✦ · · · ✦ · · · · ✦ · · ✦ · · · · · ✦ · · · ✦
Self-hosted encrypted recovery code vault.
Runs on your machine. AES-256 encrypted. No cloud. No accounts.
Warning
🚧 Work in progress — not ready for use.
This project is under active development. Things may be broken, incomplete, or change without notice. Use at your own risk.
services:
andromeda:
image: ghcr.io/matejselko/andromeda:latest
container_name: andromeda
restart: unless-stopped
ports:
- "3456:3000" # HTTPS — access via https://your-server-ip:3456
# Port 3002 is NOT exposed — it's internal healthcheck only
volumes:
- andromeda-data:/data
environment:
- DATA_FILE=/data/vault.enc
- CERT_DIR=/data/certs
volumes:
andromeda-data:docker stop andromeda
docker rm andromeda
# Remove data too (irreversible!)
docker volume rm andromeda-data- 🔒 AES-256-GCM encryption — happens in your browser, server never sees plaintext
- 🌐 Fully offline after first pull
- 🎨 Service icons — GitHub, Proton, Ente, Google, AWS and more
- ✓ Mark codes as used
- 📦 Export encrypted backup anytime
- 🐳 amd64 + arm64 (works on Raspberry Pi and Apple Silicon)
Stored in a Docker volume at /data/vault.enc. Always encrypted.
Without your master password it is completely unreadable.
⚠️ There is no password recovery. Keep it in a password manager.
Click ⬇ Export inside the app to download a backup at any time.
✦ · · · ✦ · · · · ✦ · · ✦ · · · · · ✦ · · · ✦
Note: I hate programming.