Release 1.0.0
1Key 1.0.0 — a free, local-only Android password manager that doesn't ask for an account, an email, or the INTERNET
permission.
1Key is a password manager for Android that keeps your vault on your device and nowhere else. No sync server, no account, no
telemetry, no subscription tier hiding TOTP behind a paywall.
Highlights
- No account, no server, no INTERNET permission. The manifest doesn't request INTERNET at all. The app physically cannot phone home.
- Built-in TOTP alongside the password it protects, with a live 30-second countdown and one-tap copy. No second authenticator app, no premium tier.
- OCR credential capture via on-device ML Kit. Point the camera at a printed password and it pre-fills the form. Image never leaves the device.
- Importer for seven password managers (Google Passwords, LastPass, KeePass, Safari/iCloud, 1Password, Dashlane, NordPass). Auto-detects format and column headers.
- Encrypted V4 backups — Argon2id-derived key, AES-256-GCM, with the export timestamp and vault version counter bound into the auth tag so old backups can't be replayed against a newer vault.
- Tiered persistent lockouts that survive a process kill (3 / 5 / 10 wrong attempts trigger 30s / 5min / 1hr cooldowns).
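The tiered lockout from the last highlight, as an added Python example (not 1Key's code): the failure count and lock deadline are written to disk before each result is returned, so a restarted process sees the same cooldown. The state-file path, the wall-clock time source, the reset on success and the behaviour past ten failures are assumptions.

```python
import json, os, tempfile, time

# Tiers from the release notes: (wrong attempts, cooldown in seconds).
TIERS = [(3, 30), (5, 300), (10, 3600)]

def cooldown_for(failures):
    for threshold, cooldown in TIERS:
        if failures == threshold:
            return cooldown
    # Assumption: past the last tier, every further miss costs the top cooldown.
    return TIERS[-1][1] if failures > TIERS[-1][0] else 0

class LockoutStore:
    """Failure count and lock deadline live on disk, never only in memory."""

    def __init__(self, path, clock=time.time):
        # Assumption: wall-clock time; changing the device clock would skew it.
        self.path, self.clock = path, clock

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:  # first run; a corrupt file raises (fails closed)
            return {"failures": 0, "locked_until": 0.0}

    def _save(self, state):
        # Write then rename, so a kill mid-write cannot leave a truncated file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def remaining(self):
        return max(0.0, self._load()["locked_until"] - self.clock())

    def attempt(self, check):
        """check() verifies the secret; it is never called while locked."""
        state = self._load()
        if state["locked_until"] > self.clock():
            return "locked"
        if check():
            self._save({"failures": 0, "locked_until": 0.0})
            return "ok"
        state["failures"] += 1
        cooldown = cooldown_for(state["failures"])
        if cooldown:
            state["locked_until"] = self.clock() + cooldown
        self._save(state)
        return "wrong"
```

Passing the verifier as a callable means no key derivation runs during a cooldown, and creating a fresh `LockoutStore` on the same path models a process kill.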
Security and privacy posture
- Argon2id master-key derivation (m = 64 MiB, t = 3, p = 1)
- AES-256-GCM with HKDF-SHA256 subkey separation and per-field AAD bound to row + column
- Vault key wrapped by an Android Keystore key; verifier and PIN hash live in EncryptedSharedPreferences, so a stolen DB file alone is not offline-brute-forceable
- No INTERNET permission, no analytics, no crash reporting, no usage data
- FLAG_SECURE blocks screenshots and Recent Apps previews by default
- Encrypted V4 .1key backup envelope
Full architecture and threat model: https://roufsyed.github.io/1Key/whitepaper.html
Features
- Credentials with title, username, password, URL, notes, and custom fields
- Tag-based categories, favourites, full-text search across all fields
- TOTP / 2FA codes scanned from a QR
- OCR credential capture from camera
- Recycle bin (soft delete) with restore
- Biometric unlock backed by hardware-secure key, gated by master-password confirmation to enable
- 6-digit PIN unlock with 3-strike fallback to master password
- Background and inactivity auto-lock with configurable timers
- Optional periodic master-password recheck (48h / 3d / 1w / 3w)
- Encrypted .1key backup, plain CSV/JSON export
Install
Download 1Key_1_1.0.0_release.apk from the Assets below. Minimum Android 8.0 (API 26), target SDK 36.
Sideload:
- Download the APK to your phone.
- Open it from your file manager or browser downloads.
- Allow "Install unknown apps" for the source when prompted.
Verify the download:
shasum -a 256 1Key_1_1.0.0_release.apk
Expected SHA-256: [VERIFY: compute after signing]
Build from source
No API keys, no .env, no setup.
git clone https://github.com/roufsyed/1Key.git
cd 1Key
./gradlew assembleDebug
Requires Android Studio Hedgehog or later and JDK 17.
Known limits
- Single device only. No sync, by design.
- No account recovery. Lose the master password and the vault is unrecoverable — that's the trade-off for having no server.
- No third-party security audit yet. The crypto choices are documented; they have not been independently reviewed.
- Single-developer project. Response times on issues will reflect that.
Documentation
- White paper: https://roufsyed.github.io/1Key/whitepaper.html
- FAQ: https://roufsyed.github.io/1Key/FAQ.html
- Privacy policy: https://roufsyed.github.io/1Key/PRIVACY_POLICY.html
- Project site: https://roufsyed.github.io/1Key/
Licence and trademark
1Key is released under GPL-3.0. You can use, study, modify, and redistribute it under those terms.
The name "1Key", the wordmark, and the app icon are not under the GPL — see
TRADEMARKS.md. Forks must rebrand before redistributing.
What's next
- F-Droid distribution (planned)
- LAN sync over same-WiFi, master-password gated with a 4-digit short authentication string (designed, parked)
- Android Autofill integration (parked)