Show HN: AliasVault – Open-source password manager with built-in email aliases

(www.aliasvault.net)
28 points lanedirt | 8 comments | 14 Mar 25 13:59 UTC | HN request time: 2.08s | source | bottom

AliasVault (https://aliasvault.net) is an open-source, self-hostable, end-to-end encrypted password and (email) alias manager that protects your privacy by creating alternative identities, passwords and email addresses for every website you use. Keeping your personal information private.

My name is Lanedirt and I’m a software developer with over 15 years of experience and a privacy enthusiast. Since 2013, I've been running a public temporary email service (https://spamok.com), but I wanted to build something more privacy-centric and fully self-hostable. That's why I've spent the last year developing AliasVault from scratch. The idea behind AliasVault is simple: create unique, random identities for every website, protecting your privacy and reducing online tracking and profiling.

Key Features:

- Unique identities & passwords: Generate individual aliases and strong passwords for every site.

- Built-in email server: Create email aliases with your own domains, receive and read emails directly in AliasVault—no external dependencies.

- Zero-knowledge encryption: All data encrypted locally (using Argon2Id and AES-256-GCM); your master password never leaves your device.

- Flexible installation: Docker-based self-hosting, supports Linux VMs and ARM devices (like Raspberry Pi).

- Fully Open-source: Free to use, audit, modify, under the MIT license.

I've just released v0.14.0, which adds:

- Built-in support for Google Authenticator-compatible TOTP code generation.

- Official browser extensions now approved and live in Chrome, Firefox, Edge, Safari (macOS), and Brave app stores for easy access to your credentials, email aliases and allows for one-click alias creation.

Try the official supported cloud version: https://aliasvault.net

Github and quick self install guide: https://github.com/lanedirt/AliasVault

Full documentation including architecture: https://docs.aliasvault.net

I'd love to hear your feedback and suggestions, happy to answer any questions! Thanks for checking out AliasVault, I appreciate it a lot! :-)

1. out-of-ideas ◴[14 Mar 25 21:36 UTC] No.43367559[source]
> main restrictions: 1) Email aliases are receive-only, meaning you cannot send or reply to emails from your aliases

this part is a bummer but i do understand why; i feel it would be a huge improvement being able to do this if i were to self-host; especially if the headers make no use of "alias" or "sent on behalf of user X". (ive never been a fan of email addresses being 1:1 with usernames for public domains, a system that allows interchangeability on both would be a pretty big win, coupled with aliases, imo)

replies(1): >>43368568 #
2. lanedirt ◴[14 Mar 25 23:54 UTC] No.43368568[source]
Thanks for your feedback! Yes the primary reason for it being receive only right now is to combat spam. I am considering options where self-hosted users and cloud users (perhaps as a premium option) will be able to do this though.

One of the big challenges then would be that self hosting outgoing email servers has historically always been tricky thing in terms of email deliverability. A lot of big email providers block entire residential IP ranges, so more often than not emails tend to be delivered straight to spam.

But there are other options I’m considering such as being able to integrate AliasVault with external email servers (e.g. MS365 or Google) for both receiving and sending. Or leaving the receiving as-is but integrating with an external SMTP relay for email sending.

I’m actively working on improving AliasVault and iterating quickly, so all feedback is appreciated. :-)

replies(1): >>43368747 #
3. imcritic ◴[15 Mar 25 00:21 UTC] No.43368723[source]
I don't see any information about domains that are used for those email aliases.

Apart from that - the idea of the project is just pure fire, I would love very much to have thousands of different personas for the nasty tracking huge corporations that entangled the internet.

replies(2): >>43368807 #>>43371048 #
4. out-of-ideas ◴[15 Mar 25 00:25 UTC] No.43368747{3}[source]
> I am considering options where self-hosted users and cloud users (perhaps as a premium option) will be able to do this though.

yeah that sounds great! i think the one site i recall doing this acted as a fancy email forwarder and header exchanger; allowed the user to create N aliases, and it would forward them all to the users email. then a user could reply and the server would basically grab the body and convert the outbound headers to match the alias (i can never remember the website anymore though- and it lacked open sourceness or i'd have self hosted that if i could)

many iterations is the way to go - im one who always favors options and tinkering (and sometimes with minimal reading; extra challenge mode) - wont be for a month before i can attempt the self hosting bit but i do plan to try it (so my feedback will be very delayed)

thanks for doin all the hard work good luck and dont burn out!

replies(1): >>43371075 #
5. out-of-ideas ◴[15 Mar 25 00:33 UTC] No.43368807[source]
my experience having a unique email per domain is basically the hacked companies are the ones where the email is bled to spammers - though going through google's services i think a ton of spam is auto filtered (though i did go through a chunk of emails at one point and flag as spam+ auto purge).

its probably more likely they collect the info on you and associate you with the different domains with those emails (and likely without those emails, too)

email is too easy for the user to filter out spam; why bother with that vs websites that require javascript, proactively treat users like they are bots, and also serve ice cold ads? [ex cloudflare and amazon where you have to verify you are a bot _before_ trying to login; remember when websites allowed like 3 attempts before offering the bot detections / backoff protections? - now we cannot even try to login perfectly once without getting "am you a bot?" prompts - even with TOTP]

but after all is said and done - i still really do enjoy a single email per website - it is a great way to filter items (and takes 1 attack vector out of the public email part; they dont ever get my username unless they hack the server)

6. lanedirt ◴[15 Mar 25 08:46 UTC] No.43371048[source]
Thanks for your comment!

The official cloud hosted variant currently offers unlimited *@aliasvault.net addresses. However I’ll be adding more domains as time goes on as certain companies don’t always like the idea of aliases and tend to start blacklisting.

The self-hosted variant allows you to attach as many of your own domains that you want, and then you can choose which domain you want to generate an alias with from the GUI.

The ability to connect your own private domains to the cloud hosted variant is also on the roadmap and will be added in the coming 2-3 weeks. This will allow you to move from/to different services without losing access to your email aliases.

7. lanedirt ◴[15 Mar 25 08:50 UTC] No.43371075{4}[source]
Thank you for your kind words! Nice idea about the header exchanger, I’ll add it to my list to explore as an option for this feature.

I’m looking forward to your feedback whenever you have had the chance to try AliasVault. Much appreciated! :-)