The Velvet Suite is a modular security architecture designed for environments where deterministic trust, local authority, and the elimination of persistent secrets are required. Each module operates independently and does not rely on external services, centralized signing infrastructure, or network connectivity. All cryptographic state is derived at runtime, kept only in memory, and destroyed on expiration.
The execution control system enforces trust by content hash. It uses a kernel-level interception mechanism to monitor every file execution event and prevents any binary from running unless its hash has been explicitly authorized. Trust is based entirely on the file's contents. Names, locations, permissions, and metadata are not used. If the file's SHA-256 hash is not present in the local trust database, execution is denied before it begins. This prevents substitution attacks, injection, spoofed binaries, and environmental manipulation by enforcing identity through the data itself.
Trust management is handled through tools that allow administrators to populate, inspect, and maintain the local trust database. A scanning utility walks specified directories, hashes executable files, and records them. Manual tools allow precise modification and review, both through a command line interface and a graphical interface that operates without background services. These utilities allow the system to remain deterministic and fully auditable even in recovery or disconnected environments.
Additional components support encrypted file transfer, secure messaging, password storage, and interprocess communication. These systems perform all encryption on the client using secrets that are generated in memory and rotated frequently. Synchronization is supported through local relays that store only encrypted blobs without metadata or identifying information. No keys or credentials are written to disk and no long-term secrets persist after execution.
Passman is a stateless, offline-first password manager that eliminates the risks of traditional vault-based solutions like LastPass, Bitwarden, and 1Password. Instead of storing passwords in a vault, Passman mathematically regenerates them on demand, making it impossible to steal what isn’t stored.
This is a proof-of-concept release, and minimal testing has been completed. The goal is to challenge conventional password management by proving that a zero-storage model can work. Looking for security researchers, developers, and privacy advocates to test, break, and improve it.
How Passman Works
You enter your master password and a website/app name.
Passman mathematically derives a password from these inputs.
The password is copied to your clipboard for immediate use.
The clipboard automatically clears after 60 seconds to prevent leaks.
Nothing is stored—no vaults, no sync, no cloud. Everything is derived in real-time.
Core Features
No vaults, no storage, no sync – Nothing to steal, nothing to hack.
Mathematically derived passwords – Always reproducible, never saved.
Auto-copy to clipboard – Prevents keyloggers without manual copying.
Clipboard auto-clear after 60 seconds – No lingering passwords.
Encrypted transformation rules – Securely export/import between devices.
Open-source and GPL-3 licensed – Anyone can verify or improve it.
This is not a finished product. It is a proof-of-concept to demonstrate that password managers don’t need to store passwords at all. If there’s nothing to steal, there’s nothing to hack.
If you care about security, privacy, or cryptography, try it out and let me know what you think. Looking for feedback from anyone who can test it, break it, or suggest improvements.
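The derivation step listed under How Passman Works, as an added sketch that is not Passman's code: the post does not give the algorithm, so PBKDF2-HMAC-SHA256, the character set, the iteration count, the context label and the `counter` parameter are all assumptions made here.

```python
import hashlib
import hmac
import string
import unicodedata

# Assumptions for this sketch, not values taken from Passman:
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
ITERATIONS = 200_000            # PBKDF2 work factor
CONTEXT = b"derive-example-v1"  # domain-separation label


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Regenerate a site password from the master password; nothing is stored."""
    # Normalise inputs so the same secret typed on another device or keyboard
    # layout yields the same bytes.
    key = unicodedata.normalize("NFKC", master).encode("utf-8")
    site_id = site.strip().lower().encode("utf-8")
    # Length-prefix the site name so distinct (site, counter) pairs can never
    # serialise to the same salt.
    salt = CONTEXT + len(site_id).to_bytes(2, "big") + site_id + counter.to_bytes(4, "big")
    seed = hashlib.pbkdf2_hmac("sha256", key, salt, ITERATIONS)

    # Expand the seed with HMAC in counter mode, then map bytes to characters
    # using rejection sampling: bytes >= limit are skipped to avoid modulo bias.
    limit = 256 - (256 % len(CHARSET))
    chars, block = [], 0
    while len(chars) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in stream:
            if b < limit and len(chars) < length:
                chars.append(CHARSET[b % len(CHARSET)])
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample input
    print(derive_password(master, "example.com"))
    # Rotating one site's password needs a new counter, which the user must
    # remember or carry between devices.
    print(derive_password(master, "example.com", counter=2))
```

Any change to the character set, iteration count or counter changes every derived password, so those parameters have to match on each device.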
Versions of this idea have been kicking about for ages; you can probably find some other implementations even just on HN (and the commentary on them, which will probably mostly say that this is a bit of a design dead end).