AliasVault

AliasVault is a privacy‑first, end‑to‑end encrypted password and email alias manager designed for self‑hosting. From a developer’s perspective, it provides a single monolithic codebase that can be deployed on any Linux host or container platform while exposing a RESTful API and WebSocket endpoints for real‑time synchronization. The application bundles its own lightweight SMTP server, eliminating external email dependencies and ensuring that all data remains within the host environment.

Technical Stack

• Language & Runtime: C# (.NET 8) with minimal API architecture, leveraging System.Text.Json for high‑performance serialization.
• Web Framework: ASP.NET Core 8 with Razor Pages for the web UI and SignalR for live updates.
• Database: PostgreSQL 15 (optionally SQLite in dev) accessed via Entity Framework Core, with JSONB columns for flexible vault schema.
• Email: Built‑in MailKit SMTP server that supports DKIM/DMARC signatures, enabling AliasVault to act as a fully functional mail host.
• Containerization: Official Docker images (multi‑stage build) expose ports 80/443 for HTTPS and 2525 for SMTP, with optional docker‑compose templates for quick spin‑up.

Core Capabilities & APIs

• Vault CRUD: Create, read, update, delete entries with granular field‑level encryption keys derived from the user’s master password.
• Alias Generation: Algorithmic alias creation (e.g., john.doe+shop@aliasvault.com) with configurable domain suffixes.
• Email Routing: Receive inbound mail, parse X‑AliasVault headers, and route to the correct user mailbox via internal API.
• Webhooks: Expose HTTP callbacks for events such as new password entry, alias creation, or mailbox activity.
• SDK: A lightweight C# SDK (NuGet) that wraps the REST API, handles encryption/decryption locally, and manages token refresh.

Deployment & Infrastructure

• Self‑Hosting: Requires a Linux server with Docker or plain .NET runtime. The application runs as a single process, making it suitable for VPS or cloud droplets (DigitalOcean, Linode).
• Scalability: Stateless API layer allows horizontal scaling behind a reverse proxy (NGINX/Traefik). The PostgreSQL instance can be replicated using logical replication or managed services.
• High Availability: Built‑in health checks, graceful shutdown hooks, and support for persistent storage volumes.

Integration & Extensibility

• Plugin System: Developers can drop custom DLLs into the /plugins folder; the host loads them at startup, enabling features like MFA providers or custom storage adapters.
• OAuth & SSO: Supports OpenID Connect for federated authentication, making it easy to integrate with corporate identity providers.
• Webhooks & Callbacks: Exposes a generic webhook endpoint that can be consumed by CI/CD pipelines or monitoring tools.
• Custom Domains: AliasVault can serve on any domain, with automatic Let's Encrypt support via the built‑in Certbot integration.

Developer Experience

• Configuration: YAML/JSON config files with sensible defaults; environment variables override for CI/CD pipelines.
• Documentation: Comprehensive API reference on docs.aliasvault.net, including example payloads and encryption flow diagrams.
• Community: Active Discord channel for support, GitHub Discussions for feature requests, and a contribution guide that encourages plugin development.

Use Cases

• Enterprise Zero‑Trust: Deploy AliasVault as an internal vault for developers, automatically generating unique aliases per project to prevent credential reuse.
• Personal Privacy: Self‑host on a home server or NAS to maintain full control over passwords and email routing without third‑party services.
• DevOps Automation: Use the API to programmatically generate credentials for CI runners, injecting them into build pipelines securely.

Advantages

• Full Control: No data leaves the host; all encryption happens client‑side, ensuring compliance with strict privacy regulations.
• Performance: .NET 8’s minimal API and SignalR provide low‑latency sync across devices, outperforming many legacy password managers.
• Extensibility: The plugin architecture and open API make it straightforward to add custom authentication, storage backends, or integrate with existing tooling.
• Licensing: MIT‑licensed codebase removes any commercial restrictions, allowing free use in open‑source or proprietary projects.

AliasVault’s blend of a modern .NET stack, built‑in email server, and developer‑friendly extensibility makes it an attractive choice for teams that require a self‑hosted, privacy‑centric password manager with rich API integration.