AES-256-GCM · Argon2id · Zero servers · Zero telemetry
Your passwords live on
your device. Nowhere else.
Every major password manager stores your secrets on their servers. When they get breached — and they do — your data is exposed. Neoxtemus is different: your encrypted vault never leaves your device. No cloud. No accounts. No company database to hack.
Passwords · 2FA codes · Files · Credit cards · Crypto wallets · IDs — all in one encrypted vault that works offline, forever.
Your password manager has a single point of failure: their servers.
Many popular password services rely on cloud-hosted vaults. If those servers are breached, attackers can obtain encrypted vaults and perform offline brute-force attacks. If a provider shuts down or is compelled by legal process, your metadata or access may be affected.
Neoxtemus eliminates the server entirely. Your vault is encrypted with AES-256-GCM and stored only on your device. There is no NeoXten database. No API your app calls. No infrastructure to breach.
100% Local. Works Across Devices.
Your AES-256-GCM encrypted vault lives on your device — not on our servers. Move it between up to 3 devices using encrypted .nex backup files that only your master password can open. No cloud sync needed. No vendor lock-in. You hold the only key.
The Decoy Vault.
Under duress? Enter a secondary PIN to open a fake vault with dummy data. The attacker thinks they won. Your real secrets remain cryptographically hidden.
On-Device OCR Engine.
Photograph a Wi-Fi label, API key, or printed credential. The native offline OCR extracts text instantly. No images uploaded. No cloud API. The secret stays on your device.
Panic Drop.
Instantly lock the vault and wipe keys from memory with a single action. Decrypted temp files are purged on every lock. Zero forensic trace.
YubiKey Hardware Enclave.
Bind your vault to a physical YubiKey via HMAC-SHA1 Challenge-Response. Without the physical touch of your USB key, the master password alone is mathematically useless.
Five layers of protection
Argon2id key derivation
Your master password is processed through Argon2id — the winner of the Password Hashing Competition — to derive the encryption key. The password itself is never written to disk.
For daily convenience, enable a 6-digit PIN or Android biometric fingerprint for quick unlock. The vault auto-locks after inactivity or when the app is backgrounded.
24-word recovery phrase
During setup, Neoxtemus generates a 24-word recovery phrase — the only way to regain access if you lose your master password. There is no "forgot password" flow and no recovery server.
We also generate a PDF Emergency Kit with a QR code for offline vault restore.
Screenshot & clipboard protection
On Android, FLAG_SECURE blocks screenshots and screen recording. Copied secrets are automatically cleared from the clipboard after a short timeout.
Decrypted temporary files are purged from disk on every vault lock.
Password health monitor
Built-in analysis flags weak, reused, and aging passwords across your entire vault. The integrated password generator creates strong replacements instantly.
Full audit log tracks vault access events, exportable to CSV.
Technical specification: AES-256-GCM authenticated encryption with Argon2id key derivation. These are industry-standard cryptographic choices used in widely trusted secure systems. Built in Rust — no garbage collection, memory-safe by design.
One vault for everything
Username, password, URL, TOTP
Number, expiry, CVV, cardholder
Name, email, phone, address
Seed phrase, address, network
Account, routing, bank name
Document number, expiry, nationality
Product key, product name, URL
Freeform encrypted text
Any file type, stored in-vault
Local by design
Your vault file is AES-256-GCM encrypted. On disk, it is indistinguishable from random data. No keys stored alongside it.
No account creation. No email. No sign-in. Neoxtemus does not know who you are and has no mechanism to find out.
There is no analytics code in the binary. We have no way to know how you use the app, how often you open it, or what you store.
Two-factor codes are computed on your device using standard TOTP. No separate authenticator app needed. No network connection required.
Photograph Wi-Fi labels, API keys, or printed credentials. Text extraction runs fully offline — no images uploaded, no cloud API.
Export your vault as an encrypted .nex file any time. Store it on a USB drive, cloud storage, or email it to yourself — without your master password, the file is unreadable. If your device is lost or replaced, restore the backup on your new device in seconds.
Use Neoxtemus on your phone, laptop, and tablet. Set up each device by restoring from the same encrypted backup. No account, no cloud sync — just one backup file and your master password.
Switching from another password manager? Import directly from CSV or JSON exports. Neoxtemus detects common formats automatically and shows a preview before importing.
Every vault access event is recorded locally. Export to CSV for compliance or personal review. No audit data leaves your device.
People who take privacy seriously
Professionals — doctors, accountants, coaches, freelancers — who handle sensitive client data and need to keep it off third-party servers.
Crypto holders — who need a secure, offline place for seed phrases and wallet credentials that no company can access.
Privacy-conscious individuals — who want their passwords, IDs, and financial data stored under their control, not someone else's.
Backup, restore & multi-device
No cloud sync does not mean no portability. Neoxtemus gives you full control over how your vault moves between devices — using encrypted files only you can open.
Back Up
In Settings, tap Export Backup. Neoxtemus creates an encrypted .nex file — AES-256-GCM protected by your master password. Save it to a USB drive, cloud storage, or email. Without the password, the file is unreadable.
Set Up Another Device
Install Neoxtemus on your second device. Activate with the same license email. Then tap Restore and select your .nex file. Enter your master password — your full vault appears instantly.
Migrate to a New Phone
Export a fresh backup on your old device. Install Neoxtemus on the new one. Restore from the backup. Deactivate the old device from Settings if you've reached 3 devices. Done.
Why this is safer than cloud sync: Your vault is never stored on anyone else's servers. Backup files are encrypted end-to-end — you can store them on Google Drive, iCloud, Dropbox, or a USB stick. Even if someone intercepts the file, it is cryptographically useless without your master password.
You own it. You protect it.
Because there are no servers, there is no "forgot password" reset. This is the security model — not a missing feature. Neoxtemus gives you two safety nets:
- 24-word recovery phrase — generated during setup. Write it down and store it separately. It can unlock your vault if you lose your master password.
- Encrypted .nex backups — export regularly. If your device breaks or is lost, restore on any new device with your master password.
- PDF Emergency Kit — generated during setup, includes a QR code for offline vault restore.
Keep these in a safe place. As long as you have your master password (or recovery phrase) and a recent backup, your vault is always recoverable — no company, no server, no third party needed.
Three steps. Under a minute.
Install
Download the installer and run it. One executable, no dependencies, native binary.
Create Your Vault
Set a master password. Optionally add a 6-digit PIN for quick unlock. That's it.
Start Storing
Add passwords, secrets, 2FA codes, notes. Everything encrypted instantly. Works offline forever.
Own It. No Subscription.
Secure checkout via Stripe. No account required.
Independent publisher: The installer is not code-signed yet. On Windows, SmartScreen may show a warning — click "More info" then "Run anyway."
30-Day Refund Policy
Full refund within 30 days of purchase. No forms, no justification required. Email neoxtenstudios@gmail.com with your purchase receipt. Refunds are typically processed within 5–10 business days.
Frequently Asked
What if I forget my master password?
Use your 24-word recovery phrase to regain access. If you've lost both the master password and the recovery phrase, the vault is irrecoverable — this is the security model, not a missing feature.
Can NeoXten recover my data?
No. There is no infrastructure that receives or stores your vault data. We cannot access, decrypt, or recover it under any circumstances.
What if my device breaks or gets lost?
The vault on the lost device is encrypted — without your master password, it is unreadable. To recover: install Neoxtemus on your new device, activate with the same license email, and restore from your encrypted .nex backup file. Your full vault is back in seconds.
How do I set up Neoxtemus on a second device?
Export an encrypted backup from your first device (Settings → Export Backup). Install Neoxtemus on the second device and activate with the same license email. Tap Restore, select the .nex file, and enter your master password. Both devices now have the same vault.
Is it safe to store backups in Google Drive / Dropbox / iCloud?
Yes. Backup files are encrypted with AES-256-GCM — the same protection as the vault itself. Without your master password, the file cannot be decrypted, regardless of where it is stored. Cloud storage is a convenient, safe place for your encrypted backups.
How do I migrate to a new phone or computer?
On your old device, export a fresh backup (Settings → Export Backup). On the new device, install Neoxtemus, activate with your license email, and restore from the backup. If you've reached 3 devices, deactivate the old one in Settings first.
Can I switch from another password manager?
Yes. Export your data from your current manager as CSV or JSON. In Neoxtemus, use Import and select the file — common formats are detected automatically. Preview your data before confirming the import.
How many devices can I use?
Your lifetime license covers up to 3 devices (for example: phone, laptop, and tablet). You can manage and deactivate devices from within the app whenever you switch hardware.
Do my devices sync automatically?
No — and that is intentional. Automatic sync requires cloud servers, which creates exactly the attack surface Neoxtemus eliminates. Instead, you keep devices in sync by restoring from the same backup file. It takes seconds and your data never passes through anyone else's infrastructure.
Does Neoxtemus replace my authenticator app?
Yes. Neoxtemus has a built-in TOTP authenticator that generates 2FA codes locally. Add TOTP secrets to any login entry and codes are computed on-device — no separate app needed.
What is the app built with?
Tauri 2 and SvelteKit. Native Rust backend with a lightweight web frontend — no Electron, no Chromium bloat. Compact install, launches in seconds.