The KeePassXC experience for your Vaultwarden vault

Clavix is a fast, native desktop client for Vaultwarden and Bitwarden — the comfortable tree vault with real drag & drop that the self-hosted community has been missing.

Download for desktop View source

Linux macOS Windows Built with Tauri 2 GPL-3.0

Clavix — My Vault

G GitLab — self-hostedops@acme.dev drag → Work

M Mailcow adminpostmaster@acme.dev

S SSH — build servered25519 · used by agent

N Nextcloud2FA · TOTP

V Vaultwarden masterYubiKey unlock enrolled

Client-side encryption No telemetry, ever Works offline 100% open source Native & lightweight

Features

Everything KeePassXC users miss in the official client

Clavix talks to your real Vaultwarden or Bitwarden server — it just gives you a far nicer way to live in your vault.

Tree vault & drag & drop

A real hierarchical tree built from your parent/child folder names and org collections. Drag items onto folders, drag whole folders to reorganise — sub-folders cascade-rename on the server.

Full 2FA, including WebAuthn

TOTP, YubiKey OTP and WebAuthn / FIDO2 — Clavix drives your hardware key over CTAP2/HID itself, so security keys work even though a desktop app isn't a browser on your vault's domain.

Embedded SSH agent

Exposes the Ed25519 and RSA keys from your vault over a Unix socket, so ssh, git and scp use them without ever writing private keys to disk — like Bitwarden Desktop's agent. (Linux / macOS)

Built-in security audit

One click runs a Have I Been Pwned k-anonymity breach lookup and flags reused and weak passwords locally with zxcvbn — no password or hash ever leaves your machine in the clear.

Live TOTP & QR scanner

Generates rolling TOTP codes from stored secrets (custom period, digits and hash), and scans QR codes with your camera to capture a new TOTP secret while editing a login.

Encrypted offline cache

The whole vault is cached in encrypted SQLite under the user key. Re-open Clavix on a plane and your vault shows up instantly, read-only, with no server round-trip.

YubiKey unlock

After auto-lock, touch a registered FIDO2 key to release the cached user key instead of re-typing your master password — CTAP2 hmac-secret, conceptually the same as Bitwarden's PRF unlock.

KeePassXC import

Bring a KeePassXC CSV export straight in — Clavix creates a folder per Group on the fly, so your existing hierarchy lands intact instead of as a flat dump.

System tray & auto-lock

Lives in the tray with a right-click menu, hides on close like KeePassXC, and auto-locks on idle — a Rust watchdog drops the in-memory session even if the window freezes. Clipboard clears after 30 s.

Security model

Your master password never leaves your device

Clavix reimplements the Bitwarden crypto in Rust (it does not bundle the ambiguously-licensed official SDK). Everything sensitive stays local.

Only derived values are sent

The server sees the master-password hash for auth and never the password itself; the master key stays on the client for decryption.

AES-256-CBC + HMAC-SHA256

Personal vault items are decrypted and encrypted client-side; organization keys use RSA-OAEP. PBKDF2 and Argon2id KDFs are both supported.

Keys zeroized on drop

Every sensitive key derives ZeroizeOnDrop, wiping its bytes from memory the moment it's no longer needed.

Encrypted session at rest

The refresh token on disk is itself encrypted under the user key; the access token auto-refreshes 60 s before expiry. Files are written 0600.

Honest status: Clavix is alpha. The cryptography has not been independently audited and a significant part of the code was AI-assisted under human review. Don't trust it with irreplaceable secrets yet — see the disclaimer.

crypto.rs

// Master password is derived locally — the plaintext
// never touches the network or the disk.
let master_key = pbkdf2(&password, &email, iters);
let hash       = auth_hash(&master_key, &password);

// Only `hash` is sent to Vaultwarden.
client.login(email, hash).await?;

// Vault items decrypt client-side…
let cipher = decrypt_aes_cbc_hmac(&enc, &key)?;

// …and keys wipe themselves on drop.
impl Drop for MasterKey {
    fn drop(&mut self) { self.0.zeroize(); } // ✓
}

How it compares

Clavix vs. the alternatives

Why build another client? Because nothing else gives self-hosters a proper tree with drag & drop and full write access for free.

	Clavix	Bitwarden Desktop	Keyguard
Tree vault (nested folders)
Drag & drop items / folders
Create & edit items (write)			Premium only
Embedded SSH agent
WebAuthn / FIDO2 login
Native (not Electron)	Tauri / Rust	Electron	Compose
Self-hosted friendly
Price	Free · GPL-3.0	Free / Premium	Free / Premium

Comparison reflects publicly documented features at the time of writing. Clavix is not affiliated with Bitwarden, Vaultwarden, Keyguard or KeePassXC.

Download

Get Clavix for your platform

Free and open source. Pick a build below — links always resolve to the newest release.

Latest release: loading…

Linux

AppImage portable Debian / Ubuntu .deb Fedora / RHEL .rpm

macOS

Universal disk image .dmg App bundle .app.tar.gz

Not yet code-signed — right-click → Open on first launch.

Windows

Installer .exe MSI package .msi

Not yet code-signed — SmartScreen may warn on first run.

Or build from source — see the development guide, or browse all releases.

FAQ

Frequently asked questions

What is Clavix?

Clavix is a native desktop client for Vaultwarden and Bitwarden. It connects to your existing server and gives you a KeePassXC-style hierarchical vault with drag & drop, plus features the official client lacks — an embedded SSH agent, a security audit, YubiKey unlock and more.

Does it work with my self-hosted Vaultwarden?

Yes — that's the whole point. You enter your own server URL at login. It also works against bitwarden.com. Clavix never sends data anywhere except your configured server (and Have I Been Pwned's k-anonymity API, hash-prefixed, when you run the audit).

Is it safe to use with my real vault?

Clavix is alpha. The cryptography hasn't been independently audited and part of the code was written with AI assistance under human review. Treat it as experimental — test against a throwaway vault first and read the disclaimer before trusting it with real secrets.

Which platforms are supported?

Linux (AppImage, .deb, .rpm), macOS (universal .dmg) and Windows (.exe / .msi). The embedded SSH agent is currently Unix-only (Linux/macOS); Windows named-pipe support is on the roadmap.

Does Clavix use the official Bitwarden SDK?

No. The Bitwarden SDK has an ambiguous license, so Clavix reimplements the crypto in-project under GPL-3.0, inspired by rbw. The frontend is Svelte 5 + TypeScript; the backend is Rust on Tauri 2.

Is it really free?

Yes — Clavix is free and open source under the GPL-3.0-or-later license, with no premium tier. Write access, the SSH agent and the security audit are all included. Contributions are welcome on GitHub.

Bring your Vaultwarden vault home

A comfortable tree, real drag & drop, and the keys that matter — on Linux, macOS and Windows.

Download Clavix Star on GitHub