nokee
Self-Hosted · Zero-Knowledge · Enterprise-Ready

Your passwords.
Your servers.
No compromise.

Nokee encrypts everything client-side using AES-256-GCM. The server stores only ciphertext — it never sees your plaintext passwords or encryption keys.

Deploy with DockerContact Us
AES-256-GCM
Encryption
RSA-4096
Key Exchange
PBKDF2
Key Derivation
TOTP
2FA Support
The Cost of Insecurity

One leaked password can cost millions

Most teams store passwords in spreadsheets, chat messages, or on personal devices — without realizing how much a single breach can cost them.

€4.9M

Average cost of a data breach

IBM 2024

4%

Max GDPR fine of global annual revenue

GDPR Art. 83

277

Days on average to detect a breach

IBM 2024

83%

of companies have experienced more than one breach

IBM 2024

💬 Passwords in Chat & Email

Credentials sent via Slack or email live in message history forever. One compromised account exposes every password ever shared — with no way to revoke access.

📊 Excel & Google Sheets

Spreadsheets are unencrypted on disk and cloud-synced without access control. Version history preserves deleted passwords. A wrong share setting means a mass leak.

📱 Personal Devices

Passwords saved in personal browsers sync to private accounts outside company control. There is no remote wipe when an employee leaves — and no audit trail.

Sources: IBM Cost of a Data Breach Report 2024 · GDPR Art. 83

Why Nokee

Security you can audit,
infrastructure you control

Nokee is built on the principle that your secrets should only ever be accessible to you — cryptographically enforced.

Zero-Knowledge Architecture

The server never sees your plaintext passwords or encryption keys. Everything is encrypted and decrypted exclusively in your browser.

Fully Self-Hosted

Deploy on your own infrastructure with Docker Compose. Your data never leaves your servers — no cloud dependency, no vendor lock-in.

Secure Team Sharing

Share passwords with teammates using RSA public-key encryption. Each recipient gets their own encrypted copy — access is fully revocable.

End-to-End Encrypted

AES-256-GCM for all vault items and folder names. PBKDF2 key derivation. RSA-OAEP for sharing. Encryption throughout the entire stack.

Two-Factor Authentication

Add a second layer of security with TOTP 2FA. Compatible with Google Authenticator, Authy, and any RFC 6238-compliant authenticator app.

Complete Audit Log

Every action logged with timestamps and user context. Know exactly who accessed, modified, or shared what — and when. Full accountability.

How It Works

From zero to secured
in minutes

Nokee is designed to be simple to deploy and impossible to compromise — by design.

01

Deploy Nokee

Clone the repository, configure your environment, and run docker compose up -d. Nokee is production-ready in under 2 minutes on any server with Docker.

bash
docker compose up -d

# Runs PostgreSQL, FastAPI backend, and Next.js frontend

02

Create Your Vault

Register and set your master password. Your encryption key is derived client-side via PBKDF2 with 100,000 iterations — it never leaves your browser.

crypto
PBKDF2(masterPassword) → encryptionKey

# authHash sent to server · encryptionKey stays local

03

Collaborate Securely

Invite teammates to shared folders or projects. Each item is automatically re-encrypted with the recipient's RSA public key. Revoke access anytime.

crypto
RSA-OAEP.encrypt(item, recipientPublicKey)

# Per-recipient encryption · folder cascade sharing

Encryption Model

Encryption you can
actually audit

Our crypto is not a black box. Here is exactly how Nokee protects your data — step by step.

Encryption Flow

In Your Browser
Master Password
PBKDF2 (100,000 iterations)
authHash
sent to server
encryptionKey
stays in browser
AES-256-GCM encryption
ciphertext only
Server
[ encrypted ciphertext ]
no plaintext

Cryptographic guarantees

Server never sees plaintext

The server only ever receives the authHash (a derivative of your master password, useless for decryption) and encrypted ciphertext.

Encryption key never transmitted

Your encryptionKey is derived client-side via PBKDF2 and stays exclusively in your browser session — it is never sent over the network.

Shared items individually encrypted

When sharing, each recipient gets a separate copy encrypted with their RSA public key. Revoking access is cryptographically enforced.

Code auditable on request

Enterprise customers can request a full code review. The exact PBKDF2, AES-GCM, and RSA-OAEP implementation is available for inspection under NDA.

Self-Hosted

Production-ready
in 3 commands

Nokee ships as a fully containerized stack. No complex setup — just Docker and you are running.

bash

# 1. Extract the package and configure

$tar -xzf nokee-latest.tar.gz && cd nokee
$cp .env.example .env # set your secrets

# 2. Start all services

$docker compose up -d

# 3. Run database migrations

$docker compose exec backend alembic upgrade head

# output

✓ Starting nokee_db ...

✓ Starting nokee_backend ...

✓ Starting nokee_frontend ...

→ Ready at http://localhost:3000

Minimum Requirements

Docker20+
RAM512 MB
Storage1 GB
DatabaseIncluded

What You Get

  • On-premise or managed deployment options
  • Full control over backups and data retention
  • Air-gapped deployment supported
  • PostgreSQL included via Docker Compose
  • Scales with your team — no user limits
  • HTTPS-ready with reverse proxy support
Contact Us for Deployment
Get in Touch

Ready to secure
your team?

Interested in deploying Nokee for your organization? Reach out and we will help you get set up — from a single team to enterprise scale.

Contact UsSee Setup Guide

Self-hosted · Zero-knowledge · Enterprise support available