
+
+To use the Rust backend instead of Motoko, run the same command in the `rust` folder.
+
+## Running the Project
+
+### Backend
+
+The backend consists of an **Encrypted Maps**-enabled canister that securely stores passwords. It is automatically deployed with `dfx deploy`.
+
+### Frontend
+
+The frontend is a **Svelte** application providing a user-friendly interface for managing vaults and passwords.
+
+To run the frontend in development mode with hot reloading:
+
+```bash
+npm run dev
+```
+
+## Limitations
+
+This example dapp does not implement key rotation, which is strongly recommended in a production environment.
+Key rotation involves periodically changing encryption keys and re-encrypting data to enhance security.
+In a production dapp, key rotation would be useful to limit the impact of potential key compromise if a malicious party gains access to a key, or to limit access when users are added or removed from note sharing.
+
+## Additional Resources
+
+- **[Password Manager with Metadata](../password_manager_with_metadata/)** - If you need to store additional metadata alongside passwords.
diff --git a/rust/vetkeys/password_manager/frontend/.prettierignore b/rust/vetkeys/password_manager/frontend/.prettierignore
new file mode 100644
index 000000000..987c28939
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/.prettierignore
@@ -0,0 +1,7 @@
+# Ignore artifacts:
+build
+coverage
+dist
+README.md
+**/declarations/
+
diff --git a/rust/vetkeys/password_manager/frontend/.prettierrc b/rust/vetkeys/password_manager/frontend/.prettierrc
new file mode 100644
index 000000000..2b9bd83ee
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/.prettierrc
@@ -0,0 +1,5 @@
+{
+    "plugins": ["prettier-plugin-svelte"],
+    "tabWidth": 4,
+    "overrides": [{ "files": ["*.svelte"], "options": { "parser": "svelte" } }]
+}
diff --git a/rust/vetkeys/password_manager/frontend/README.md b/rust/vetkeys/password_manager/frontend/README.md
new file mode 100644
index 000000000..134a1abb0
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/README.md
@@ -0,0 +1,17 @@
+# VetKD Password Manager frontend
+Uses the defaults provided by the devkit to implement a VetKD-based password
+manager. This utilizes the encrypted maps canister example to realize the
+password manager, i.e., there is no dedicated canister implementation, only the
+frontend implementation that uses all defaults from the SDK.
+
+## Step 1: Deploy `encrypted_maps_example` canister and the internet identity canister.
+
+## Step 2: Tell `frontend` what canisters to communicate with, so the following environment variables must be defined. For a local deployment, one can run `deploy_locally.sh` from that folder.
+* `CANISTER_ID_IC_VETKEYS_ENCRYPTED_MAPS_CANISTER`
+
+## Step 3: Deploy frontend. This returns a link that can be used to access the frontend from the asset canister.
+```shell
+dfx deploy www
+```
+Note: if this returns a URL with the IP `0.0.0.0` and the fronetned does not
+work, a potential fix is to replace it with `localhost`.
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/frontend/eslint.config.mjs b/rust/vetkeys/password_manager/frontend/eslint.config.mjs
new file mode 100644
index 000000000..96aee8e5c
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/eslint.config.mjs
@@ -0,0 +1,56 @@
+// @ts-check
+
+import eslint from "@eslint/js";
+import eslintPluginPrettierRecommended from "eslint-plugin-prettier/recommended";
+import globals from "globals";
+import tseslint from "typescript-eslint";
+import svelteConfig from "./svelte.config.js";
+import svelte from "eslint-plugin-svelte";
+
+export default tseslint.config(
+    eslint.configs.recommended,
+    tseslint.configs.recommendedTypeChecked,
+    ...svelte.configs.recommended,
+    eslintPluginPrettierRecommended,
+    {
+        languageOptions: {
+            parserOptions: {
+                projectService: {
+                    defaultProject: "./tsconfig.json",
+                },
+                tsconfigRootDir: import.meta.dirname,
+            },
+            globals: {
+                ...globals.browser,
+                ...globals.es2020,
+            },
+        },
+    },
+    {
+        files: ["**/*.svelte", "**/*.svelte.ts", "**/*.svelte.js"],
+        languageOptions: {
+            parserOptions: {
+                projectService: true,
+                extraFileExtensions: [".svelte"],
+                parser: tseslint.parser,
+                svelteConfig,
+            },
+        },
+    },
+    {
+        ignores: [
+            "dist/",
+            "src/declarations",
+            "*.config.js",
+            "*.config.cjs",
+            "*.config.mjs",
+            "*.config.ts",
+        ],
+    },
+    {
+        rules: {
+            "@typescript-eslint/no-unsafe-argument": "off",
+            "@typescript-eslint/no-unsafe-member-access": "off",
+        },
+    },
+);
diff --git a/rust/vetkeys/password_manager/frontend/index.html b/rust/vetkeys/password_manager/frontend/index.html
new file mode 100644
index 000000000..89d2ddc2a
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/index.html
@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+        <title>VetKeys Password Manager</title>
+    </head>
+    <body>
+        <div id="app"></div>
+        <script type="module" src="/src/main.ts"></script>
+        <link rel="stylesheet" href="./bundle.css" />
+    </body>
+</html>
diff --git a/rust/vetkeys/password_manager/frontend/package.json b/rust/vetkeys/password_manager/frontend/package.json
new file mode 100644
index 000000000..2c2bd3812
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/package.json
@@ -0,0 +1,47 @@
+{
+  "name": "password-manager-frontend",
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "lint": "eslint",
+    "prettier": "prettier --write .",
+    "prettier-check": "prettier --check .",
+    "preview": "vite preview"
+  },
+  "devDependencies": {
+    "@rollup/plugin-typescript": "^12.1.2",
+    "@tsconfig/svelte": "^5.0.4",
+    "@typewriter/delta": "^1.2.4",
+    "daisyui": "^4.12.23",
+    "eslint-config-prettier": "^10.1.5",
+    "eslint-plugin-prettier": "^5.2.6",
+    "eslint-plugin-svelte": "^3.5.1",
+    "globals": "^16.0.0",
+    "prettier-plugin-svelte": "^3.4.0",
+    "svelte": "^4.2.19",
+    "tslib": "^2.8.1",
+    "typescript-eslint": "^8.35.1",
+    "vite": "^5.4.21",
+    "vite-plugin-environment": "^1.1.3"
+  },
+  "dependencies": {
+    "@dfinity/agent": "^2.3.0",
+    "@dfinity/auth-client": "^2.3.0",
+    "@dfinity/candid": "^2.3.0",
+    "@dfinity/identity": "^2.3.0",
+    "@dfinity/principal": "^2.3.0",
+    "@dfinity/vetkeys": "^0.3.0",
+    "@popperjs/core": "^2.11.8",
+    "@sveltejs/vite-plugin-svelte": "^3.0.2",
+    "@tailwindcss/postcss": "^4.0.6",
+    "@tailwindcss/vite": "^4.0.0",
+    "autoprefixer": "^10.4.20",
+    "rollup-plugin-css-only": "^4.5.2",
+    "svelte-icons": "^2.1.0",
+    "svelte-spa-router": "^4.0.1",
+    "tailwindcss": "^3.0.17",
+    "typewriter-editor": "^0.9.4"
+  }
+}
diff --git a/rust/vetkeys/password_manager/frontend/public/.ic-assets.json5 b/rust/vetkeys/password_manager/frontend/public/.ic-assets.json5
new file mode 100644
index 000000000..a57140a5e
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/public/.ic-assets.json5
@@ -0,0 +1,10 @@
+[
+    {
+        match: "**/*",
+        security_policy: "hardened",
+        headers: {
+            "Content-Security-Policy": "default-src 'self';script-src 'self';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+        },
+        allow_raw_access: false
+    },
+]
diff --git a/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-dark-text.png b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-dark-text.png
new file mode 100644
index 000000000..1a227a2b0
Binary files /dev/null and b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-dark-text.png differ
diff --git a/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-white-text.png b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-white-text.png
new file mode 100644
index 000000000..e1da19855
Binary files /dev/null and b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_label-stripe-white-text.png differ
diff --git a/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-dark-text.png b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-dark-text.png
new file mode 100644
index 000000000..90029c464
Binary files /dev/null and b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-dark-text.png differ
diff --git a/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-white-text.png b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-white-text.png
new file mode 100644
index 000000000..f1a2d8081
Binary files /dev/null and b/rust/vetkeys/password_manager/frontend/public/img/ic-badge-powered-by-crypto_transparent-white-text.png differ
diff --git a/rust/vetkeys/password_manager/frontend/public/vite.svg b/rust/vetkeys/password_manager/frontend/public/vite.svg
new file mode 100644
index 000000000..e7b8dfb1b
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/public/vite.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="31.88" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 257"><defs><linearGradient id="IconifyId1813088fe1fbc01fb466" x1="-.828%" x2="57.636%" y1="7.652%" y2="78.411%"><stop offset="0%" stop-color="#41D1FF"></stop><stop offset="100%" stop-color="#BD34FE"></stop></linearGradient><linearGradient id="IconifyId1813088fe1fbc01fb467" x1="43.376%" x2="50.316%" y1="2.242%" y2="89.03%"><stop offset="0%" stop-color="#FFEA83"></stop><stop offset="8.333%" stop-color="#FFDD35"></stop><stop offset="100%" stop-color="#FFA800"></stop></linearGradient></defs><path fill="url(#IconifyId1813088fe1fbc01fb466)" d="M255.153 37.938L134.897 252.976c-2.483 4.44-8.862 4.466-11.382.048L.875 37.958c-2.746-4.814 1.371-10.646 6.827-9.67l120.385 21.517a6.537 6.537 0 0 0 2.322-.004l117.867-21.483c5.438-.991 9.574 4.796 6.877 9.62Z"></path><path fill="url(#IconifyId1813088fe1fbc01fb467)" d="M185.432.063L96.44 17.501a3.268 3.268 0 0 0-2.634 3.014l-5.474 92.456a3.268 3.268 0 0 0 3.997 3.378l24.777-5.718c2.318-.535 4.413 1.507 3.936 3.838l-7.361 36.047c-.495 2.426 1.782 4.5 4.151 3.78l15.304-4.649c2.372-.72 4.652 1.36 4.15 3.788l-11.698 56.621c-.732 3.542 3.979 5.473 5.943 2.437l1.313-2.028l72.516-144.72c1.215-2.423-.88-5.186-3.54-4.672l-25.505 4.922c-2.396.462-4.435-1.77-3.759-4.114l16.646-57.705c.677-2.35-1.37-4.583-3.769-4.113Z"></path></svg>
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/frontend/src/App.svelte b/rust/vetkeys/password_manager/frontend/src/App.svelte
new file mode 100644
index 000000000..ed34e5e20
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/App.svelte
@@ -0,0 +1,13 @@
+<script lang="ts">
+    import Hero from "./components/Hero.svelte";
+    import LayoutAuthenticated from "./components/LayoutAuthenticated.svelte";
+    import Notifications from "./components/Notifications.svelte";
+    import { auth } from "./store/auth";
+</script>
+
+{#if $auth.state === "initialized"}
+    <LayoutAuthenticated />
+{:else}
+    <Hero auth={$auth} />
+{/if}
+<Notifications />
diff --git a/rust/vetkeys/password_manager/frontend/src/app.css b/rust/vetkeys/password_manager/frontend/src/app.css
new file mode 100644
index 000000000..b5c61c956
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/app.css
@@ -0,0 +1,3 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
diff --git a/rust/vetkeys/password_manager/frontend/src/assets/svelte.svg b/rust/vetkeys/password_manager/frontend/src/assets/svelte.svg
new file mode 100644
index 000000000..c5e08481f
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/assets/svelte.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="26.6" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 308"><path fill="#FF3E00" d="M239.682 40.707C211.113-.182 154.69-12.301 113.895 13.69L42.247 59.356a82.198 82.198 0 0 0-37.135 55.056a86.566 86.566 0 0 0 8.536 55.576a82.425 82.425 0 0 0-12.296 30.719a87.596 87.596 0 0 0 14.964 66.244c28.574 40.893 84.997 53.007 125.787 27.016l71.648-45.664a82.182 82.182 0 0 0 37.135-55.057a86.601 86.601 0 0 0-8.53-55.577a82.409 82.409 0 0 0 12.29-30.718a87.573 87.573 0 0 0-14.963-66.244"></path><path fill="#FFF" d="M106.889 270.841c-23.102 6.007-47.497-3.036-61.103-22.648a52.685 52.685 0 0 1-9.003-39.85a49.978 49.978 0 0 1 1.713-6.693l1.35-4.115l3.671 2.697a92.447 92.447 0 0 0 28.036 14.007l2.663.808l-.245 2.659a16.067 16.067 0 0 0 2.89 10.656a17.143 17.143 0 0 0 18.397 6.828a15.786 15.786 0 0 0 4.403-1.935l71.67-45.672a14.922 14.922 0 0 0 6.734-9.977a15.923 15.923 0 0 0-2.713-12.011a17.156 17.156 0 0 0-18.404-6.832a15.78 15.78 0 0 0-4.396 1.933l-27.35 17.434a52.298 52.298 0 0 1-14.553 6.391c-23.101 6.007-47.497-3.036-61.101-22.649a52.681 52.681 0 0 1-9.004-39.849a49.428 49.428 0 0 1 22.34-33.114l71.664-45.677a52.218 52.218 0 0 1 14.563-6.398c23.101-6.007 47.497 3.036 61.101 22.648a52.685 52.685 0 0 1 9.004 39.85a50.559 50.559 0 0 1-1.713 6.692l-1.35 4.116l-3.67-2.693a92.373 92.373 0 0 0-28.037-14.013l-2.664-.809l.246-2.658a16.099 16.099 0 0 0-2.89-10.656a17.143 17.143 0 0 0-18.398-6.828a15.786 15.786 0 0 0-4.402 1.935l-71.67 45.674a14.898 14.898 0 0 0-6.73 9.975a15.9 15.9 0 0 0 2.709 12.012a17.156 17.156 0 0 0 18.404 6.832a15.841 15.841 0 0 0 4.402-1.935l27.345-17.427a52.147 52.147 0 0 1 14.552-6.397c23.101-6.006 47.497 3.037 61.102 22.65a52.681 52.681 0 0 1 9.003 39.848a49.453 49.453 0 0 1-22.34 33.12l-71.664 45.673a52.218 52.218 0 0 1-14.563 6.398"></path></svg>
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Disclaimer.svelte b/rust/vetkeys/password_manager/frontend/src/components/Disclaimer.svelte
new file mode 100644
index 000000000..2ded84f8f
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Disclaimer.svelte
@@ -0,0 +1,26 @@
+<script lang="ts">
+    import { fly } from "svelte/transition";
+    import DisclaimerCopy from "./DisclaimerCopy.svelte";
+    let isDismissed = !!window.localStorage.getItem("disclaimer-dismissed");
+
+    function dismiss() {
+        window.localStorage.setItem("disclaimer-dismissed", "yes");
+        isDismissed = true;
+    }
+</script>
+
+{#if !isDismissed}
+    <div
+        class="sticky bottom-0 p-4 text-xs bg-base-300 mt-4 sm:flex"
+        out:fly={{ y: 50 }}
+    >
+        <p class="opacity-90 sm:flex-1">
+            <DisclaimerCopy />
+        </p>
+
+        <button
+            class="btn btn-outline btn-xs sm:btn-sm sm:self-start mt-4 sm:mt-0 sm:ml-4 opacity-90"
+            on:click={dismiss}>I understand</button
+        >
+    </div>
+{/if}
diff --git a/rust/vetkeys/password_manager/frontend/src/components/DisclaimerCopy.svelte b/rust/vetkeys/password_manager/frontend/src/components/DisclaimerCopy.svelte
new file mode 100644
index 000000000..336ffde7d
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/DisclaimerCopy.svelte
@@ -0,0 +1,5 @@
+<script lang="ts"></script>
+
+<strong>Disclaimer:</strong> This sample dapp is intended exclusively for experimental
+purpose. You are advised not to use this dapp for storing your critical data such
+as keys or passwords.
diff --git a/rust/vetkeys/password_manager/frontend/src/components/EditPassword.svelte b/rust/vetkeys/password_manager/frontend/src/components/EditPassword.svelte
new file mode 100644
index 000000000..73cc65f46
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/EditPassword.svelte
@@ -0,0 +1,309 @@
+<script lang="ts">
+    import { replace, location, link } from "svelte-spa-router";
+    import { Editor, placeholder } from "typewriter-editor";
+    import { type PasswordModel } from "../lib/password";
+    import {
+        vaultsStore,
+        refreshVaults,
+        updatePassword,
+    } from "../store/vaults";
+    import Header from "./Header.svelte";
+    import PasswordEditor from "./PasswordEditor.svelte";
+    // @ts-expect-error: svelte-icons have some problems with ts declarations
+    import Trash from "svelte-icons/fa/FaTrash.svelte";
+    import { addNotification, showError } from "../store/notifications";
+    import { auth } from "../store/auth";
+    import Spinner from "./Spinner.svelte";
+    import { onDestroy } from "svelte";
+    import { Principal } from "@dfinity/principal";
+    import type { AccessRights } from "@dfinity/vetkeys/encrypted_maps";
+
+    export let currentRoute = "";
+    const unsubscribe = location.subscribe((value) => {
+        currentRoute = value;
+    });
+    onDestroy(unsubscribe);
+
+    export let vaultOwner = "";
+
+    let editedPassword: PasswordModel = {
+        parentVaultName: "",
+        owner: Principal.managementCanister(),
+        passwordName: "",
+        content: "",
+    };
+    let originalPassword: PasswordModel;
+    let editor: Editor;
+    let updating = false;
+    let deleting = false;
+    let accessRights: AccessRights = { Read: null };
+
+    async function save() {
+        if (
+            $auth.state !== "initialized" ||
+            $vaultsStore.state !== "loaded" ||
+            vaultOwner.length === 0 ||
+            !originalPassword
+        ) {
+            return;
+        }
+
+        editedPassword.owner = Principal.fromText(vaultOwner);
+
+        let move = false;
+
+        if (
+            editedPassword.parentVaultName !==
+                originalPassword.parentVaultName ||
+            editedPassword.owner.compareTo(originalPassword.owner) !== "eq"
+        ) {
+            move = true;
+            // user should have access in the new vault
+            const vault = $vaultsStore.list.find(
+                (v) =>
+                    v.owner.compareTo(editedPassword.owner) === "eq" &&
+                    v.name === editedPassword.parentVaultName,
+            );
+            const me = $auth.client.getIdentity().getPrincipal();
+            const accessRights =
+                vault && vault.users.find((u) => u[0].compareTo(me) === "eq");
+            const authorized = accessRights && "Read" in accessRights[1];
+
+            if (editedPassword.owner.compareTo(me) !== "eq" && !authorized) {
+                addNotification({
+                    type: "error",
+                    message: "unauthorized",
+                });
+                return;
+            }
+        } else if (
+            editedPassword.passwordName != originalPassword.passwordName
+        ) {
+            move = true;
+        } else {
+            move = false;
+        }
+        const html = editor.getText();
+        updating = true;
+
+        if (move) {
+            await $auth.encryptedMaps
+                .removeEncryptedValue(
+                    originalPassword.owner,
+                    new TextEncoder().encode(originalPassword.parentVaultName),
+                    new TextEncoder().encode(originalPassword.passwordName),
+                )
+                .catch((e) => {
+                    deleting = false;
+                    showError(e, "Could not delete password for moving it.");
+                    return;
+                });
+
+            await updatePassword(
+                {
+                    ...editedPassword,
+                    content: html,
+                },
+                $auth.encryptedMaps,
+            )
+                .catch((e) => {
+                    showError(e, "Could not update password.");
+                })
+                .finally(() => {
+                    updating = false;
+                });
+        } else {
+            await updatePassword(
+                {
+                    ...editedPassword,
+                    content: html,
+                },
+                $auth.encryptedMaps,
+            )
+                .catch((e) => {
+                    showError(e, "Could not update password.");
+                })
+                .finally(() => {
+                    updating = false;
+                });
+        }
+
+        addNotification({
+            type: "success",
+            message: "Password saved successfully",
+        });
+
+        await refreshVaults($auth.encryptedMaps).catch((e) =>
+            showError(e, "Could not refresh passwords."),
+        );
+
+        if (move) {
+            void replace(
+                "/edit/vaults/" +
+                    editedPassword.owner.toText() +
+                    "/" +
+                    editedPassword.parentVaultName +
+                    "/" +
+                    editedPassword.passwordName,
+            );
+        }
+    }
+
+    async function deletePassword() {
+        if ($auth.state !== "initialized") {
+            return;
+        }
+        deleting = true;
+        await $auth.encryptedMaps
+            .removeEncryptedValue(
+                editedPassword.owner,
+                new TextEncoder().encode(editedPassword.parentVaultName),
+                new TextEncoder().encode(editedPassword.passwordName),
+            )
+            .catch((e) => {
+                deleting = false;
+                showError(e, "Could not delete password.");
+            });
+
+        await refreshVaults($auth.encryptedMaps)
+            .catch((e) => showError(e, "Could not refresh passwords."))
+            .finally(() => {
+                addNotification({
+                    type: "success",
+                    message: "Password deleted successfully",
+                });
+                void replace("/vaults");
+            });
+    }
+
+    $: {
+        if (
+            $vaultsStore.state === "loaded" &&
+            editedPassword.passwordName.length === 0 &&
+            currentRoute.split("/").length > 2 &&
+            $auth.state === "initialized"
+        ) {
+            const split = currentRoute.split("/");
+            vaultOwner = split[split.length - 3];
+            const parentVaultName = split[split.length - 2];
+            const passwordName = split[split.length - 1];
+            const searchedForPassword = $vaultsStore.list
+                .find(
+                    (v) =>
+                        v.owner.compareTo(Principal.fromText(vaultOwner)) ===
+                            "eq" && v.name === parentVaultName,
+                )
+                ?.passwords.find((p) => p[0] === passwordName);
+
+            if (searchedForPassword) {
+                editedPassword = { ...searchedForPassword[1] };
+            }
+
+            const myPrincipal = $auth.client.getIdentity().getPrincipal();
+
+            if (editedPassword.owner.compareTo(myPrincipal) === "eq") {
+                accessRights = { ReadWriteManage: null };
+            } else {
+                const foundAccessRights = $vaultsStore.list
+                    .find(
+                        (v) =>
+                            v.owner.compareTo(editedPassword.owner) === "eq" &&
+                            v.name === editedPassword.parentVaultName,
+                    )
+                    ?.users.find((u) => u[0].compareTo(myPrincipal) === "eq");
+
+                if (foundAccessRights) {
+                    accessRights = foundAccessRights[1];
+                }
+            }
+
+            editor = new Editor({
+                modules: {
+                    placeholder: placeholder("Start typing..."),
+                },
+                html: editedPassword.content,
+            });
+
+            originalPassword = { ...editedPassword };
+        }
+    }
+</script>
+
+{#if editedPassword.parentVaultName.length > 0}
+    <Header>
+        <span slot="title"> Edit password </span>
+        <button
+            slot="actions"
+            class="btn btn-ghost {deleting ? 'loading' : ''} {'Read' in
+                accessRights}
+                ? 'hidden'
+                : ''}"
+            on:click={deletePassword}
+            disabled={updating || deleting}
+        >
+            {#if !deleting}
+                <span class="w-6 h-6 p-1"><Trash /></span>
+            {/if}
+
+            {deleting ? "Deleting..." : ""}
+        </button>
+    </Header>
+    <main class="p-4">
+        {#if $vaultsStore.state === "loaded"}
+            <div class="mb-3">
+                <input
+                    type="text"
+                    bind:value={vaultOwner}
+                    placeholder="Enter vault owner"
+                    class="input input-bordered w-full mb-3"
+                />
+                <input
+                    type="text"
+                    bind:value={editedPassword.parentVaultName}
+                    placeholder="Enter vault name"
+                    class="input input-bordered w-full"
+                />
+                <input
+                    type="text"
+                    bind:value={editedPassword.passwordName}
+                    placeholder="Enter password name"
+                    class="input input-bordered w-full"
+                />
+            </div>
+            <PasswordEditor
+                {editor}
+                disabled={updating || deleting}
+                class="mb-3"
+            />
+
+            <a
+                href={`/vaults/${editedPassword.owner.toText()}/${editedPassword.parentVaultName}`}
+                use:link
+                class="btn btn-primary"
+            >
+                Back
+            </a>
+
+            <button
+                class="btn mt-4 btn-primary {updating ? 'loading' : ''}"
+                disabled={updating || deleting}
+                on:click={save}>{updating ? "Saving..." : "Save"}</button
+            >
+            <hr class="mt-10" />
+        {:else if $vaultsStore.state === "loading"}
+            Loading password...
+        {/if}
+    </main>
+{:else}
+    <Header>
+        <span slot="title"> Edit password </span>
+    </Header>
+    <main class="p-4">
+        {#if $vaultsStore.state === "loading"}
+            <Spinner />
+            Loading password...
+        {:else if $vaultsStore.state === "loaded"}
+            <div class="alert alert-error">Could not find password.</div>
+        {/if}
+    </main>
+{/if}
diff --git a/rust/vetkeys/password_manager/frontend/src/components/EditVault.svelte b/rust/vetkeys/password_manager/frontend/src/components/EditVault.svelte
new file mode 100644
index 000000000..5c156fcc8
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/EditVault.svelte
@@ -0,0 +1,86 @@
+<script lang="ts">
+    import { type VaultModel } from "../lib/vault";
+    import { vaultsStore } from "../store/vaults";
+    import Header from "./Header.svelte";
+    import SharingEditor from "./SharingEditor.svelte";
+    // @ts-expect-error: svelte-icons have some problems with ts declarations
+    import Trash from "svelte-icons/fa/FaTrash.svelte";
+    import { auth } from "../store/auth";
+    import Spinner from "./Spinner.svelte";
+
+    export let currentRoute = "";
+
+    let editedVault: VaultModel;
+    let updating = false;
+    let deleting = false;
+    let canManage = false;
+
+    function deleteVault() {}
+
+    $: {
+        if (
+            $auth.state === "initialized" &&
+            $vaultsStore.state === "loaded" &&
+            !editedVault
+        ) {
+            const vault = $vaultsStore.list.find(
+                (vault) => vault.name === currentRoute,
+            );
+
+            if (vault) {
+                editedVault = { ...vault };
+                const me = $auth.client.getIdentity().getPrincipal();
+                if (vault.owner.compareTo(me) === "eq") {
+                    canManage = true;
+                } else {
+                    const user = vault.users.find(
+                        ([p]) => p.compareTo(me) === "eq",
+                    );
+                    if (user) {
+                        canManage = "ReadWriteManage" in user[1];
+                    }
+                }
+            }
+        }
+    }
+</script>
+
+{#if editedVault}
+    <Header>
+        <span slot="title"> Edit vault </span>
+        <button
+            slot="actions"
+            class="btn btn-ghost {deleting ? 'loading' : ''} {!canManage
+                ? 'hidden'
+                : ''}"
+            on:click={deleteVault}
+            disabled={updating || deleting}
+        >
+            {#if !deleting}
+                <span class="w-6 h-6 p-1"><Trash /></span>
+            {/if}
+
+            {deleting ? "Deleting..." : ""}
+        </button>
+    </Header>
+    <main class="p-4">
+        {#if $vaultsStore.state === "loaded"}
+            <hr class="mt-10" />
+            <SharingEditor {editedVault} {canManage} />
+        {:else if $vaultsStore.state === "loading"}
+            Loading vaults...
+        {/if}
+    </main>
+{:else}
+    <Header>
+        <span slot="title"> Edit vault </span>
+    </Header>
+    <main class="p-4">
+        {#if $vaultsStore.state === "loading"}
+            <Spinner />
+            Loading vault...
+        {:else if $vaultsStore.state === "loaded"}
+            <div class="alert alert-error">Could not find vault.</div>
+        {/if}
+    </main>
+{/if}
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Header.svelte b/rust/vetkeys/password_manager/frontend/src/components/Header.svelte
new file mode 100644
index 000000000..9245e48b6
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Header.svelte
@@ -0,0 +1,27 @@
+<script lang="ts"></script>
+
+<div class="w-full navbar bg-base-100 border-b border-base-300">
+    <div class="flex-none lg:hidden">
+        <label for="my-drawer-3" class="btn btn-square btn-ghost">
+            <svg
+                xmlns="http://www.w3.org/2000/svg"
+                fill="none"
+                viewBox="0 0 24 24"
+                class="inline-block w-6 h-6 stroke-current"
+            >
+                <path
+                    stroke-linecap="round"
+                    stroke-linejoin="round"
+                    stroke-width="2"
+                    d="M4 6h16M4 12h16M4 18h16"
+                />
+            </svg>
+        </label>
+    </div>
+    <div class="flex-1 px-2 mx-2 font-bold text-lg">
+        <slot name="title" />
+    </div>
+    <div>
+        <slot name="actions" />
+    </div>
+</div>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Hero.svelte b/rust/vetkeys/password_manager/frontend/src/components/Hero.svelte
new file mode 100644
index 000000000..3f7ba7b22
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Hero.svelte
@@ -0,0 +1,60 @@
+<script lang="ts">
+    import { type AuthState, login } from "../store/auth";
+    import DisclaimerCopy from "./DisclaimerCopy.svelte";
+    import Spinner from "./Spinner.svelte";
+
+    export let auth: Extract<
+        AuthState,
+        {
+            state: "initializing-auth" | "initialized" | "anonymous" | "error";
+        }
+    >;
+</script>
+
+<div class="hero min-h-screen pt-8 sm:pt-0 content-start sm:content-center">
+    <div class="text-center hero-content">
+        <div class="max-w-xl">
+            <h1
+                class="mb-5 text-4xl sm:text-5xl font-bold text-primary dark:text-white"
+            >
+                Password Manager
+            </h1>
+            <p class="mb-5 text-xl font-semibold">
+                Your private passwords on the Internet Computer.
+            </p>
+            <p class="mb-5">
+                A safe place to store your personal lists, thoughts, ideas or
+                passphrases and much more...
+            </p>
+
+            {#if auth.state === "initializing-auth"}
+                <div class="text-lg font-semibold mt-8">
+                    <Spinner />
+                    Initializing...
+                </div>
+            {:else if auth.state === "anonymous"}
+                <button class="btn btn-primary" on:click={() => login()}
+                    >Please login to start storing passwords</button
+                >
+            {:else if auth.state === "error"}
+                <div class="text-lg font-semibold mt-8">An error occurred.</div>
+            {/if}
+
+            <div class="text-xs mt-8 sm:mt-12 opacity-75 mb-12 sm:mb-32">
+                <DisclaimerCopy />
+            </div>
+        </div>
+    </div>
+    <div class="fixed bottom-0 text-center left-0 right-0 pb-4 sm:pb-8">
+        <img
+            src="/img/ic-badge-powered-by-crypto_label-stripe-white-text.png"
+            alt="Powered by the Internet Computer"
+            class="hidden dark:inline h-4"
+        />
+        <img
+            src="/img/ic-badge-powered-by-crypto_label-stripe-dark-text.png"
+            alt="Powered by the Internet Computer"
+            class="dark:hidden inline h-4"
+        />
+    </div>
+</div>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/LayoutAuthenticated.svelte b/rust/vetkeys/password_manager/frontend/src/components/LayoutAuthenticated.svelte
new file mode 100644
index 000000000..090735f21
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/LayoutAuthenticated.svelte
@@ -0,0 +1,29 @@
+<script lang="ts">
+    import Router from "svelte-spa-router";
+    import "../store/vaults";
+    import Password from "./Password.svelte";
+    import NewPassword from "./NewPassword.svelte";
+    import Vaults from "./Vaults.svelte";
+    import Vault from "./Vault.svelte";
+    import EditVault from "./EditVault.svelte";
+    import EditPassword from "./EditPassword.svelte";
+    import { wrap } from "svelte-spa-router/wrap";
+    import SidebarLayout from "./SidebarLayout.svelte";
+
+    const routes = {
+        "/": wrap({ component: NewPassword }),
+        "/vaults": wrap({ component: Vaults }),
+        "/vaults/:vaultOwner/:VaultName": wrap({ component: Vault }),
+        "/edit/vaults/:vaultOwner/:VaultName": wrap({ component: EditVault }),
+        "/vaults/:vaultOwner/:VaultName/:passwordName": wrap({
+            component: Password,
+        }),
+        "/edit/vaults/:vaultOwner/:VaultName/:passwordName": wrap({
+            component: EditPassword,
+        }),
+    };
+</script>
+
+<SidebarLayout>
+    <Router {routes} />
+</SidebarLayout>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/NewPassword.svelte b/rust/vetkeys/password_manager/frontend/src/components/NewPassword.svelte
new file mode 100644
index 000000000..7270bc0bb
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/NewPassword.svelte
@@ -0,0 +1,108 @@
+<script lang="ts">
+    import { onDestroy } from "svelte";
+    import { Editor, placeholder } from "typewriter-editor";
+    import { passwordFromContent } from "../lib/password";
+    import { auth } from "../store/auth";
+    import { draft } from "../store/draft";
+    import { addPassword, refreshVaults } from "../store/vaults";
+    import { addNotification, showError } from "../store/notifications";
+    import Header from "./Header.svelte";
+    import PasswordEditor from "./PasswordEditor.svelte";
+    import { Principal } from "@dfinity/principal";
+
+    let creating = false;
+    let vaultOwner =
+        $auth.state === "initialized"
+            ? $auth.client.getIdentity().getPrincipal().toText()
+            : Principal.anonymous().toText();
+    let vaultName = "";
+    let passwordName = "";
+
+    const editor = new Editor({
+        modules: {
+            placeholder: placeholder("Enter password..."),
+        },
+        html: $draft.content,
+    });
+
+    async function add() {
+        if ($auth.state !== "initialized") {
+            return;
+        }
+
+        creating = true;
+
+        await addPassword(
+            passwordFromContent(
+                Principal.fromText(vaultOwner),
+                vaultName,
+                passwordName,
+                editor.getText(),
+            ),
+            $auth.encryptedMaps,
+        )
+            .catch((e) => {
+                showError(e, "Could not add password.");
+            })
+            .finally(() => {
+                creating = false;
+            });
+
+        // if creation was successful, reset the editor
+        editor.setHTML("");
+
+        addNotification({
+            type: "success",
+            message: "Password added successfully",
+        });
+
+        // refresh passwords in the background
+        refreshVaults($auth.encryptedMaps).catch((e) =>
+            showError(e, "Could not refresh passwords."),
+        );
+    }
+
+    function saveDraft() {
+        draft.set({
+            content: editor.getText(),
+        });
+    }
+
+    onDestroy(saveDraft);
+</script>
+
+<svelte:window on:beforeunload={saveDraft} />
+
+<Header>
+    <span slot="title"> New password </span>
+</Header>
+
+<main class="p-4">
+    <!-- Add these input fields -->
+    <div class="mb-3">
+        <input
+            type="text"
+            bind:value={vaultOwner}
+            placeholder="Enter vault owner"
+            class="input input-bordered w-full mb-3"
+        />
+        <input
+            type="text"
+            bind:value={vaultName}
+            placeholder="Enter vault name"
+            class="input input-bordered w-full"
+        />
+        <input
+            type="text"
+            bind:value={passwordName}
+            placeholder="Enter password name"
+            class="input input-bordered w-full"
+        />
+    </div>
+    <PasswordEditor {editor} class="mb-3" disabled={creating} />
+    <button
+        class="btn mt-6 btn-primary {creating ? 'loading' : ''}"
+        disabled={creating}
+        on:click={add}>{creating ? "Adding..." : "Add password"}</button
+    >
+</main>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Notifications.svelte b/rust/vetkeys/password_manager/frontend/src/components/Notifications.svelte
new file mode 100644
index 000000000..af1b01eb5
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Notifications.svelte
@@ -0,0 +1,22 @@
+<script lang="ts">
+    import { type Notification, notifications } from "../store/notifications";
+    import { fly, fade } from "svelte/transition";
+
+    const classMap: Record<Notification["type"], string> = {
+        info: "alert-info",
+        error: "alert-error",
+        success: "alert-success",
+    };
+</script>
+
+<div class="absolute right-4 bottom-4 flex flex-col max-w-xs space-y-4">
+    {#each $notifications as n (n.id)}
+        <div
+            class="alert {classMap[n.type]} bg-opacity-100 text-white"
+            in:fly={{ x: 100, duration: 200 }}
+            out:fade
+        >
+            <p>{n.message}</p>
+        </div>
+    {/each}
+</div>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Password.svelte b/rust/vetkeys/password_manager/frontend/src/components/Password.svelte
new file mode 100644
index 000000000..9b30c30a2
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Password.svelte
@@ -0,0 +1,106 @@
+<script lang="ts">
+    import { type PasswordModel, summarize } from "../lib/password";
+    import { link, location } from "svelte-spa-router";
+    import { vaultsStore } from "../store/vaults";
+    import { Principal } from "@dfinity/principal";
+    import { onDestroy } from "svelte";
+    import Spinner from "./Spinner.svelte";
+    import Header from "./Header.svelte";
+
+    export let currentRoute = "";
+    const unsubscribe = location.subscribe((value) => {
+        currentRoute = value;
+    });
+    onDestroy(unsubscribe);
+
+    export let password: PasswordModel = {
+        parentVaultName: "",
+        owner: Principal.anonymous(),
+        passwordName: "",
+        content: "",
+    };
+
+    export let passwordSummary = "";
+
+    $: {
+        if (
+            $vaultsStore.state === "loaded" &&
+            password.passwordName.length === 0 &&
+            currentRoute.split("/").length > 2
+        ) {
+            const split = currentRoute.split("/");
+            const vaultOwner = Principal.fromText(split[split.length - 3]);
+            const parentVaultName = split[split.length - 2];
+            const passwordName = split[split.length - 1];
+            const searchedForPassword = $vaultsStore.list
+                .find(
+                    (v) =>
+                        v.owner.compareTo(vaultOwner) === "eq" &&
+                        v.name === parentVaultName,
+                )
+                .passwords.find((p) => p[0] === passwordName);
+
+            if (searchedForPassword) {
+                password = searchedForPassword[1];
+                passwordSummary += summarize(password);
+            } else {
+                passwordSummary =
+                    "could not find password " +
+                    passwordName +
+                    " in vault " +
+                    parentVaultName +
+                    " owned by " +
+                    vaultOwner.toText();
+            }
+        }
+    }
+</script>
+
+<Header>
+    <span slot="title" class="flex items-center gap-2 h-full">
+        Password: {password.passwordName}
+    </span>
+    <svelte:fragment slot="actions">
+        {#if $vaultsStore.state === "loaded" && $vaultsStore.list.length > 0}
+            <a class="btn btn-primary" href="/" use:link>New password</a>
+        {/if}
+    </svelte:fragment>
+</Header>
+
+<main class="p-4 pb-24 relative min-h-screen flex flex-col">
+    {#if $vaultsStore.state === "loading"}
+        <Spinner />
+        Loading password...
+    {:else if $vaultsStore.state === "loaded"}
+        {#if password.parentVaultName === ""}
+            <div class="text-center pt-8 italic">
+                There is no such password in this vault.
+            </div>
+            <div class="text-center pt-8">
+                <a href="/" use:link class="btn btn-primary"
+                    >Add a new password</a
+                >
+            </div>
+        {:else}
+            <div
+                class="grid grid-cols-1 sm:grid-cols-2 md:grid-cols-3 gap-3 max-w-7xl"
+            >
+                <div class="pointer-events-none">
+                    <h2 class="text-lg font-bold mb-2 line-clamp-3">
+                        {password.passwordName}: "{password.content}"
+                    </h2>
+                </div>
+            </div>
+        {/if}
+        <div class="flex-grow"></div>
+        <div class="text-center">
+            <a
+                href={`/vaults/${password.owner.toText()}/${password.parentVaultName}`}
+                use:link
+                class="btn btn-primary"
+            >
+                Go back to vault
+            </a>
+        </div>
+    {/if}
+</main>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/PasswordEditor.svelte b/rust/vetkeys/password_manager/frontend/src/components/PasswordEditor.svelte
new file mode 100644
index 000000000..a27c1ba12
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/PasswordEditor.svelte
@@ -0,0 +1,68 @@
+<script lang="ts">
+    import type { Editor } from "typewriter-editor";
+    import asRoot from "typewriter-editor/lib/asRoot.js";
+    import BubbleMenu from "typewriter-editor/lib/BubbleMenu.svelte";
+    import Heading from "svelte-icons/fa/FaHeading.svelte";
+    import Bold from "svelte-icons/fa/FaBold.svelte";
+    import Italic from "svelte-icons/fa/FaItalic.svelte";
+    import FaListUl from "svelte-icons/fa/FaListUl.svelte";
+
+    export let editor: Editor;
+    export let disabled: boolean = false;
+
+    let classNames: string = "";
+    export { classNames as class };
+
+    function focus(el: HTMLElement) {
+        el.focus();
+    }
+
+    $: editor.enabled = !disabled;
+</script>
+
+<BubbleMenu for={null} {editor} let:commands offset={8}>
+    <div class="btn-group">
+        <button class="btn btn-sm" on:click={commands.header1}>
+            <span class="w-6 h-6 p-1"><Heading /></span>
+        </button>
+        <button class="btn btn-sm" on:click={commands.bulletList}>
+            <span class="w-6 h-6 p-1"><FaListUl /></span>
+        </button>
+        <button class="btn btn-sm" on:click={commands.bold}>
+            <span class="w-6 h-6 p-1"><Bold /></span>
+        </button>
+        <button class="btn btn-sm" on:click={commands.italic}>
+            <span class="w-6 h-6 p-1"><Italic /></span>
+        </button>
+    </div>
+</BubbleMenu>
+
+<div
+    use:asRoot={editor}
+    class="p-4 min-h-[16rem] textarea border-base-300 {classNames} {disabled
+        ? 'opacity-50'
+        : ''}"
+    use:focus
+/>
+
+<style>
+    .textarea :global(.placeholder) {
+        position: relative;
+    }
+    .textarea :global(.placeholder::before) {
+        position: absolute;
+        left: 0;
+        right: 0;
+        opacity: 0.75;
+        content: attr(data-placeholder);
+    }
+
+    .textarea :global(h1) {
+        font-size: 2rem;
+        margin-bottom: 12px;
+    }
+    .textarea :global(ul) {
+        list-style: disc;
+        padding-left: 24px;
+    }
+</style>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Passwords.svelte b/rust/vetkeys/password_manager/frontend/src/components/Passwords.svelte
new file mode 100644
index 000000000..70e7f30b3
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Passwords.svelte
@@ -0,0 +1,79 @@
+<script lang="ts">
+    import { type VaultModel } from "../lib/vault";
+    import { vaultsStore } from "../store/vaults";
+    import Header from "./Header.svelte";
+    import Password from "./Password.svelte";
+    import Spinner from "./Spinner.svelte";
+    import { link } from "svelte-spa-router";
+
+    let filter = "";
+    let filteredVaults: VaultModel[];
+
+    $: searchIndex =
+        $vaultsStore.state === "loaded"
+            ? $vaultsStore.list.map((vault) => {
+                  const div = document.createElement("div");
+                  div.innerHTML = Array.from(vault.passwords.values())
+                      .map((password) => password[0])
+                      .join(" xx ");
+                  const content = div.innerText;
+                  return [content].join("/#delimiter#/").toLowerCase();
+              })
+            : [];
+
+    $: {
+        if ($vaultsStore.state === "loaded") {
+            if (filter.length > 0) {
+                filteredVaults = $vaultsStore.list.filter((_, i) => {
+                    return searchIndex[i].includes(filter.toLowerCase());
+                });
+            } else {
+                filteredVaults = $vaultsStore.list;
+            }
+        }
+    }
+</script>
+
+<Header>
+    <span slot="title"> Your passwords </span>
+    <svelte:fragment slot="actions">
+        {#if $vaultsStore.state === "loaded" && $vaultsStore.list.length > 0}
+            <a class="btn btn-primary" use:link href="/">New Password</a>
+        {/if}
+    </svelte:fragment>
+</Header>
+<main class="p-4">
+    {#if $vaultsStore.state === "loading"}
+        <Spinner />
+        Loading passwords...
+    {:else if $vaultsStore.state === "loaded"}
+        {#if $vaultsStore.list.length > 0}
+            <div class="mb-6">
+                <input
+                    bind:value={filter}
+                    class="bg-transparent text-base {filter.length > 0
+                        ? 'border'
+                        : ''} rounded-lg h-8 px-3"
+                    placeholder="Filter notes..."
+                />
+            </div>
+
+            <div
+                class="grid grid-cols-1 sm:grid-cols-2 md:grid-cols-3 gap-3 max-w-7xl"
+            >
+                {#each filteredVaults as vault (vault.name)}
+                    {#each Array.from(vault.passwords.map(([, password]) => password)) as password (password.passwordName)}
+                        <Password {password} />
+                    {/each}
+                {/each}
+            </div>
+        {:else}
+            <div class="text-center pt-8 italic">You don't have any notes.</div>
+            <div class="text-center pt-8">
+                <a href="/" use:link class="btn btn-primary">Add a note</a>
+            </div>
+        {/if}
+    {:else if $vaultsStore.state === "error"}
+        <div class="alert alert-error">Could not load passwords.</div>
+    {/if}
+</main>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/SharingEditor.svelte b/rust/vetkeys/password_manager/frontend/src/components/SharingEditor.svelte
new file mode 100644
index 000000000..53d6b644f
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/SharingEditor.svelte
@@ -0,0 +1,218 @@
+<script lang="ts">
+    import type { VaultModel } from "../lib/vault";
+    import { auth } from "../store/auth";
+    import {
+        addUser,
+        refreshVaults,
+        removeUser,
+        vaultsStore,
+    } from "../store/vaults";
+    import { addNotification, showError } from "../store/notifications";
+    import { Principal } from "@dfinity/principal";
+    import type { AccessRights } from "@dfinity/vetkeys/encrypted_maps";
+
+    export let editedVault: VaultModel;
+    export let canManage = false;
+    export let currentRoute = "";
+
+    let newSharing: string = "";
+    let newSharingInput: HTMLInputElement;
+    let adding = false;
+    let removing = false;
+
+    async function add() {
+        if ($auth.state !== "initialized") {
+            throw new Error("not logged in");
+        }
+        adding = true;
+        let accessRights: AccessRights = { Read: null };
+
+        const selectElement = document.getElementById(
+            "access-rights-select",
+        ) as HTMLSelectElement;
+        const selectedIndex = selectElement.selectedIndex;
+        const selectedValue = selectElement.options[selectedIndex].value;
+
+        if (selectedValue === "ReadWrite") {
+            accessRights = { ReadWrite: null };
+        } else if (selectedValue === "ReadWriteManage") {
+            accessRights = { ReadWriteManage: null };
+        }
+
+        try {
+            await addUser(
+                editedVault.owner,
+                editedVault.name,
+                Principal.fromText(newSharing),
+                accessRights,
+                $auth.encryptedMaps,
+            );
+            addNotification({
+                type: "success",
+                message: "User successfully added",
+            });
+            editedVault.users.push([
+                Principal.fromText(newSharing),
+                accessRights,
+            ]);
+            newSharing = "";
+            newSharingInput.focus();
+        } catch (e) {
+            showError(e, "Could not add user.");
+        } finally {
+            adding = false;
+        }
+        await refreshVaults($auth.encryptedMaps).catch((e) =>
+            showError(e, "Could not refresh vaults."),
+        );
+    }
+
+    async function remove(sharing: Principal) {
+        if ($auth.state !== "initialized") {
+            throw new Error("not logged in");
+        }
+        removing = true;
+        try {
+            await removeUser(
+                editedVault.owner,
+                editedVault.name,
+                sharing,
+                $auth.encryptedMaps,
+            );
+            editedVault.users = editedVault.users.filter((user) =>
+                user[0].compareTo(sharing),
+            );
+            addNotification({
+                type: "success",
+                message: "User successfully removed",
+            });
+        } catch (e) {
+            showError(e, "Could not remove user.");
+        } finally {
+            removing = false;
+        }
+        await refreshVaults($auth.encryptedMaps).catch((e) =>
+            showError(e, "Could not refresh vaults."),
+        );
+    }
+
+    function onKeyPress(e: KeyboardEvent) {
+        if (
+            e.key === "Enter" &&
+            !editedVault.users.find(
+                (user) =>
+                    user[0].compareTo(Principal.fromText(newSharing)) === "eq",
+            )
+        ) {
+            void add();
+        }
+    }
+
+    export function accessRightsToString(ar: AccessRights) {
+        if ("ReadWriteManage" in ar) {
+            return "read, write, manage";
+        } else if ("ReadWrite" in ar) {
+            return "read, write";
+        } else if ("Read" in ar) {
+            return "read";
+        } else {
+            throw new Error("unknown access rights");
+        }
+    }
+
+    $: {
+        if ($vaultsStore.state === "loaded" && !editedVault) {
+            const split = currentRoute.split("/");
+            const vaultOwnewr = Principal.fromText(split[split.length - 2]);
+            const vaultName = split[split.length - 1];
+            const vault = $vaultsStore.list.find(
+                (vault) =>
+                    vault.owner === vaultOwnewr && vault.name === vaultName,
+            );
+            if (vault) {
+                editedVault = vault;
+            }
+        }
+    }
+</script>
+
+<p class="text-lg font-bold">Users</p>
+{#if canManage}
+    <p class="mt-1">
+        Add users by their principal to allow them viewing or editing the vault.
+    </p>
+{:else}
+    <p class="mt-3">
+        This vault is <span class="font-bold">shared</span> with you. It is
+        owned by <span class="italic font-bold">{editedVault.owner}</span>.
+    </p>
+    <p class="mt-3">Users with whom the vault is shared:</p>
+{/if}
+<div class="flex flex-wrap space-x-2 mt-2">
+    {#each editedVault.users as sharing (sharing[0].toText())}
+        <button
+            class="btn btn-outline btn-sm flex items-center"
+            on:click={() => {
+                void remove(sharing[0]);
+            }}
+            disabled={adding || removing || !canManage}
+        >
+            <span>{accessRightsToString(sharing[1])} {sharing[0]}</span>
+            <svg
+                xmlns="http://www.w3.org/2000/svg"
+                fill="none"
+                viewBox="0 0 24 24"
+                class="inline-block w-4 h-4 stroke-current"
+            >
+                <path
+                    stroke-linecap="round"
+                    stroke-linejoin="round"
+                    stroke-width="2"
+                    d="M6 18L18 6M6 6l12 12"
+                />
+            </svg>
+        </button>
+    {/each}
+    <input
+        bind:value={newSharing}
+        placeholder="Add principal..."
+        class="bg-transparent text-base rounded-lg h-8 px-3 w-auto {adding ||
+        removing
+            ? 'opacity-50'
+            : ''} 
+          {!canManage ? 'hidden' : ''}"
+        bind:this={newSharingInput}
+        on:keypress={onKeyPress}
+        disabled={adding}
+    />
+    <select
+        name="access-rights"
+        id="access-rights-select"
+        disabled={(newSharing !== "" &&
+            !!editedVault.users.find(
+                (user) =>
+                    user[0].compareTo(Principal.fromText(newSharing)) === "eq",
+            )) ||
+            adding ||
+            removing}
+        hidden={!canManage}
+    >
+        <option value="Read">read</option>
+        <option value="ReadWrite">read-write</option>
+        <option value="ReadWriteManage">read-write-manage</option>
+    </select>
+    <button
+        class="btn btn-sm btn-ghost
+          {!canManage ? 'hidden' : ''}
+          {adding || removing ? 'loading' : ''}"
+        on:click={add}
+        disabled={(newSharing !== "" &&
+            !!editedVault.users.find(
+                (user) =>
+                    user[0].compareTo(Principal.fromText(newSharing)) === "eq",
+            )) ||
+            adding ||
+            removing}
+        >{adding ? "Adding..." : removing ? "Removing... " : "Add"}</button
+    >
+</div>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/SidebarLayout.svelte b/rust/vetkeys/password_manager/frontend/src/components/SidebarLayout.svelte
new file mode 100644
index 000000000..94959e666
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/SidebarLayout.svelte
@@ -0,0 +1,81 @@
+<script lang="ts">
+    import { auth, logout } from "../store/auth";
+    import FaPlusSquare from "svelte-icons/fa/FaPlusSquare.svelte";
+    import GoDatabase from "svelte-icons/go/GoDatabase.svelte";
+    import FaDoorOpen from "svelte-icons/fa/FaDoorOpen.svelte";
+    import Disclaimer from "./Disclaimer.svelte";
+    import { Principal } from "@dfinity/principal";
+    import { link } from "svelte-spa-router";
+</script>
+
+<div class="bg-base-200 drawer drawer-mobile lg:drawer-open">
+    <input id="my-drawer-3" type="checkbox" class="drawer-toggle" />
+    <div class="flex flex-col drawer-content lg:!z-[1000]">
+        <div class="flex-1">
+            <slot />
+        </div>
+        <Disclaimer />
+    </div>
+    <div class="drawer-side">
+        <label for="my-drawer-3" class="drawer-overlay" />
+        <aside
+            class="flex flex-col justify-between border-r border-base-300 bg-base-100
+    text-base-content w-64 sm:w-80 h-full"
+        >
+            <div
+                class="sticky h-16 py-4 pl-5 text-2xl font-bold border-b border-base-300 text-primary dark:text-white"
+            >
+                VetKD Password Manager
+            </div>
+            <div class="border-b">
+                <div class="pl-4">My Principal:</div>
+                <div class="pl-4">
+                    {$auth.state === "initialized"
+                        ? $auth.client.getIdentity().getPrincipal().toText()
+                        : Principal.anonymous().toText()}
+                </div>
+            </div>
+            <ul
+                class="p-4 overflow-y-auto menu w-full bg-base-100 flex-1 flex flex-col"
+            >
+                <li>
+                    <a href="/" use:link>
+                        <span class="w-6 h-6 p-1 mr-2">
+                            <FaPlusSquare />
+                        </span>
+                        New password
+                    </a>
+                </li>
+                <li>
+                    <a href="/vaults" use:link>
+                        <span class="w-6 h-6 p-1 mr-2">
+                            <GoDatabase />
+                        </span>
+                        Your vaults</a
+                    >
+                </li>
+                <li class="flex-1 bg-transparent" />
+                <li>
+                    <button on:click={() => logout()}>
+                        <span class="w-6 h-6 p-1 mr-2">
+                            <FaDoorOpen />
+                        </span>
+                        Log out</button
+                    >
+                </li>
+            </ul>
+            <div class="px-5 pb-4">
+                <img
+                    src="/img/ic-badge-powered-by-crypto_transparent-white-text.png"
+                    alt="Powered by the Internet Computer"
+                    class="hidden dark:inline"
+                />
+                <img
+                    src="/img/ic-badge-powered-by-crypto_transparent-dark-text.png"
+                    alt="Powered by the Internet Computer"
+                    class="dark:hidden inline"
+                />
+            </div>
+        </aside>
+    </div>
+</div>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Spinner.svelte b/rust/vetkeys/password_manager/frontend/src/components/Spinner.svelte
new file mode 100644
index 000000000..cc26ba251
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Spinner.svelte
@@ -0,0 +1,5 @@
+<script lang="ts"></script>
+
+<span
+    class="inline-block h-4 w-4 rounded-full mr-2 border-2 animate-spin border-b-current border-r-current border-t-transparent border-l-transparent"
+/>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Vault.svelte b/rust/vetkeys/password_manager/frontend/src/components/Vault.svelte
new file mode 100644
index 000000000..5c578a5fa
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Vault.svelte
@@ -0,0 +1,143 @@
+<script lang="ts">
+    import { type VaultModel, summarize } from "../lib/vault";
+    import { link, location } from "svelte-spa-router";
+    import { onDestroy } from "svelte";
+    import { vaultsStore } from "../store/vaults";
+    import { Principal } from "@dfinity/principal";
+    import Header from "./Header.svelte";
+    import Spinner from "./Spinner.svelte";
+    // @ts-expect-error: svelte-icons have some problems with ts declarations
+    import GiOpenTreasureChest from "svelte-icons/gi/GiOpenTreasureChest.svelte";
+    import { auth } from "../store/auth";
+    import SharingEditor from "./SharingEditor.svelte";
+    import type { AccessRights } from "@dfinity/vetkeys/encrypted_maps";
+
+    export let vault: VaultModel = {
+        name: "",
+        owner: Principal.managementCanister(),
+        passwords: [],
+        users: [],
+    };
+    export let vaultSummary: string = "";
+    export let accessRights: AccessRights = { Read: null };
+
+    export let currentRoute = "";
+    const unsubscribeCurrentRoute = location.subscribe((value) => {
+        currentRoute = value;
+    });
+    onDestroy(unsubscribeCurrentRoute);
+
+    $: {
+        if (
+            $vaultsStore.state === "loaded" &&
+            $auth.state === "initialized" &&
+            vault.name.length === 0 &&
+            currentRoute.split("/").length > 2
+        ) {
+            const split = currentRoute.split("/");
+            const vaultOwner = Principal.fromText(split[split.length - 2]);
+            const vaultName = split[split.length - 1];
+            const searchedForVault = $vaultsStore.list.find(
+                (v) =>
+                    v.owner.compareTo(vaultOwner) === "eq" &&
+                    v.name === vaultName,
+            );
+            if (searchedForVault) {
+                vault = searchedForVault;
+                vaultSummary += summarize(vault);
+                const me = $auth.client.getIdentity().getPrincipal();
+                if (vault.owner.compareTo(me) === "eq") {
+                    accessRights = { ReadWriteManage: null };
+                } else {
+                    const foundAccessRights = vault.users.find(
+                        (user) => user[0].compareTo(me) === "eq",
+                    );
+                    if (foundAccessRights) {
+                        accessRights = foundAccessRights[1];
+                    }
+                }
+            } else {
+                vaultSummary =
+                    "could not find vault " +
+                    vaultName +
+                    " owned by " +
+                    vaultOwner.toText();
+            }
+        }
+    }
+</script>
+
+<Header>
+    <span slot="title" class="flex items-center gap-2 h-full">
+        <span style="width: 64px; height: 64px;" class="inline-block">
+            <GiOpenTreasureChest />
+        </span>
+        Vault: {vault.name}
+    </span>
+    <svelte:fragment slot="actions">
+        {#if $vaultsStore.state === "loaded" && $vaultsStore.list.length > 0}
+            <a class="btn btn-primary" href="/" use:link>New password</a>
+        {/if}
+    </svelte:fragment>
+</Header>
+
+<main class="p-4 pb-24 relative min-h-screen flex flex-col">
+    {#if $vaultsStore.state === "loading"}
+        <Spinner />
+        Loading vault...
+    {:else if $vaultsStore.state === "loaded"}
+        <div class="pointer-events-none">
+            <h2 class="text-lg font-bold mb-2 line-clamp-3">
+                {vaultSummary}
+            </h2>
+        </div>
+        <div class="mt-5"></div>
+        <SharingEditor
+            editedVault={vault}
+            canManage={"ReadWriteManage" in accessRights}
+        />
+
+        <div class="mt-5"></div>
+
+        <div class="pointer-events-none">
+            <h2 class="text-lg font-bold mb-2 line-clamp-3">Passwords</h2>
+        </div>
+        {#if vault.passwords.length === 0}
+            <div class="text-center pt-8 italic">
+                You don't have any passwords in this vault.
+            </div>
+            <div class="text-center pt-8">
+                <a href="/" use:link class="btn btn-primary"
+                    >Add a new password</a
+                >
+            </div>
+        {:else}
+            <div
+                class="grid grid-cols-1 sm:grid-cols-2 md:grid-cols-3 gap-3
+            max-w-7xl"
+            >
+                {#each vault.passwords as password ((password[1].owner, password[1].parentVaultName, password[1].passwordName))}
+                    <a
+                        class="p-4 rounded-md border border-base-300 dark:border-base-300 bg-base
+dark:bg-base-100 hover:-translate-y-2 transition-transform"
+                        use:link
+                        href={`/edit/vaults/${vault.owner.toText()}/${vault.name}/${password[1].passwordName}`}
+                    >
+                        <div class="pointer-events-none">
+                            <h2 class="text-lg font-bold mb-2 line-clamp-3">
+                                {password[1].passwordName}: "{password[1]
+                                    .content}"
+                            </h2>
+                        </div>
+                    </a>
+                {/each}
+            </div>
+        {/if}
+        <div class="flex-grow"></div>
+        <div class="text-center">
+            <a href="/vaults" use:link class="btn btn-primary">
+                Back to overview
+            </a>
+        </div>
+    {/if}
+</main>
diff --git a/rust/vetkeys/password_manager/frontend/src/components/Vaults.svelte b/rust/vetkeys/password_manager/frontend/src/components/Vaults.svelte
new file mode 100644
index 000000000..fc99e9b3f
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/components/Vaults.svelte
@@ -0,0 +1,90 @@
+<script lang="ts">
+    import { type VaultModel } from "../lib/vault";
+    import { vaultsStore } from "../store/vaults";
+    import Header from "./Header.svelte";
+    import Spinner from "./Spinner.svelte";
+    import { link } from "svelte-spa-router";
+
+    let filter = "";
+    let filteredVaults: VaultModel[];
+
+    $: searchIndex =
+        $vaultsStore.state === "loaded"
+            ? $vaultsStore.list.map((vault) => {
+                  const div = document.createElement("div");
+                  div.innerHTML += vault.name;
+
+                  const content = div.innerText;
+                  return [content].join("/#delimiter#/").toLowerCase();
+              })
+            : [];
+
+    $: {
+        if ($vaultsStore.state === "loaded") {
+            if (filter.length > 0) {
+                filteredVaults = $vaultsStore.list.filter((_, i) => {
+                    return searchIndex[i].includes(filter.toLowerCase());
+                });
+            } else {
+                filteredVaults = $vaultsStore.list;
+            }
+        }
+    }
+</script>
+
+<Header>
+    <span slot="title"> Your vaults </span>
+    <svelte:fragment slot="actions">
+        {#if $vaultsStore.state === "loaded" && $vaultsStore.list.length > 0}
+            <a class="btn btn-primary" href="/" use:link>New password</a>
+        {/if}
+    </svelte:fragment>
+</Header>
+<main class="p-4">
+    {#if $vaultsStore.state === "loading"}
+        <Spinner />
+        Loading vaults...
+    {:else if $vaultsStore.state === "loaded"}
+        {#if $vaultsStore.list.length > 0}
+            <div class="mb-6">
+                <input
+                    bind:value={filter}
+                    class="bg-transparent text-base {filter.length > 0
+                        ? 'border'
+                        : ''} rounded-lg h-8 px-3"
+                    placeholder="Filter vaults by name..."
+                />
+            </div>
+
+            <div
+                class="grid grid-cols-1 sm:grid-cols-2 md:grid-cols-3 gap-3 max-w-7xl"
+            >
+                {#each filteredVaults as vault ([vault.owner, vault.name])}
+                    <a
+                        class="p-4 rounded-md border border-base-300 dark:border-base-300 bg-base
+dark:bg-base-100 hover:-translate-y-2 transition-transform"
+                        use:link
+                        href={`/vaults/${vault.owner.toText()}/${vault.name}`}
+                    >
+                        <div class="pointer-events-none">
+                            <h2 class="text-lg font-bold mb-2 line-clamp-3">
+                                "{vault.name}" owned by {vault.owner.toText()}
+                            </h2>
+                        </div>
+                    </a>
+                {/each}
+            </div>
+        {:else}
+            <div class="text-center pt-8 italic">
+                You don't have any vaults.
+            </div>
+            <div class="text-center pt-8">
+                <a href="/" use:link class="btn btn-primary"
+                    >Add a new password</a
+                >
+            </div>
+        {/if}
+    {:else if $vaultsStore.state === "error"}
+        <div class="alert alert-error">Could not load vaults.</div>
+    {/if}
+</main>
diff --git a/rust/vetkeys/password_manager/frontend/src/lib/encrypted_maps.ts b/rust/vetkeys/password_manager/frontend/src/lib/encrypted_maps.ts
new file mode 100644
index 000000000..2b2c7e071
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/lib/encrypted_maps.ts
@@ -0,0 +1,43 @@
+import "./init.ts";
+import { HttpAgent, type HttpAgentOptions } from "@dfinity/agent";
+import {
+    DefaultEncryptedMapsClient,
+    EncryptedMaps,
+} from "@dfinity/vetkeys/encrypted_maps";
+
+export async function createEncryptedMaps(
+    agentOptions?: HttpAgentOptions,
+): Promise<EncryptedMaps> {
+    const host =
+        process.env.DFX_NETWORK === "ic"
+            ? `https://${process.env.CANISTER_ID_IC_VETKEYS_ENCRYPTED_MAPS_CANISTER}.ic0.app`
+            : "http://localhost:4943";
+    const hostOptions = { host };
+
+    if (!agentOptions) {
+        agentOptions = hostOptions;
+    } else {
+        agentOptions.host = hostOptions.host;
+    }
+
+    const agent = await HttpAgent.create({ ...agentOptions });
+    // Fetch root key for certificate validation during development
+    if (process.env.NODE_ENV !== "production") {
+        console.log(`Dev environment - fetching root key...`);
+
+        agent.fetchRootKey().catch((err) => {
+            console.warn(
+                "Unable to fetch root key. Check to ensure that your local replica is running",
+            );
+            console.error(err);
+        });
+    }
+
+    // Creates an actor with using the candid interface and the HttpAgent
+    return new EncryptedMaps(
+        new DefaultEncryptedMapsClient(
+            agent,
+            process.env.CANISTER_ID_IC_VETKEYS_ENCRYPTED_MAPS_CANISTER,
+        ),
+    );
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/lib/init.ts b/rust/vetkeys/password_manager/frontend/src/lib/init.ts
new file mode 100644
index 000000000..062c8af94
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/lib/init.ts
@@ -0,0 +1 @@
+window.global ||= window;
diff --git a/rust/vetkeys/password_manager/frontend/src/lib/password.ts b/rust/vetkeys/password_manager/frontend/src/lib/password.ts
new file mode 100644
index 000000000..e37c46204
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/lib/password.ts
@@ -0,0 +1,56 @@
+import type { Principal } from "@dfinity/principal";
+
+export interface PasswordModel {
+    owner: Principal;
+    parentVaultName: string;
+    passwordName: string;
+    content: string;
+}
+
+export function passwordFromContent(
+    owner: Principal,
+    parentVaultName: string,
+    passwordName: string,
+    content: string,
+): PasswordModel {
+    return {
+        owner,
+        parentVaultName,
+        passwordName,
+        content,
+    };
+}
+
+export function summarize(note: PasswordModel, maxLength = 50) {
+    const div = document.createElement("div");
+    div.innerHTML = note.content;
+
+    let text = div.innerText;
+    const title = extractTitleFromDomEl(div);
+    if (title) {
+        text = text.replace(title, "");
+    }
+
+    return text.slice(0, maxLength) + (text.length > maxLength ? "..." : "");
+}
+
+function extractTitleFromDomEl(el: HTMLElement): string {
+    const title = el.querySelector("h1");
+    if (title) {
+        return title.innerText;
+    }
+
+    const blockElements = el.querySelectorAll("h1,h2,p,li");
+    for (const el of blockElements) {
+        if (el.textContent && el.textContent.trim().length > 0) {
+            return el.textContent.trim();
+        }
+    }
+    return "";
+}
+
+export function extractTitle(html: string) {
+    const div = document.createElement("div");
+    div.innerHTML = html;
+    return extractTitleFromDomEl(div);
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/lib/sleep.ts b/rust/vetkeys/password_manager/frontend/src/lib/sleep.ts
new file mode 100644
index 000000000..38caca0c1
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/lib/sleep.ts
@@ -0,0 +1,3 @@
+export function sleep(ms: number) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/lib/vault.ts b/rust/vetkeys/password_manager/frontend/src/lib/vault.ts
new file mode 100644
index 000000000..02dc5b712
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/lib/vault.ts
@@ -0,0 +1,60 @@
+import type { Principal } from "@dfinity/principal";
+import type { PasswordModel } from "./password";
+import type { AccessRights } from "@dfinity/vetkeys/encrypted_maps";
+
+export interface VaultModel {
+    owner: Principal;
+    name: string;
+    passwords: Array<[string, PasswordModel]>;
+    users: Array<[Principal, AccessRights]>;
+}
+
+export function vaultFromContent(
+    owner: Principal,
+    name: string,
+    passwords: Array<[string, PasswordModel]>,
+    users: Array<[Principal, AccessRights]>,
+): VaultModel {
+    return { owner, name, passwords, users };
+}
+
+export function summarize(vault: VaultModel, maxLength = 1500) {
+    const div = document.createElement("div");
+
+    div.innerHTML +=
+        "Owner: " +
+        vault.owner.toString() +
+        ", " +
+        vault.users.length +
+        " users";
+    div.innerHTML += ", " + vault.passwords.length + " passwords.\n";
+
+    let text = div.innerText;
+    const title = extractTitleFromDomEl(div);
+    if (title) {
+        text = text.replace(title, "");
+    }
+
+    return text.slice(0, maxLength) + (text.length > maxLength ? "..." : "");
+}
+
+function extractTitleFromDomEl(el: HTMLElement): string {
+    const title = el.querySelector("h1");
+    if (title) {
+        return title.innerText;
+    }
+
+    const blockElements = el.querySelectorAll("h1,h2,p,li");
+    for (const el of blockElements) {
+        if (el.textContent && el.textContent?.trim().length > 0) {
+            return el.textContent.trim();
+        }
+    }
+    return "";
+}
+
+export function extractTitle(html: string) {
+    const div = document.createElement("div");
+    div.innerHTML = html;
+    return extractTitleFromDomEl(div);
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/main.ts b/rust/vetkeys/password_manager/frontend/src/main.ts
new file mode 100644
index 000000000..ff634fcc2
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/main.ts
@@ -0,0 +1,8 @@
+import "./app.css";
+import App from "./App.svelte";
+
+const app = new App({
+    target: document.body,
+});
+
+export default app;
diff --git a/rust/vetkeys/password_manager/frontend/src/store/auth.ts b/rust/vetkeys/password_manager/frontend/src/store/auth.ts
new file mode 100644
index 000000000..ec6547c8b
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/store/auth.ts
@@ -0,0 +1,116 @@
+import "../lib/init.ts";
+import { get, writable } from "svelte/store";
+import { AuthClient } from "@dfinity/auth-client";
+import type { JsonnableDelegationChain } from "@dfinity/identity/lib/cjs/identity/delegation";
+import { replace } from "svelte-spa-router";
+import { createEncryptedMaps } from "../lib/encrypted_maps.js";
+import { EncryptedMaps } from "@dfinity/vetkeys/encrypted_maps";
+
+export type AuthState =
+    | {
+          state: "initializing-auth";
+      }
+    | {
+          state: "anonymous";
+          client: AuthClient;
+      }
+    | {
+          state: "initialized";
+          encryptedMaps: EncryptedMaps;
+          client: AuthClient;
+      }
+    | {
+          state: "error";
+          error: string;
+      };
+
+export const auth = writable<AuthState>({
+    state: "initializing-auth",
+});
+
+async function initAuth() {
+    const client = await AuthClient.create();
+    if (await client.isAuthenticated()) {
+        void authenticate(client);
+    } else {
+        auth.update(() => ({
+            state: "anonymous",
+            client,
+        }));
+    }
+}
+
+void initAuth();
+
+export function login() {
+    const currentAuth = get(auth);
+
+    if (currentAuth.state === "anonymous") {
+        void currentAuth.client.login({
+            maxTimeToLive: BigInt(1800) * BigInt(1_000_000_000),
+            identityProvider:
+                process.env.DFX_NETWORK === "ic"
+                    ? "https://identity.ic0.app/#authorize"
+                    : `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:4943/#authorize`,
+            onSuccess: () => authenticate(currentAuth.client),
+        });
+    }
+}
+
+export async function logout() {
+    const currentAuth = get(auth);
+
+    if (currentAuth.state === "initialized") {
+        await currentAuth.client.logout();
+        auth.update(() => ({
+            state: "anonymous",
+            client: currentAuth.client,
+        }));
+        void replace("/");
+    }
+}
+
+export async function authenticate(client: AuthClient) {
+    handleSessionTimeout();
+
+    try {
+        const encryptedMaps = await createEncryptedMaps({
+            identity: client.getIdentity(),
+        });
+
+        auth.update(() => ({
+            state: "initialized",
+            encryptedMaps,
+            client,
+        }));
+    } catch (e) {
+        auth.update(() => ({
+            state: "error",
+            error: (e as Error).message || "An error occurred",
+        }));
+    }
+}
+
+// set a timer when the II session will expire and log the user out
+function handleSessionTimeout() {
+    // upon login the localstorage items may not be set, wait for next tick
+    setTimeout(() => {
+        try {
+            const delegation = JSON.parse(
+                window.localStorage.getItem("ic-delegation") || "{}",
+            ) as JsonnableDelegationChain;
+
+            const expirationTimeMs =
+                Number.parseInt(
+                    delegation.delegations[0].delegation.expiration,
+                    16,
+                ) / 1000000;
+
+            setTimeout(() => {
+                void logout();
+            }, expirationTimeMs - Date.now());
+        } catch {
+            console.error("Could not handle delegation expiry.");
+        }
+    });
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/store/draft.ts b/rust/vetkeys/password_manager/frontend/src/store/draft.ts
new file mode 100644
index 000000000..05835819e
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/store/draft.ts
@@ -0,0 +1,36 @@
+import { writable } from "svelte/store";
+import { auth } from "./auth";
+
+interface DraftModel {
+    content: string;
+}
+
+let initialDraft: DraftModel = {
+    content: "",
+};
+
+try {
+    const getDraft = localStorage.getItem("draft");
+    if (getDraft) {
+        const savedDraft: DraftModel = JSON.parse(getDraft) as DraftModel;
+        if ("content" in savedDraft && "tags" in savedDraft) {
+            initialDraft = savedDraft;
+        }
+    } else {
+        throw new Error("Draft not found");
+    }
+} catch {
+    // ignore error
+}
+
+export const draft = writable<DraftModel>(initialDraft);
+
+draft.subscribe((draft) => {
+    localStorage.setItem("draft", JSON.stringify(draft));
+});
+
+auth.subscribe(($auth) => {
+    if ($auth.state === "anonymous") {
+        draft.set(initialDraft);
+    }
+});
diff --git a/rust/vetkeys/password_manager/frontend/src/store/notifications.ts b/rust/vetkeys/password_manager/frontend/src/store/notifications.ts
new file mode 100644
index 000000000..d87630153
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/store/notifications.ts
@@ -0,0 +1,30 @@
+import { writable } from "svelte/store";
+
+export interface Notification {
+    type: "error" | "info" | "success";
+    message: string;
+    id: number;
+}
+
+export type NewNotification = Omit<Notification, "id">;
+
+let nextId = 0;
+
+export const notifications = writable<Notification[]>([]);
+
+export function addNotification(notification: NewNotification, timeout = 2000) {
+    const id = nextId++;
+
+    notifications.update(($n) => [...$n, { ...notification, id }]);
+
+    setTimeout(() => {
+        notifications.update(($n) => $n.filter((n) => n.id != id));
+    }, timeout);
+}
+
+export function showError(e: Error, message: string): never {
+    addNotification({ type: "error", message });
+    console.error(e);
+    console.error(e.stack);
+    throw e;
+}
diff --git a/rust/vetkeys/password_manager/frontend/src/store/vaults.ts b/rust/vetkeys/password_manager/frontend/src/store/vaults.ts
new file mode 100644
index 000000000..0abfadf65
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/store/vaults.ts
@@ -0,0 +1,166 @@
+import { writable } from "svelte/store";
+import { passwordFromContent, type PasswordModel } from "../lib/password";
+import { vaultFromContent, type VaultModel } from "../lib/vault";
+import { auth } from "./auth";
+import { showError } from "./notifications";
+import {
+    type AccessRights,
+    EncryptedMaps,
+} from "@dfinity/vetkeys/encrypted_maps";
+import type { Principal } from "@dfinity/principal";
+
+export const vaultsStore = writable<
+    | {
+          state: "uninitialized";
+      }
+    | {
+          state: "loading";
+      }
+    | {
+          state: "loaded";
+          list: VaultModel[];
+      }
+    | {
+          state: "error";
+      }
+>({ state: "uninitialized" });
+
+let vaultPollerHandle: ReturnType<typeof setInterval> | null;
+
+function updateVaults(vaults: VaultModel[]) {
+    vaultsStore.set({
+        state: "loaded",
+        list: vaults,
+    });
+}
+
+export async function refreshVaults(encryptedMaps: EncryptedMaps) {
+    const allMaps = await encryptedMaps.getAllAccessibleMaps();
+    const vaults = allMaps.map((mapData) => {
+        const vaultName = new TextDecoder().decode(mapData.mapName);
+        const passwords = new Array<[string, PasswordModel]>();
+        for (const [passwordNameBytes, data] of mapData.keyvals) {
+            const passwordName = new TextDecoder().decode(passwordNameBytes);
+            const passwordContent = new TextDecoder().decode(
+                Uint8Array.from(data),
+            );
+            const password = passwordFromContent(
+                mapData.mapOwner,
+                vaultName,
+                passwordName,
+                passwordContent,
+            );
+            passwords.push([passwordName, password]);
+        }
+        return vaultFromContent(
+            mapData.mapOwner,
+            vaultName,
+            passwords,
+            mapData.accessControl,
+        );
+    });
+
+    updateVaults(vaults);
+}
+
+export async function addPassword(
+    password: PasswordModel,
+    encryptedMaps: EncryptedMaps,
+) {
+    await encryptedMaps.setValue(
+        password.owner,
+        new TextEncoder().encode(password.parentVaultName),
+        new TextEncoder().encode(password.passwordName),
+        new TextEncoder().encode(password.content),
+    );
+}
+
+export async function removePassword(
+    password: PasswordModel,
+    encryptedMaps: EncryptedMaps,
+) {
+    await encryptedMaps.removeEncryptedValue(
+        password.owner,
+        new TextEncoder().encode(password.parentVaultName),
+        new TextEncoder().encode(password.passwordName),
+    );
+}
+
+export async function updatePassword(
+    password: PasswordModel,
+    encryptedMaps: EncryptedMaps,
+) {
+    await encryptedMaps.setValue(
+        password.owner,
+        new TextEncoder().encode(password.parentVaultName),
+        new TextEncoder().encode(password.passwordName),
+        new TextEncoder().encode(password.content),
+    );
+}
+
+export async function addUser(
+    owner: Principal,
+    vaultName: string,
+    user: Principal,
+    userRights: AccessRights,
+    encryptedMaps: EncryptedMaps,
+) {
+    await encryptedMaps.setUserRights(
+        owner,
+        new TextEncoder().encode(vaultName),
+        user,
+        userRights,
+    );
+}
+
+export async function removeUser(
+    owner: Principal,
+    vaultName: string,
+    user: Principal,
+    encryptedMaps: EncryptedMaps,
+) {
+    await encryptedMaps.removeUser(
+        owner,
+        new TextEncoder().encode(vaultName),
+        user,
+    );
+}
+
+auth.subscribe((auth) => {
+    void (async () => {
+        if (auth && auth.state === "initialized") {
+            if (vaultPollerHandle !== null) {
+                clearInterval(vaultPollerHandle);
+                vaultPollerHandle = null;
+            }
+
+            vaultsStore.set({
+                state: "loading",
+            });
+            try {
+                await refreshVaults(auth.encryptedMaps).catch((e: Error) =>
+                    showError(e, "Could not poll vaults."),
+                );
+
+                vaultPollerHandle = setInterval(() => {
+                    void (async () => {
+                        await refreshVaults(auth.encryptedMaps).catch(
+                            (e: Error) =>
+                                showError(e, "Could not poll vaults."),
+                        );
+                    });
+                }, 3000);
+            } catch {
+                vaultsStore.set({
+                    state: "error",
+                });
+            }
+        } else if (auth.state === "anonymous" && vaultPollerHandle !== null) {
+            clearInterval(vaultPollerHandle);
+            vaultPollerHandle = null;
+            vaultsStore.set({
+                state: "uninitialized",
+            });
+        }
+    })();
+});
diff --git a/rust/vetkeys/password_manager/frontend/src/vite-env.d.ts b/rust/vetkeys/password_manager/frontend/src/vite-env.d.ts
new file mode 100644
index 000000000..4078e7476
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/src/vite-env.d.ts
@@ -0,0 +1,2 @@
+/// <reference types="svelte" />
+/// <reference types="vite/client" />
diff --git a/rust/vetkeys/password_manager/frontend/svelte.config.js b/rust/vetkeys/password_manager/frontend/svelte.config.js
new file mode 100644
index 000000000..b0683fd24
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/svelte.config.js
@@ -0,0 +1,7 @@
+import { vitePreprocess } from '@sveltejs/vite-plugin-svelte'
+
+export default {
+  // Consult https://svelte.dev/docs#compile-time-svelte-preprocess
+  // for more information about preprocessors
+  preprocess: vitePreprocess(),
+}
diff --git a/rust/vetkeys/password_manager/frontend/tailwind.config.cjs b/rust/vetkeys/password_manager/frontend/tailwind.config.cjs
new file mode 100644
index 000000000..4bcec2567
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/tailwind.config.cjs
@@ -0,0 +1,6 @@
+import daisyui from "daisyui";
+
+export default {
+    content: ["./index.html", "./src/**/*.{svelte,js,ts,jsx,tsx}"],
+    plugins: [daisyui],
+};
diff --git a/rust/vetkeys/password_manager/frontend/tsconfig.json b/rust/vetkeys/password_manager/frontend/tsconfig.json
new file mode 100644
index 000000000..2f9865d46
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/tsconfig.json
@@ -0,0 +1,25 @@
+{
+    "extends": "@tsconfig/svelte/tsconfig.json",
+    "compilerOptions": {
+      "target": "ES2020",
+      "useDefineForClassFields": true,
+      "module": "ES2020",
+      "lib": [
+        "ES2020",
+        "DOM",
+        "DOM.Iterable"
+      ],
+      "skipLibCheck": true,
+      /* Bundler mode */
+      "moduleResolution": "bundler",
+      "allowImportingTsExtensions": true,
+      "isolatedModules": true,
+      "moduleDetection": "force",
+      "noEmit": true,
+      "noUncheckedSideEffectImports": true
+    },
+    "include": [
+      "src"
+    ]
+  }
+  
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/frontend/vite.config.ts b/rust/vetkeys/password_manager/frontend/vite.config.ts
new file mode 100644
index 000000000..811003329
--- /dev/null
+++ b/rust/vetkeys/password_manager/frontend/vite.config.ts
@@ -0,0 +1,44 @@
+import { defineConfig } from 'vite'
+import { svelte } from '@sveltejs/vite-plugin-svelte'
+import tailwindcss from 'tailwindcss'
+import autoprefixer from "autoprefixer";
+import css from 'rollup-plugin-css-only';
+import typescript from '@rollup/plugin-typescript';
+import environment from 'vite-plugin-environment';
+import path from 'path';
+
+// https://vite.dev/config/
+export default defineConfig({
+  plugins: [
+    svelte(),
+    css({ output: "bundle.css" }),
+    typescript({
+      inlineSources: true,
+    }),
+    environment("all", { prefix: "CANISTER_" }),
+    environment("all", { prefix: "DFX_" }),
+  ],
+  css: {
+    postcss: {
+      plugins: [autoprefixer(), tailwindcss()],
+    }
+  },
+  build: {
+    sourcemap: true,
+    rollupOptions: {
+      output: {
+        inlineDynamicImports: true,
+      },
+    },
+  },
+  resolve: {
+    alias: {
+      'ic_vetkeys': path.resolve(__dirname, '../../../frontend/ic_vetkeys/src'),
+      'ic_vetkeys/encrypted_maps': path.resolve(__dirname, '../../../frontend/ic_vetkeys/src/encrypted_maps'),
+    }
+  },
+  root: "./",
+  server: {
+    hmr: false
+  }
+})
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/motoko/backend/.prettierrc b/rust/vetkeys/password_manager/motoko/backend/.prettierrc
new file mode 100644
index 000000000..a42bc32c3
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/.prettierrc
@@ -0,0 +1,8 @@
+{
+    "overrides": [{
+      "files": "*.mo",
+      "options": {
+        "tabWidth": 4
+      }
+    }]
+  }
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/motoko/backend/Makefile b/rust/vetkeys/password_manager/motoko/backend/Makefile
new file mode 100644
index 000000000..ffaeb9642
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/Makefile
@@ -0,0 +1,14 @@
+PWD:=$(shell pwd)
+
+.PHONY: compile-wasm
+.SILENT: compile-wasm
+compile-wasm:
+	icp build
+
+# Test the APIs of this canister using the respective Rust canister tests.
+# This has the advantage that the tests are consistent (less room for bugs by having only one implementation of the tests) and the checked expected behavior is consistent across Rust and Motoko.
+.PHONY: test
+.SILENT: test
+test: compile-wasm
+	@echo "Testing Motoko canister WASM: $(PWD)/.icp/cache/artifacts/ic_vetkeys_encrypted_maps_canister"
+	CUSTOM_WASM_PATH=$(PWD)/.icp/cache/artifacts/ic_vetkeys_encrypted_maps_canister cargo test -p ic-vetkeys-encrypted-maps-canister
diff --git a/rust/vetkeys/password_manager/motoko/backend/README.md b/rust/vetkeys/password_manager/motoko/backend/README.md
new file mode 100644
index 000000000..71f0ac924
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/README.md
@@ -0,0 +1,7 @@
+# ic-vetkeys-encrypted-maps-canister
+
+The canister implemented in this folder directly exposes the methods of the encrypted maps.
+This is useful for:
+
+1. running canister tests
+2. implementing dapps that only require encrypted maps
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/motoko/backend/icp.yaml b/rust/vetkeys/password_manager/motoko/backend/icp.yaml
new file mode 100644
index 000000000..b4101fe9c
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/icp.yaml
@@ -0,0 +1,7 @@
+canisters:
+  - name: ic_vetkeys_encrypted_maps_canister
+    recipe:
+      type: "@dfinity/motoko@v4.1.0"
+      configuration:
+        main: src/Main.mo
+        args: --enhanced-orthogonal-persistence
diff --git a/rust/vetkeys/password_manager/motoko/backend/mops.toml b/rust/vetkeys/password_manager/motoko/backend/mops.toml
new file mode 100644
index 000000000..8cc38c25d
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/mops.toml
@@ -0,0 +1,16 @@
+[toolchain]
+moc = "1.5.0"
+
+[package]
+name = "ic-vetkeys-encrypted-maps-canister"
+version = "0.1.0"
+repository = "https://github.com/dfinity/vetkeys/backend/mo/canisters/ic_vetkeys_encrypted_maps_canister"
+keywords = [
+  "vetkeys,vetkd,encryption,privacy,signature,BLS,key ",
+  "derivation,IBE"
+]
+license = "Apache-2.0"
+
+[dependencies]
+base = "0.14.6"
+ic-vetkeys = "0.4.0"
diff --git a/rust/vetkeys/password_manager/motoko/backend/src/Main.mo b/rust/vetkeys/password_manager/motoko/backend/src/Main.mo
new file mode 100644
index 000000000..ad0c468bf
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/backend/src/Main.mo
@@ -0,0 +1,221 @@
+import IcVetkeys "mo:ic-vetkeys";
+import Types "mo:ic-vetkeys/Types";
+import Principal "mo:base/Principal";
+import Text "mo:base/Text";
+import Blob "mo:base/Blob";
+import Result "mo:base/Result";
+import Array "mo:base/Array";
+
+persistent actor class (keyName : Text) {
+    let encryptedMapsState = IcVetkeys.EncryptedMaps.newEncryptedMapsState<Types.AccessRights>({ curve = #bls12_381_g2; name = keyName }, "password_manager_example_dapp");
+    transient let encryptedMaps = IcVetkeys.EncryptedMaps.EncryptedMaps<Types.AccessRights>(encryptedMapsState, Types.accessRightsOperations());
+
+    /// In this canister, we use the `ByteBuf` type to represent blobs. The reason is that we want to be consistent with the Rust canister implementation.
+    /// Unfortunately, the `Blob` type cannot be serialized/deserialized in the current Rust implementation efficiently without nesting it in another type.
+    public type ByteBuf = { inner : Blob };
+
+    public type EncryptedMapData = {
+        map_owner : Principal;
+        map_name : ByteBuf;
+        keyvals : [(ByteBuf, ByteBuf)];
+        access_control : [(Principal, Types.AccessRights)];
+    };
+
+    /// The result type compatible with Rust's `Result`.
+    public type Result<Ok, Err> = {
+        #Ok : Ok;
+        #Err : Err;
+    };
+
+    public query (msg) func get_accessible_shared_map_names() : async [(Principal, ByteBuf)] {
+        Array.map<(Principal, Blob), (Principal, ByteBuf)>(
+            encryptedMaps.getAccessibleSharedMapNames(msg.caller),
+
+            func((principal, blob) : (Principal, Blob)) {
+                (principal, { inner = blob });
+            },
+        );
+    };
+
+    public query (msg) func get_shared_user_access_for_map(
+        map_owner : Principal,
+        map_name : ByteBuf,
+    ) : async Result<[(Principal, Types.AccessRights)], Text> {
+        convertResult(encryptedMaps.getSharedUserAccessForMap(msg.caller, (map_owner, map_name.inner)));
+    };
+
+    public query (msg) func get_encrypted_values_for_map(
+        map_owner : Principal,
+        map_name : ByteBuf,
+    ) : async Result<[(ByteBuf, ByteBuf)], Text> {
+        let result = encryptedMaps.getEncryptedValuesForMap(msg.caller, (map_owner, map_name.inner));
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(values)) {
+                #Ok(
+                    Array.map<(Blob, Blob), (ByteBuf, ByteBuf)>(
+                        values,
+                        func((blob1, blob2) : (Blob, Blob)) {
+                            ({ inner = blob1 }, { inner = blob2 });
+                        },
+                    )
+                );
+            };
+        };
+    };
+
+    public query (msg) func get_all_accessible_encrypted_values() : async [((Principal, ByteBuf), [(ByteBuf, ByteBuf)])] {
+        Array.map<((Principal, Blob), [(Blob, Blob)]), ((Principal, ByteBuf), [(ByteBuf, ByteBuf)])>(
+            encryptedMaps.getAllAccessibleEncryptedValues(msg.caller),
+            func(((owner, map_name), values) : ((Principal, Blob), [(Blob, Blob)])) {
+                (
+                    (owner, { inner = map_name }),
+                    Array.map<(Blob, Blob), (ByteBuf, ByteBuf)>(
+                        values,
+                        func((blob1, blob2) : (Blob, Blob)) {
+                            ({ inner = blob1 }, { inner = blob2 });
+                        },
+                    ),
+                );
+            },
+        );
+    };
+
+    public query (msg) func get_all_accessible_encrypted_maps() : async [EncryptedMapData] {
+        Array.map<IcVetkeys.EncryptedMaps.EncryptedMapData<Types.AccessRights>, EncryptedMapData>(
+            encryptedMaps.getAllAccessibleEncryptedMaps(msg.caller),
+            func(map : IcVetkeys.EncryptedMaps.EncryptedMapData<Types.AccessRights>) : EncryptedMapData {
+                {
+                    map_owner = map.map_owner;
+                    map_name = { inner = map.map_name };
+                    keyvals = Array.map<(Blob, Blob), (ByteBuf, ByteBuf)>(
+                        map.keyvals,
+                        func((blob1, blob2) : (Blob, Blob)) {
+                            ({ inner = blob1 }, { inner = blob2 });
+                        },
+                    );
+                    access_control = map.access_control;
+                };
+            },
+        );
+    };
+
+    public query (msg) func get_encrypted_value(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        map_key : ByteBuf,
+    ) : async Result<?ByteBuf, Text> {
+        let result = encryptedMaps.getEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(null)) { #Ok(null) };
+            case (#ok(?blob)) { #Ok(?{ inner = blob }) };
+        };
+    };
+
+    public shared (msg) func remove_map_values(
+        map_owner : Principal,
+        map_name : ByteBuf,
+    ) : async Result<[ByteBuf], Text> {
+        let result = encryptedMaps.removeMapValues(msg.caller, (map_owner, map_name.inner));
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(values)) {
+                #Ok(
+                    Array.map<Blob, ByteBuf>(
+                        values,
+                        func(blob : Blob) : ByteBuf {
+                            { inner = blob };
+                        },
+                    )
+                );
+            };
+        };
+    };
+
+    public query (msg) func get_owned_non_empty_map_names() : async [ByteBuf] {
+        Array.map<Blob, ByteBuf>(
+            encryptedMaps.getOwnedNonEmptyMapNames(msg.caller),
+            func(blob : Blob) : ByteBuf {
+                { inner = blob };
+            },
+        );
+    };
+
+    public shared (msg) func insert_encrypted_value(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        map_key : ByteBuf,
+        value : ByteBuf,
+    ) : async Result<?ByteBuf, Text> {
+        let result = encryptedMaps.insertEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner, value.inner);
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(null)) { #Ok(null) };
+            case (#ok(?blob)) { #Ok(?{ inner = blob }) };
+        };
+    };
+
+    public shared (msg) func remove_encrypted_value(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        map_key : ByteBuf,
+    ) : async Result<?ByteBuf, Text> {
+        let result = encryptedMaps.removeEncryptedValue(msg.caller, (map_owner, map_name.inner), map_key.inner);
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(null)) { #Ok(null) };
+            case (#ok(?blob)) { #Ok(?{ inner = blob }) };
+        };
+    };
+
+    public shared func get_vetkey_verification_key() : async ByteBuf {
+        let inner = await encryptedMaps.getVetkeyVerificationKey();
+        { inner };
+    };
+
+    public shared (msg) func get_encrypted_vetkey(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        transport_key : ByteBuf,
+    ) : async Result<ByteBuf, Text> {
+        let result = await encryptedMaps.getEncryptedVetkey(msg.caller, (map_owner, map_name.inner), transport_key.inner);
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(vetkey)) { #Ok({ inner = vetkey }) };
+        };
+    };
+
+    public query (msg) func get_user_rights(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        user : Principal,
+    ) : async Result<?Types.AccessRights, Text> {
+        convertResult(encryptedMaps.getUserRights(msg.caller, (map_owner, map_name.inner), user));
+    };
+
+    public shared (msg) func set_user_rights(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        user : Principal,
+        access_rights : Types.AccessRights,
+    ) : async Result<?Types.AccessRights, Text> {
+        convertResult(encryptedMaps.setUserRights(msg.caller, (map_owner, map_name.inner), user, access_rights));
+    };
+
+    public shared (msg) func remove_user(
+        map_owner : Principal,
+        map_name : ByteBuf,
+        user : Principal,
+    ) : async Result<?Types.AccessRights, Text> {
+        convertResult(encryptedMaps.removeUser(msg.caller, (map_owner, map_name.inner), user));
+    };
+
+    /// Convert to the result type compatible with Rust's `Result`
+    private func convertResult<Ok, Err>(result : Result.Result<Ok, Err>) : Result<Ok, Err> {
+        switch (result) {
+            case (#err(e)) { #Err(e) };
+            case (#ok(o)) { #Ok(o) };
+        };
+    };
+};
diff --git a/rust/vetkeys/password_manager/motoko/dfx.json b/rust/vetkeys/password_manager/motoko/dfx.json
new file mode 100644
index 000000000..3118676e7
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/dfx.json
@@ -0,0 +1,37 @@
+{
+  "canisters": {
+    "ic_vetkeys_encrypted_maps_canister": {
+      "main": "backend/src/Main.mo",
+      "type": "motoko",
+      "args": "--enhanced-orthogonal-persistence",
+      "init_arg": "(\"test_key_1\")"
+    },
+    "internet-identity": {
+      "candid": "https://github.com/dfinity/internet-identity/releases/download/release-2026-03-16/internet_identity.did",
+      "type": "custom",
+      "specified_id": "rdmx6-jaaaa-aaaaa-aaadq-cai",
+      "remote": {
+      "id": {
+          "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
+        }
+      },
+      "wasm": "https://github.com/dfinity/internet-identity/releases/download/release-2026-03-16/internet_identity_dev.wasm.gz"
+    },
+    "www": {
+      "dependencies": ["ic_vetkeys_encrypted_maps_canister", "internet-identity"],
+      "build": ["cd frontend && npm i --include=dev && npm run build && cd - && rm -r dist > /dev/null 2>&1; mv frontend/dist ./"],
+      "frontend": {
+        "entrypoint": "dist/index.html"
+      },
+      "source": ["dist/"],
+      "type": "assets",
+      "output_env_file": "frontend/.env"
+    }
+  },
+  "defaults": {
+    "build": {
+      "packtool": "npx ic-mops sources",
+      "args": ""
+    }
+  }
+}
diff --git a/rust/vetkeys/password_manager/motoko/frontend b/rust/vetkeys/password_manager/motoko/frontend
new file mode 120000
index 000000000..af288785f
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/frontend
@@ -0,0 +1 @@
+../frontend
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/motoko/mops.toml b/rust/vetkeys/password_manager/motoko/mops.toml
new file mode 100644
index 000000000..593456675
--- /dev/null
+++ b/rust/vetkeys/password_manager/motoko/mops.toml
@@ -0,0 +1,13 @@
+[package]
+name = "ic-vetkeys-encrypted-maps-canister"
+version = "0.1.0"
+repository = "https://github.com/dfinity/vetkeys/examples/password_manager/motoko"
+keywords = [
+  "vetkeys,vetkd,encryption,privacy,signature,BLS,key ",
+  "derivation,IBE"
+]
+license = "Apache-2.0"
+
+[dependencies]
+base = "0.14.6"
+ic-vetkeys = "0.4.0"
diff --git a/rust/vetkeys/password_manager/rust/Cargo.toml b/rust/vetkeys/password_manager/rust/Cargo.toml
new file mode 100644
index 000000000..0169acf9f
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/Cargo.toml
@@ -0,0 +1,13 @@
+[workspace]
+members = ["backend"]
+resolver = "2"
+
+[workspace.dependencies]
+ic-cdk = "0.19.0"
+ic-stable-structures = "0.7.0"
+ic-vetkeys = "0.6.0"
+
+[profile.release]
+lto = true
+opt-level = 'z'
+panic = 'abort'
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/rust/backend/Cargo.toml b/rust/vetkeys/password_manager/rust/backend/Cargo.toml
new file mode 100644
index 000000000..cb662f05f
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/backend/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "ic-vetkeys-encrypted-maps-canister"
+authors = ["DFINITY Stiftung"]
+version = "0.1.0"
+edition = "2021"
+license = "Apache-2.0"
+description = "# Basic Identity Based Encryption"
+repository = "https://github.com/dfinity/vetkeys"
+rust-version = "1.85.0"
+
+[lib]
+path = "src/lib.rs"
+crate-type = ["cdylib"]
+
+[dependencies]
+candid = "0.10.2"
+ic-cdk = { workspace = true }
+ic-dummy-getrandom-for-wasm = "0.1.0"
+ic-stable-structures = { workspace = true }
+ic-vetkeys = { workspace = true }
+serde = "1.0.217"
+
+[dev-dependencies]
+assert_matches = "1.5.0"
+pocket-ic = "9.0.0"
+rand = "0.8.5"
+rand_chacha = "0.3.1"
+reqwest = "0.12.12"
+strum = "0.27.1"
diff --git a/rust/vetkeys/password_manager/rust/backend/Makefile b/rust/vetkeys/password_manager/rust/backend/Makefile
new file mode 100644
index 000000000..b6dc7595e
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/backend/Makefile
@@ -0,0 +1,22 @@
+ROOT_DIR := $(shell git rev-parse --show-toplevel)
+
+.PHONY: compile-wasm
+.SILENT: compile-wasm
+compile-wasm:
+	cargo build --release --target wasm32-unknown-unknown
+
+.PHONY: test
+.SILENT: test
+test: compile-wasm
+	cargo test -p ic-vetkeys-encrypted-maps-canister
+
+.PHONY: extract-candid
+.SILENT: extract-candid
+extract-candid: compile-wasm
+	candid-extractor $(ROOT_DIR)/target/wasm32-unknown-unknown/release/ic_vetkeys_encrypted_maps_canister.wasm > ic_vetkeys_encrypted_maps_canister.did
+
+.PHONY: clean
+.SILENT: clean
+clean:
+	cargo clean
+	rm -rf .icp/cache
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/rust/backend/README.md b/rust/vetkeys/password_manager/rust/backend/README.md
new file mode 100644
index 000000000..71f0ac924
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/backend/README.md
@@ -0,0 +1,7 @@
+# ic-vetkeys-encrypted-maps-canister
+
+The canister implemented in this folder directly exposes the methods of the encrypted maps.
+This is useful for:
+
+1. running canister tests
+2. implementing dapps that only require encrypted maps
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/rust/backend/ic_vetkeys_encrypted_maps_canister.did b/rust/vetkeys/password_manager/rust/backend/ic_vetkeys_encrypted_maps_canister.did
new file mode 100644
index 000000000..f30499fd1
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/backend/ic_vetkeys_encrypted_maps_canister.did
@@ -0,0 +1,41 @@
+type AccessRights = variant { Read; ReadWrite; ReadWriteManage };
+type ByteBuf = record { inner : blob };
+type EncryptedMapData = record {
+  access_control : vec record { principal; AccessRights };
+  keyvals : vec record { ByteBuf; ByteBuf };
+  map_name : ByteBuf;
+  map_owner : principal;
+};
+type Result = variant { Ok : opt ByteBuf; Err : text };
+type Result_1 = variant { Ok : vec record { ByteBuf; ByteBuf }; Err : text };
+type Result_2 = variant { Ok : ByteBuf; Err : text };
+type Result_3 = variant {
+  Ok : vec record { principal; AccessRights };
+  Err : text;
+};
+type Result_4 = variant { Ok : opt AccessRights; Err : text };
+type Result_5 = variant { Ok : vec ByteBuf; Err : text };
+service : (text) -> {
+  get_accessible_shared_map_names : () -> (
+      vec record { principal; ByteBuf },
+    ) query;
+  get_all_accessible_encrypted_maps : () -> (vec EncryptedMapData) query;
+  get_all_accessible_encrypted_values : () -> (
+      vec record {
+        record { principal; ByteBuf };
+        vec record { ByteBuf; ByteBuf };
+      },
+    ) query;
+  get_encrypted_value : (principal, ByteBuf, ByteBuf) -> (Result) query;
+  get_encrypted_values_for_map : (principal, ByteBuf) -> (Result_1) query;
+  get_encrypted_vetkey : (principal, ByteBuf, ByteBuf) -> (Result_2);
+  get_owned_non_empty_map_names : () -> (vec ByteBuf) query;
+  get_shared_user_access_for_map : (principal, ByteBuf) -> (Result_3) query;
+  get_user_rights : (principal, ByteBuf, principal) -> (Result_4) query;
+  get_vetkey_verification_key : () -> (ByteBuf);
+  insert_encrypted_value : (principal, ByteBuf, ByteBuf, ByteBuf) -> (Result);
+  remove_encrypted_value : (principal, ByteBuf, ByteBuf) -> (Result);
+  remove_map_values : (principal, ByteBuf) -> (Result_5);
+  remove_user : (principal, ByteBuf, principal) -> (Result_4);
+  set_user_rights : (principal, ByteBuf, principal, AccessRights) -> (Result_4);
+}
diff --git a/rust/vetkeys/password_manager/rust/backend/src/lib.rs b/rust/vetkeys/password_manager/rust/backend/src/lib.rs
new file mode 100644
index 000000000..ee4034817
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/backend/src/lib.rs
@@ -0,0 +1,298 @@
+use std::cell::RefCell;
+
+use candid::Principal;
+use ic_cdk::management_canister::{VetKDCurve, VetKDKeyId};
+use ic_cdk::{init, query, update};
+use ic_stable_structures::memory_manager::{MemoryId, MemoryManager, VirtualMemory};
+use ic_stable_structures::storable::Blob;
+use ic_stable_structures::DefaultMemoryImpl;
+use ic_vetkeys::encrypted_maps::{EncryptedMapData, EncryptedMaps, VetKey, VetKeyVerificationKey};
+use ic_vetkeys::types::{AccessRights, ByteBuf, EncryptedMapValue, TransportKey};
+
+type Memory = VirtualMemory<DefaultMemoryImpl>;
+type MapId = (Principal, ByteBuf);
+
+thread_local! {
+    static MEMORY_MANAGER: RefCell<MemoryManager<DefaultMemoryImpl>> =
+        RefCell::new(MemoryManager::init(DefaultMemoryImpl::default()));
+    static ENCRYPTED_MAPS: RefCell<Option<EncryptedMaps<AccessRights>>> =
+        const { RefCell::new(None) };
+}
+
+#[init]
+fn init(key_name: String) {
+    let key_id = VetKDKeyId {
+        curve: VetKDCurve::Bls12_381_G2,
+        name: key_name,
+    };
+    ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps.replace(EncryptedMaps::init(
+            "encrypted_maps_dapp",
+            key_id,
+            id_to_memory(0),
+            id_to_memory(1),
+            id_to_memory(2),
+            id_to_memory(3),
+        ))
+    });
+}
+
+#[query]
+fn get_accessible_shared_map_names() -> Vec<(Principal, ByteBuf)> {
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_accessible_shared_map_names(ic_cdk::api::msg_caller())
+            .into_iter()
+            .map(|map_id| (map_id.0, ByteBuf::from(map_id.1.as_ref().to_vec())))
+            .collect()
+    })
+}
+
+#[query]
+fn get_shared_user_access_for_map(
+    key_owner: Principal,
+    key_name: ByteBuf,
+) -> Result<Vec<(Principal, AccessRights)>, String> {
+    let key_name = bytebuf_to_blob(key_name)?;
+    let key_id = (key_owner, key_name);
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_shared_user_access_for_map(ic_cdk::api::msg_caller(), key_id)
+    })
+}
+
+#[query]
+fn get_encrypted_values_for_map(
+    map_owner: Principal,
+    map_name: ByteBuf,
+) -> Result<Vec<(ByteBuf, EncryptedMapValue)>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    let result = ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_encrypted_values_for_map(ic_cdk::api::msg_caller(), map_id)
+    });
+    result.map(|map_values| {
+        map_values
+            .into_iter()
+            .map(|(key, value)| (ByteBuf::from(key.as_slice().to_vec()), value))
+            .collect()
+    })
+}
+
+#[query]
+fn get_all_accessible_encrypted_values() -> Vec<(MapId, Vec<(ByteBuf, EncryptedMapValue)>)> {
+    ENCRYPTED_MAPS
+        .with_borrow(|encrypted_maps| {
+            encrypted_maps
+                .as_ref()
+                .unwrap()
+                .get_all_accessible_encrypted_values(ic_cdk::api::msg_caller())
+        })
+        .into_iter()
+        .map(|((owner, map_name), encrypted_values)| {
+            (
+                (owner, ByteBuf::from(map_name.as_ref().to_vec())),
+                encrypted_values
+                    .into_iter()
+                    .map(|(key, value)| (ByteBuf::from(key.as_ref().to_vec()), value))
+                    .collect(),
+            )
+        })
+        .collect()
+}
+
+#[query]
+fn get_all_accessible_encrypted_maps() -> Vec<EncryptedMapData<AccessRights>> {
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_all_accessible_encrypted_maps(ic_cdk::api::msg_caller())
+    })
+}
+
+#[query]
+fn get_encrypted_value(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    map_key: ByteBuf,
+) -> Result<Option<EncryptedMapValue>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps.as_ref().unwrap().get_encrypted_value(
+            ic_cdk::api::msg_caller(),
+            map_id,
+            bytebuf_to_blob(map_key)?,
+        )
+    })
+}
+
+#[update]
+fn remove_map_values(
+    map_owner: Principal,
+    map_name: ByteBuf,
+) -> Result<Vec<EncryptedMapValue>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    let result = ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps
+            .as_mut()
+            .unwrap()
+            .remove_map_values(ic_cdk::api::msg_caller(), map_id)
+    });
+    result.map(|removed| {
+        removed
+            .into_iter()
+            .map(|key| ByteBuf::from(key.as_ref().to_vec()))
+            .collect()
+    })
+}
+
+#[query]
+fn get_owned_non_empty_map_names() -> Vec<ByteBuf> {
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_owned_non_empty_map_names(ic_cdk::api::msg_caller())
+            .into_iter()
+            .map(|map_name| ByteBuf::from(map_name.as_slice().to_vec()))
+            .collect()
+    })
+}
+
+#[update]
+fn insert_encrypted_value(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    map_key: ByteBuf,
+    value: EncryptedMapValue,
+) -> Result<Option<EncryptedMapValue>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps.as_mut().unwrap().insert_encrypted_value(
+            ic_cdk::api::msg_caller(),
+            map_id,
+            bytebuf_to_blob(map_key)?,
+            value,
+        )
+    })
+}
+
+#[update]
+fn remove_encrypted_value(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    map_key: ByteBuf,
+) -> Result<Option<EncryptedMapValue>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps.as_mut().unwrap().remove_encrypted_value(
+            ic_cdk::api::msg_caller(),
+            map_id,
+            bytebuf_to_blob(map_key)?,
+        )
+    })
+}
+
+#[update]
+async fn get_vetkey_verification_key() -> VetKeyVerificationKey {
+    ENCRYPTED_MAPS
+        .with_borrow(|encrypted_maps| {
+            encrypted_maps
+                .as_ref()
+                .unwrap()
+                .get_vetkey_verification_key()
+        })
+        .await
+}
+
+#[update]
+async fn get_encrypted_vetkey(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    transport_key: TransportKey,
+) -> Result<VetKey, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    Ok(ENCRYPTED_MAPS
+        .with_borrow(|encrypted_maps| {
+            encrypted_maps.as_ref().unwrap().get_encrypted_vetkey(
+                ic_cdk::api::msg_caller(),
+                map_id,
+                transport_key,
+            )
+        })?
+        .await)
+}
+
+#[query]
+fn get_user_rights(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    user: Principal,
+) -> Result<Option<AccessRights>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow(|encrypted_maps| {
+        encrypted_maps
+            .as_ref()
+            .unwrap()
+            .get_user_rights(ic_cdk::api::msg_caller(), map_id, user)
+    })
+}
+
+#[update]
+fn set_user_rights(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    user: Principal,
+    access_rights: AccessRights,
+) -> Result<Option<AccessRights>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps.as_mut().unwrap().set_user_rights(
+            ic_cdk::api::msg_caller(),
+            map_id,
+            user,
+            access_rights,
+        )
+    })
+}
+
+#[update]
+fn remove_user(
+    map_owner: Principal,
+    map_name: ByteBuf,
+    user: Principal,
+) -> Result<Option<AccessRights>, String> {
+    let map_name = bytebuf_to_blob(map_name)?;
+    let map_id = (map_owner, map_name);
+    ENCRYPTED_MAPS.with_borrow_mut(|encrypted_maps| {
+        encrypted_maps
+            .as_mut()
+            .unwrap()
+            .remove_user(ic_cdk::api::msg_caller(), map_id, user)
+    })
+}
+
+fn bytebuf_to_blob(buf: ByteBuf) -> Result<Blob<32>, String> {
+    Blob::try_from(buf.as_ref()).map_err(|_| "too large input".to_string())
+}
+
+fn id_to_memory(id: u8) -> Memory {
+    MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(id)))
+}
+
+ic_cdk::export_candid!();
diff --git a/rust/vetkeys/password_manager/rust/dfx.json b/rust/vetkeys/password_manager/rust/dfx.json
new file mode 100644
index 000000000..356bdb3f5
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/dfx.json
@@ -0,0 +1,31 @@
+{
+  "canisters": {
+    "ic_vetkeys_encrypted_maps_canister": {
+      "candid": "backend/ic_vetkeys_encrypted_maps_canister.did",
+      "package": "ic-vetkeys-encrypted-maps-canister",
+      "type": "rust",
+      "init_arg": "(\"test_key_1\")"
+    },
+    "internet-identity": {
+      "candid": "https://github.com/dfinity/internet-identity/releases/download/release-2026-03-16/internet_identity.did",
+      "type": "custom",
+      "specified_id": "rdmx6-jaaaa-aaaaa-aaadq-cai",
+      "remote": {
+      "id": {
+          "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
+        }
+      },
+      "wasm": "https://github.com/dfinity/internet-identity/releases/download/release-2026-03-16/internet_identity_dev.wasm.gz"
+    },
+    "www": {
+      "dependencies": ["ic_vetkeys_encrypted_maps_canister", "internet-identity"],
+      "build": ["cd frontend && npm i --include=dev && npm run build && cd - && rm -r dist > /dev/null 2>&1; mv frontend/dist ./"],
+      "frontend": {
+        "entrypoint": "dist/index.html"
+      },
+      "source": ["dist/"],
+      "type": "assets",
+      "output_env_file": "frontend/.env"
+    }
+  }
+}
diff --git a/rust/vetkeys/password_manager/rust/frontend b/rust/vetkeys/password_manager/rust/frontend
new file mode 120000
index 000000000..af288785f
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/frontend
@@ -0,0 +1 @@
+../frontend
\ No newline at end of file
diff --git a/rust/vetkeys/password_manager/rust/rust-toolchain.toml b/rust/vetkeys/password_manager/rust/rust-toolchain.toml
new file mode 100644
index 000000000..2a2058b04
--- /dev/null
+++ b/rust/vetkeys/password_manager/rust/rust-toolchain.toml
@@ -0,0 +1,4 @@
+[toolchain]
+channel = "1.88.0"
+targets = ["wasm32-unknown-unknown"]
+profile = "default"
\ No newline at end of file