Why I’m Building a Password Manager of All Things
Of all the things I could build—another blockchain, an AI agent, a developer tool—I’m building a password manager. It sounds almost mundane. Password managers have existed for decades. The market has established players. Why would someone who’s spent years building cryptocurrency infrastructure decide this is worth the effort?
Because KeyPears isn’t really a password manager. It’s the first federated Diffie-Hellman key exchange platform. Password management is just where it starts.
The Broken State of Key Management
Every application that requires authentication creates its own key management silo. Your bank has one set of credentials. Your email provider has another. Your cryptocurrency exchange has a third. Password managers help by giving you one place to store all these credentials, but they don’t solve the fundamental problem: key management is fragmented, centralized, and broken.
Consider what happens when you need to share a production database password with a contractor at a different company. You’re using 1Password. They’re using Bitwarden. There’s no interoperability. You end up pasting the password into Slack or sending an encrypted email attachment—workarounds that defeat the purpose of having a password manager in the first place.
Cryptocurrency made this worse, not better. Seed phrases written on paper. Hardware wallets stored in safes. No good way to share wallet access with a family member or business partner without physically handing them a piece of paper. The industry that should have solved key management created some of the most user-hostile key management experiences imaginable.
Secure messaging has the same problem from a different angle. Signal has excellent encryption, but it’s a centralized service. If Signal gets shut down, subpoenaed, or acquired, hundreds of millions of users are affected simultaneously. The encryption is decentralized; the infrastructure isn’t.
The common thread across all of these: we keep reinventing key management badly, in isolated silos, with no interoperability.
What KeyPears Actually Is
KeyPears uses an email-like architecture for cryptographic key exchange. Your
identity is an email-style address: alice@keypears.com or
alice@yourcompany.com. Each address maps to a public/private keypair. When you
want to share a secret with someone, you use their address to discover their
public key and establish an encrypted channel.
This is how email works—alice@company-a.com can message bob@company-b.com without asking permission from a central authority. The protocol is open. The network is federated. Anyone can run a server.
KeyPears applies this model to secrets. Your vault syncs across your devices with end-to-end encryption. When you need to share a secret with someone at a different organization, you don’t need them to use the same provider. You just need them to have a KeyPears-compatible address, which could be hosted anywhere.
The entire codebase is open source under Apache 2.0. The protocol is open. Anyone can run a KeyPears server, just like anyone can run an email server.
The Technical Innovation: Decentralized Diffie-Hellman
The core innovation is federated Diffie-Hellman key exchange—something no other password manager offers.
Here’s how it works: Alice at alice@example1.com wants to share a secret with
Bob at bob@example2.com. Alice’s client contacts Bob’s server and requests an
engagement public key. Bob’s server generates a derived public key using
elliptic curve addition—a mathematical property where adding two public keys
produces a new public key corresponding to the sum of the private keys. This
means the server can generate valid public keys for Bob without ever knowing
Bob’s private key.
Alice’s client computes a shared secret using Diffie-Hellman. She encrypts the secret and sends it to Bob’s server. When Bob comes online, his client retrieves the derivation component from his server, adds it to his vault private key, and computes the same shared secret. He decrypts the message.
Neither server ever saw the plaintext. The cryptography happens entirely client-side. The servers coordinate the exchange without learning anything about the contents.
This enables something that doesn’t exist today: secure secret sharing across organizational boundaries without trusting any intermediary.
Three Layers of Value
KeyPears delivers value at three levels, each building on the previous.
Layer 1: Password Management. This works today. You create a vault, store your passwords, and sync across all your devices. The client runs on Windows, macOS, Linux, iOS, and Android via Tauri. Your secrets are encrypted with keys derived from your password using 100,000 rounds of key derivation. The server stores only encrypted blobs—it can’t read your passwords even if compromised.
Layer 2: Federated Secret Sharing. This is what I’m building now. Once the Diffie-Hellman infrastructure is complete, you’ll be able to share any secret with any KeyPears address. Need to give a contractor access to an API key? Share it directly through KeyPears. They accept it into their vault. No Slack messages, no encrypted emails, no awkward workarounds.
Layer 3: Secure Messaging and Cryptocurrency. The same DH infrastructure
that enables secret sharing enables encrypted messaging—a decentralized Signal
built on email-style addresses. It also enables cryptocurrency wallets where
your email address is your wallet address. alice@example.com sends money to
bob@example.com. No more copying and pasting 42-character hexadecimal strings.
Each layer is independently useful, but together they create something new: a unified platform for private, secure digital interaction.
Why This Matters for Crypto
Cryptocurrency’s biggest UX problem is key management. Wallet addresses are 42-character strings that humans can’t read or remember. Seed phrases are 12-24 words that you’re supposed to write on paper and store in a safe. Self-custody means taking on operational security responsibilities that most people aren’t equipped to handle.
KeyPears solves this by making your email address your identity. The address maps to a public key. The private key stays encrypted on your devices, synced through the federated network. When you want to send money, you send it to an email address. The DH infrastructure resolves the address to a public key and handles the cryptography.
This isn’t replacing cryptocurrency—it’s making it usable. The same infrastructure that lets you share a password with a colleague lets you share wallet access with a family member or send a payment to a business partner. Self-custody without the UX nightmare.
Why This Matters for Privacy
The current options for private communication are unsatisfying. Centralized services like Signal provide excellent encryption but create single points of failure. Federated systems like email provide decentralization but no encryption by default. Self-hosted solutions provide both but require technical expertise most people don’t have.
KeyPears combines federated architecture with end-to-end encryption in a package that’s actually usable. You can run your own server for maximum control, or use a hosted provider for convenience. Either way, your secrets are encrypted with keys only you control. There’s no central authority to subpoena, breach, or shut down.
This is the model that should have existed from the beginning: the decentralization of email with the encryption of Signal.
The Business Model
KeyPears isn’t a non-profit. Non-profits in this space tend to be chronically underfunded, dependent on grants, and unable to attract engineering talent. I want KeyPears to be sustainable.
But it’s also not a VC-backed hypergrowth startup. That model creates pressure to compromise on principles—to monetize user data, to add features that undermine privacy, to sell to the highest bidder regardless of their intentions. I’ve seen too many promising projects destroyed by the growth-at-all-costs mentality.
KeyPears is a slow-growth small business. The free tier is generous enough for most users: 300 syncs per month, 500 secrets, 1GB storage. Premium users pay $99 per year for custom domains and unlimited usage. Businesses pay per-user pricing for team features.
Sustainable revenue is success. We don’t need to be a unicorn. We need to be around in twenty years, still serving users who value privacy and security.
Current Status
Phase 1 is complete: cross-device synchronization works. You can create a vault, store secrets, and sync them across all your devices with end-to-end encryption. The server never sees your passwords.
Phase 2 is underway: Diffie-Hellman key exchange for federated secret sharing. The cryptographic primitives are implemented. The protocol is designed. I’m building the API endpoints and client UI now.
The code is open source at github.com/keypears/keypears. The website is at keypears.com. Native apps for all platforms are built with Tauri—one codebase for Windows, macOS, Linux, iOS, and Android.
The Bigger Picture
Password management sounds boring until you realize it’s the foundation of digital identity. Every interaction you have online—logging into services, signing transactions, proving who you are—depends on managing cryptographic secrets. Get this right, and you enable a new model for how humans interact securely across organizational boundaries.
I’m building the email of cryptographic keys. A federated network where anyone can participate. Open protocols that anyone can implement. End-to-end encryption that no intermediary can break. And a user experience familiar enough that anyone can use it.
KeyPears starts with passwords because that’s the immediate, practical problem. But the infrastructure we’re building enables much more: secure messaging, cryptocurrency wallets, and any other application that requires humans to manage cryptographic keys safely.
That’s why I’m building a password manager of all things.