
KeyPears Alpha Is Live

April 12, 2026 · Ryan X. Charles

Four months ago I wrote a post titled Why I’m Building a Password Manager of All Things. Today KeyPears is in alpha, live at keypears.com, and every line of code is open source on GitHub under MIT.

You can create an account, send end-to-end encrypted messages to anyone on any KeyPears server, store secrets in an encrypted vault, rotate your keys, and claim a domain you already own by hosting a single JSON file. Two KeyPears servers on two different domains can already federate and exchange messages in production. That’s the alpha.

What KeyPears actually is

KeyPears is a federated, end-to-end encrypted protocol for messaging and secret storage. Your identity is an email-style address — [email protected], or [email protected] if you host the keypears.json file yourself — backed by a NIST P-256 key pair. Servers store only ciphertext. The server operator cannot read your messages or your vault, and a database breach reveals nothing.

The pitch is one sentence: keep what email got right (name@domain addressing and DNS-based federation), and add what email could never retrofit (Diffie-Hellman key exchange and proof of work), mandatory from day one.

Email got addressing and federation right forty years ago and never fixed encryption or spam. PGP tried key exchange as a layer on top, and Whitten and Tygar showed in 1999 that most users couldn’t successfully encrypt a message even with ninety minutes of training. Hashcash proposed proof of work for spam in 1997 and couldn’t be made mandatory without breaking every legitimate sender who hadn’t heard of it. The centralized alternatives — Signal, iMessage — solved encryption by abandoning federation and binding your identity to a phone number and a single company’s servers. Matrix got federation and encryption but threw out email-compatible addresses and built a directed acyclic graph of room state that’s conceptually rich and operationally heavy.

KeyPears is the third path. Federated. Encrypted. Simple. Boring cryptography on purpose.

Boring cryptography on purpose

Every primitive in KeyPears is NIST-approved: SHA-256, HMAC-SHA-256, PBKDF2-HMAC-SHA-256 (1.2 million total rounds, 600,000 on the server alone), AES-256-GCM, P-256 ECDH and ECDSA. Nothing novel, nothing creative — the same primitives that secure TLS, WebAuthn, and every smartcard on Earth. If you open the crypto layer as a reviewer, you should find it boring. Boring is the goal.

Proof of work is computed client-side via a GPU-friendly algorithm called pow5-64b, and the difficulty is configurable per-server and per-user. An operator under spam pressure raises the account-creation difficulty. A user receiving unwanted messages raises their first-contact difficulty. No CAPTCHAs, no third-party verification, no phone numbers.

Federation uses a pull model: when I send a message to you, my server stores the ciphertext and notifies your server with a pull token. Your server independently resolves my domain via DNS and TLS and pulls the ciphertext itself — so domain authentication piggybacks on the HTTPS trust model the rest of the web already uses, and there’s no new PKI to operate.

The whitepaper covers the full protocol, cryptographic construction, and security analysis in about a dozen pages. If you’re the kind of person who reads the protocol before signing up, start there.

A note about alpha

KeyPears is in alpha. The cryptography is boring, the protocol has been audited internally more than once, and the security model is documented in detail. We do not plan to wipe the database. But if a fundamental flaw is discovered — something that can’t be fixed by a code update without re-deriving everyone’s keys — we may have no choice. The alpha label is a precaution, not a prediction. Don’t store the only copy of anything you can’t afford to recreate. Everything we’ve shipped is in service of making the wipe scenario unlikely enough that the alpha flag eventually comes off and the database keeps running.

Where to go

The most useful thing you can do for the project right now is run your own KeyPears server on a domain you control and federate it with keypears.com. That’s a direct test of the federation layer in production, and it’s the scenario the whole protocol was designed for. If you find a bug, file it on GitHub. If you find a cryptographic flaw, keypears me directly first.

This is the post I’ve been wanting to write for four months. KeyPears is live. Go break it.



Copyright © 2026 Ryan X. Charles