finds.dev← search

// the find

evilsocket/arc

★ 967 · JavaScript · GPL-3.0 · updated Jul 2024

A manager for your secrets.

Arc is a self-hosted password and secrets manager with a Go backend and a browser-based frontend. Encryption happens entirely client-side using WebCrypto (AES-256-GCM), so the server never sees plaintext. It's aimed at developers who want to run their own secrets store on isolated hardware like a Raspberry Pi rather than trust a cloud provider.

Client-side encryption is the right call — the server is just an encrypted blob store, which limits the blast radius of a server compromise. The field type system (TOTP, markdown, file attachments, password generator) is more complete than most self-hosted alternatives. Tailscale/Headscale integration is a practical way to avoid exposing the server to the public internet. Cross-platform binary releases including ARM/MIPS mean it genuinely runs on the cheap hardware it recommends.

Last meaningful push was July 2024 and the project shows signs of stagnation — the webui still vendors Bootstrap 3-era dependencies and jQuery, which means the frontend is carrying a lot of dead weight and won't get security updates. The JavaScript is split across individual loose files with no bundler or module system, so auditing the crypto path requires manually tracing a global variable chain. Using a different encryption key per login session is presented as a feature, but in practice it's a UX trap — if you forget which key encrypted which record, that data is gone. There's no password sharing or multi-user support, which limits it to strict single-user setups.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →