
Add PaperVault to Password Managers #421

Open

boazeb wants to merge 2 commits into Lissy93:main from boazeb:add-papervault

Conversation

boazeb commented Mar 13, 2026

PaperVault is an open source tool for backing up passwords and critical data on paper using Shamir secret sharing. Submission requests an exception on the 4-month repo age requirement per CONTRIBUTING.md (justified in PR description).

Request for exception: The contributing guidelines state that the first stable release should be older than 4 months. PaperVault does not yet meet that requirement. I am asking maintainers to consider an exception for this listing because:

  1. Strong fit for the list: Fully open source (MIT), client-side only, zero-knowledge, documented privacy policy for the hosted version, and a clear SECURITY.md with responsible disclosure.
  2. Niche use case: Paper-based secret backup with threshold recovery is a distinct privacy/security need (disaster recovery, inheritance) that complements existing password managers and has few listed alternatives.
  3. Transparency: I am the project author and disclose that below. I commit to maintaining the project and addressing feedback.

Supporting Material


Affiliation

Yes. I am the author and maintainer of PaperVault. I am submitting it for inclusion because I believe it meets the list’s privacy and security criteria and fills a gap (paper-based secret backup with threshold recovery).


Checklist

  • I have read the Contributing guide, and confirmed my PR aligns with the requirements
  • I have performed a self-review (valid Markdown formatting, spelling, and grammar)
  • I have indicated whether I have any affiliation with any software / services added
  • I agree to follow the repository's Contributor Covenant Code of Conduct

---

PaperVault is an open source client-side tool for backing up passwords,
2FA recovery codes, and encryption keys on paper using Shamir secret
sharing. Zero-knowledge, works offline, M-of-N recovery. Submission
requests an exception on the 4-month repo age requirement per
CONTRIBUTING.md (justified in PR description).

Made-with: Cursor
liss-bot (Collaborator) commented Mar 13, 2026

Hello @boazeb

Thank you for contributing to Awesome Privacy! We will review your submission shortly. In the meantime, please ensure all changes are correct and in line with our Contributing Requirements.

Our automated checks detected some issues:

  • Please fill in the pull request template in full. You can find a copy of this here
  • It looks like your submission is quite a small project without a lot of users yet. In some circumstances we may ask you to resubmit this once the project is more mature and has a proven track record of good practices and maintenance.
  • This project appears to be quite new (created less than 4 months ago). Repositories should have a proven track record before listing.

Note

I am a bot, and sometimes make mistakes in my suggestions. But a human will review your submission shortly!

Summary of Changes:

  • Added PaperVault in Essentials → Password Managers

Submission Info

Repo Stats

  • 🟢 License: MIT License
  • 🔴 Repo Age: 2 weeks
  • 🟢 Last Updated: 1 week ago
  • 🔴 Releases: 0
  • 🔴 Stars: 12
  • 🔴 Contributors: 1
  • 🟢 Is Fork: No
  • 🟢 Is Archived: No
  • Security Alerts: Unknown
  • 🟢 Vibe Coded: 0 AI commits
  • 🔵 Commits: 10
  • 🔵 Open Issues: 0
  • 🔵 Website: https://papervault.xyz
  • 🔵 Author: boazeb
  • 🔵 Languages: JavaScript, CSS, HTML

Website Checks

  • 🟢 Status: 200
  • 🟢 HTTPS: Yes
  • 🟢 Blacklist: Not listed
  • 🟢 Redirect: None
  • 🔴 Risk Score: 70
  • 🔴 HSTS: Missing
  • 🔴 CSP: Missing
  • 🔴 X-Frame-Options: Missing
  • 🔴 Security.txt: Missing
  • 🔵 Server: 216.198.79.1, AS16509
  • 🔵 Server Location: Walnut, California, United States of America
  • 🔵 Title: PaperVault.xyz - Cold storage vault

The above data does not determine a submission's eligibility. Human review is still needed.
Key: 🟢 = good. 🟠 = warning. 🔴 = attention required. 🔵 = info. ⚪ = unknown.

For full details, please see workflow run 23050855121

ltguillaume (Contributor) commented Mar 14, 2026

Wow, this is a very good way to get digital legacy in order, e.g. by sharing the master password of your password manager.

Much better than e.g. Keepass's emergency sheet.

  1. An issue would be that you need to either be sure that https://papervault.xyz or your own instance remains available, which isn't a given, or it should be easier to include an offline solution.
  2. The "Disconnect from Internet" step always fails for me. Putting the phone in airplane mode does not "greenlight" the last step, ever (tested on a Firefox- and a Chromium-based browser).

boazeb (Author) commented Mar 17, 2026

@ltguillaume thanks for the feedback!

  1. cloning the repo can help ensure that if papervault.xyz website is gone the vault is always recoverable. Also, part of my goal in open sourcing the code and keeping a copy on github is to ensure its survival in the future. The paper vault also includes instructions that point both to the website and github repo.

  2. Regarding 'disconnect from internet' issue, the indicator works well but turning on airplane mode isn't actually enough. You need to toggle off wifi as well.

@Lissy93 (fyi too)

ltguillaume (Contributor) commented Mar 17, 2026

  1. True, but to have the option to keep a self-contained webpage (or executable) next to the key and vault would be a lot more user friendly.
  2. No, WiFi is off, too. I haven't looked into it, but you're probably using an API for this that both my browsers block by default then.


Lissy93 (Owner) commented Mar 18, 2026

Yeah, I had similar thoughts to @ltguillaume

Based on the real-world use case, the most important thing here is going to be longevity. It could be 10 years time when myself (or my family) need to unlock my vault, so it's really important that the code stays available and runnable. If it was me, I'd:

  1. Consider Dockerizing it, or adding a similarly easy way to run it locally. It is notoriously hard to get a Node.js environment running for older versions.
  2. Likewise, it'd be neat if the code was mirrored/backed up somewhere beyond just GH. Mirroring to Codeberg is really easy.

I also had the same issue with the online/offline check: it doesn't work. The navigator.onLine property is really rubbish, it basically just checks if a device is connected to "a" network, and not if it has internet, and it's implemented differently across different OSs and browsers. I tried on Firefox and Chromium on Linux (NixOS).
I think that's fine though, just make the "Accept the risk and proceed online" more obvious / or the Internet check optional.


Also, just a small thought on this part of your PR body/codebase:

Instructions for an AI assisted code audit: https://github.com/boazeb/papervault/blob/main/AI_AUDIT_INSTRUCTIONS.md

It's a cool idea. While I've not tried using AI for this, from what I have used it for, I expect it to miss about ~90% of what a human would find.
So be careful not to let AI give you a false sense of security, it is not a replacement for proper engineering and discipline. Especially when you've narrowed the scope down that far, and asked it to "verify no issue" - AI lives to please, so you've optimized for AI approval, rather than real-world hardening.
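For the navigator.onLine problem discussed in this thread, here is an added example (not PaperVault's code) of a connectivity gate that treats onLine as a hint only, confirms it with an active request, and never hard-blocks on an inconclusive result, so that a phone in airplane mode (where onLine may still read true) is detected via the failed request, and a browser that blocks the probe gets a warning rather than a dead end. The browser APIs are injected so the decision logic can be exercised under Node; the probe URL and timeout are assumptions.

```javascript
// Added example (not PaperVault's code): an offline gate that does not trust
// navigator.onLine on its own. Browser globals are injected so this runs under Node;
// PROBE_URL is a placeholder for a tiny resource on the app's own origin.
const OFFLINE = "offline";
const ONLINE = "online";
const UNKNOWN = "unknown";
const PROBE_URL = "/ping"; // placeholder, replace with a real same-origin resource

// Pure decision. `onLine` is navigator.onLine; `probe` is "ok" | "error" | "timeout".
// onLine === false is reliable (the browser knows it has no usable interface), but
// onLine === true only means "attached to some network", so it is never trusted alone.
function classify(onLine, probe) {
  if (onLine === false) return { state: OFFLINE, reason: "navigator.onLine is false" };
  if (probe === "error") return { state: OFFLINE, reason: "probe request failed at the network layer" };
  if (probe === "ok") return { state: ONLINE, reason: "probe request completed" };
  return { state: UNKNOWN, reason: "probe timed out or was blocked" };
}

// Turn the verdict into UI behaviour. Only a confirmed ONLINE state blocks the
// sensitive step, and the user can still override it; UNKNOWN proceeds with a
// visible warning, so a flaky check is never a hard wall.
function gateDecision(verdict, userAcceptsRisk = false) {
  switch (verdict.state) {
    case OFFLINE: return { proceed: true, warn: false };
    case UNKNOWN: return { proceed: true, warn: true };
    default:      return { proceed: userAcceptsRisk, warn: true };
  }
}

// Run the probe with a timeout. fetch rejects on network errors (airplane mode,
// no route), which maps to "error"; a request that never settles maps to "timeout".
async function runProbe(probeFn, timeoutMs) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs);
  });
  try {
    return await Promise.race([probeFn().then(() => "ok", () => "error"), timeout]);
  } finally {
    clearTimeout(timer);
  }
}

// Full check; defaults wire in the browser globals, tests inject substitutes.
async function assessConnectivity({
  onLine = typeof navigator !== "undefined" ? navigator.onLine : undefined,
  probeFn = () => fetch(PROBE_URL, { method: "HEAD", cache: "no-store" }),
  timeoutMs = 3000,
} = {}) {
  if (onLine === false) return classify(false, null); // no request needed
  return classify(onLine, await runProbe(probeFn, timeoutMs));
}
```

The probe should hit the app's own origin with cache: "no-store" so a service worker or HTTP cache cannot answer it; a cross-origin probe would also need a CSP connect-src entry and leaks to a third party that the user is about to handle secrets.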

Lissy93 (Owner) commented Mar 18, 2026

For now, I think it's a really cool concept, and both unique and very useful.

But, the project isn't mature yet. Realistically, it usually takes a couple of months of real use for issues to be found, reported and fixed. And a track record of good maintenance is important too.

There's also concerns with the codebase. The code on GitHub is not the same as what's running on the website. And both sources are very unstructured, making it really hard to follow, and so probably tricky to maintain. E.g. WalletEntryCard.jsx has the entire BIP-39 word list hardcoded inline, complete with the AI's helpful comment that you should import this instead. And about 25% of the repo is dead code, unused.

I think for now, we should close and revisit once it's more mature, if that's okay with you @boazeb?

ltguillaume (Contributor) commented Mar 18, 2026

> I just rebased from main, to pull in the latest changes because there was a merge conflict
>
> Edit: wait did I do it wrong, just checking now.. 😳
>
> Edit edit: I think we're good, AliasVault was merged a few days ago in #303, so this was just rebasing to resolve the conflict since they were in the same section.

I guess I expected a rebase and saw a merge and was a little confused by the web interface? Either way, you're right, nothing went wrong 🙂 Sorry about that 🫣

> There's also concerns with the codebase. The code on GitHub is not the same as what's running on the website. And both sources are very unstructured, making it really hard to follow, and so probably tricky to maintain. E.g. WalletEntryCard.jsx has the entire BIP-39 word list hardcoded inline, complete with the AI's helpful comment that you should import this instead. And about 25% of the repo is dead code, unused.

Woah, didn't expect that, so yeah, would definitely need more work.

Since it's based on a very old algorithm and old implementations, I thought I'd find some alternatives to compare it to, but nothing really popped up yet.

That said, the user facing side of it all is very nicely done.

boazeb (Author) commented Mar 22, 2026

Hey @Lissy93 @ltguillaume
thanks for the detailed feedback.
I've tried to address some of it via the following updates:

  • Removed a lot of old dead code and comments (-838 lines)
  • Removed hardcoded BIP-39 wordlist (uses the bip39 library directly now)
  • Cleaned up code structure in major components
  • Added security headers
  • Added Docker support (Dockerfile + docs in README)

Regarding the 'online/offline check' I'm not sure I have a better solution at the moment, so I'm leaving it as-is. Honestly I'm also having trouble replicating the issue, it's been working silky smooth for me across both web and mobile and I've tested both Chrome and Safari.

> There's also concerns with the codebase. The code on GitHub is not the same as what's running on the website.

Regarding your concern on codebase being different between the repo and website: I excluded the 'marketing site' (papervault.xyz) from the open source release because users installing the app locally don't really need a fancy homepage. The app itself is located on a subdomain: https://app.papervault.xyz ; the website simply points users to the subdomain. The app hosted on the subdomain is identical to the github repo, and is hosted by vercel.

I'm happy to resubmit in a couple weeks if you'd like, but on the other hand, a tiny bit of visibility would help accelerate product maturity as well.

Cheers!
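On the missing HSTS, CSP and X-Frame-Options the listing bot flagged, and the "Added security headers" update in this comment: the following is an added example, not PaperVault's or Vercel's own configuration, of a baseline header set for a static, client-side vault app expressed in the shape of a vercel.json `headers` entry, together with an audit function that reports the same gaps the bot does. The header values are this example's assumptions about a sensible policy for such an app, not what the site actually sends.

```javascript
// Added example, not code or configuration from PaperVault or Vercel: a baseline
// header set for a static client-side vault app, in the vercel.json `headers` shape,
// plus an audit that reports the gaps a listing check would flag. Values are assumptions.
const SECURITY_HEADERS = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  // Scripts only from the app's own origin. frame-ancestors 'none' is the CSP
  // equivalent of X-Frame-Options: DENY; both are sent for older browsers.
  {
    key: "Content-Security-Policy",
    value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
           "img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'none'; " +
           "base-uri 'none'; form-action 'none'; object-src 'none'",
  },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "no-referrer" },
];

// vercel.json shape: every route ("/(.*)") receives the headers above.
function vercelConfig() {
  return { headers: [{ source: "/(.*)", headers: SECURITY_HEADERS }] };
}

// Audit a response header map (names matched case-insensitively).
// Returns a list of findings; an empty list means the baseline is met.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("HSTS: missing");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push("HSTS: max-age shorter than one year");
  }

  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("CSP: missing");
  else if (/script-src[^;]*('unsafe-inline'|\*)/i.test(csp)) {
    findings.push("CSP: script-src permits inline or wildcard scripts");
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!xfo && !/frame-ancestors/i.test(csp)) findings.push("X-Frame-Options: missing (and no frame-ancestors)");
  else if (xfo && xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("X-Frame-Options: unexpected value " + xfo);

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options: missing");
  if (!h["referrer-policy"]) findings.push("Referrer-Policy: missing");
  return findings;
}

// The header map the config above produces, so the policy can audit itself.
function headerMap() {
  return Object.fromEntries(SECURITY_HEADERS.map(({ key, value }) => [key, value]));
}
```

The bot's remaining item, Security.txt, is not a header but a static file served at /.well-known/security.txt (RFC 9116), which for a static deployment is just a file in the public directory pointing at the SECURITY.md disclosure process. A CSP as strict as the one above will break a bundler that injects inline scripts, so it is worth auditing the deployed site rather than the config alone.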
