Doriath — Feature Analysis & Product Strategy

Executive Summary

There is no production-ready Nextcloud-native encrypted vault with application secret management. The existing "Passwords" app provides basic password management but lacks enterprise-grade encryption (no PKI, no private CA, no application secrets). The broader market splits into consumer password managers (Bitwarden, 1Password) and infrastructure secret engines (HashiCorp Vault, AWS Secrets Manager) — no tool bridges both worlds on a self-hosted collaboration platform.

Key insight: Nextcloud is already the collaboration hub — users, groups, files, notifications, and search are already there. A Nextcloud-native vault orchestrates these capabilities for secret management: share secrets with Nextcloud users/groups, notify via the bell icon, search from the unified search bar, and manage application credentials alongside your team workspace.

1. Competitive Landscape

Nextcloud App Store

| Name | Status | Downloads | Last Updated | Key Features | Gaps |
|---|---|---|---|---|---|
| Passwords (Marius David Wieschollek) | Active, mature | 500K+ | 2024 | Password CRUD, folder organization, tags, password generator, sharing (user/link), browser extensions, API, client-side encryption options | No private CA, no application secrets, no CSR-based onboarding, no write-without-read, no enterprise key management |
| Secrets (various) | Early/experimental | Low | — | Basic encrypted notes | Not a vault; minimal functionality |

Finding: The "Passwords" app is the main Nextcloud competitor. It is mature and widely adopted but architecturally simpler — it uses server-side encryption (SSE) or client-side encryption (CSE) without PKI infrastructure. It cannot manage application secrets, has no write-without-read capability, and lacks a Certificate Authority for enterprise key management.

Self-Hosted Open Source

| Name | GitHub Stars | Positioning | Key Features | Weaknesses |
|---|---|---|---|---|
| Bitwarden (bitwarden/server) | 16K+ | Full-featured password manager | Web vault, browser extensions, mobile apps, CLI, org vaults, SSO, emergency access, FIDO2, password health reports, Send (ephemeral sharing) | Heavy (.NET stack), requires multiple containers, no Nextcloud integration |
| Vaultwarden | 42K+ | Lightweight Bitwarden-compatible server (Rust) | Same client ecosystem as Bitwarden, single binary, low resource usage, org vaults, Send | No native Nextcloud integration, no application secret management, no private CA |
| Passbolt | 4K+ | Team password manager (PHP/CakePHP) | End-to-end GPG encryption, team sharing, RBAC, LDAP/AD, audit logs, folders, tags, mobile apps, API | GPG-based (not PKI/CA), no application secrets, no write-without-read, complex setup |
| KeePass / KeePassXC | — / 19K+ | Offline password database | KDBX format, strong encryption (AES-256/ChaCha20), browser integration, TOTP, auto-type, plugins | Offline-only, no server, no sharing, no team features, no API |
| Psono | 1.5K+ | Enterprise team password manager | E2E encryption (Curve25519 + Salsa20), team sharing, LDAP, file encryption, API keys, emergency codes | Python/Django stack, smaller community, no Nextcloud integration |
| Teampass | 1.6K+ | Collaborative password manager (PHP) | Team folders, roles, export, API, LDAP, 2FA | Dated UI, PHP but not Nextcloud-integrated, simpler encryption model |
| Padloc | 2.5K+ | Modern cross-platform password manager | Clean UI, E2E encryption (SRP + AES), vaults, sharing, org management | TypeScript/Electron, smaller ecosystem, no application secrets |

Enterprise SaaS

| Name | Price/user/mo | Target Audience | Key Features | Why Not |
|---|---|---|---|---|
| 1Password | $8–20 | Teams, enterprises | Vaults, sharing, Watchtower (breach detection), SSO, SCIM, CLI, secrets automation, service accounts | SaaS-only, US jurisdiction, expensive at scale, data sovereignty |
| LastPass | $4–7 | Consumer, small teams | Password vault, sharing, dark web monitoring, SSO, admin console | Repeated security breaches, SaaS-only, trust issues |
| HashiCorp Vault | Free OSS / $1.58/hr (HCP) | DevOps, platform teams | Dynamic secrets, secret engines, PKI engine, transit encryption, audit logging, policies, namespaces | Infrastructure tool (not a password manager), complex, no end-user UI |
| AWS Secrets Manager | $0.40/secret/mo | AWS-native workloads | Secret rotation, RDS integration, cross-account sharing, CloudFormation | Cloud-locked, no user-facing UI, no sharing, not self-hosted |
| Proton Pass | Free–$4 | Privacy-focused consumers | E2E encrypted, zero-knowledge, aliasing, Proton ecosystem integration | Consumer-focused, no team features, no application secrets, SaaS-only |
| Keeper | $5–8 | Enterprises | Zero-knowledge, secrets manager, connection manager, PAM, compliance reports | SaaS-only, expensive, complex licensing |

Dutch Government

| Name | Type | Status | Key Features |
|---|---|---|---|
| Haven (NLnet Labs) | Research / PKI toolkit | Active development | RPKI tooling, not a secrets manager |
| No direct equivalent | — | — | Dutch government has no mandated secrets management standard. Municipalities typically use commercial tools (1Password, Azure Key Vault) or rely on OS-level key management |

Finding: There is no Dutch government standard or Common Ground component for secrets management. This is an opportunity — Doriath could become the reference implementation for sovereign secrets management in the Dutch public sector.

2. Feature Matrix

Core Secret Management

| Feature | Tier | Justification |
|---|---|---|
| Secret CRUD (name, key, login, url, additional fields) | MVP | Core entity — see secrets spec |
| Secret types (login, api_key, ssh_key, certificate, note, database) | MVP | UI hint system with 6 system types |
| Custom secret types (user-scoped and admin global) | MVP | Extensibility for org-specific secret categories |
| Folder organization (tree hierarchy per user) | MVP | Essential organizational pattern |
| Folder CRUD (create, rename, move, delete with cascade options) | MVP | Full folder management |
| Secret list with search, sort, pagination | MVP | Core navigation |
| Copy-to-clipboard on secret list items | MVP | Most-used action — copy password without opening detail (Bitwarden, 1Password pattern) |
| Show/hide toggle on password fields | MVP | Standard pattern — passwords hidden by default with eye icon |
| Favicon/icon next to secrets by URL | MVP | Visual identification of which service a secret belongs to (1Password, Bitwarden) |
| Secret detail view with type-specific field presentation | MVP | Critical UX pattern |
| Fuzzy search by name and URL (Levenshtein tolerance) | MVP | Typo-tolerant search |
| Nextcloud unified search integration (IProvider) | MVP | Find secrets from Ctrl+F without opening Doriath |
| Deep-link from search results via lock screen | MVP | Seamless search → vault flow |
| Bulk secret operations (delete, move folder) | V1 | Efficiency for large vaults |
| Secret import (CSV, Bitwarden JSON, KeePass XML) | V1 | Migration from other tools |
| Secret export (encrypted backup, CSV) | V1 | Data portability |
| Favorite/pinned secrets | V1 | Quick access to frequently used secrets |
| Recently accessed secrets | V1 | Convenience pattern from all major vaults |
| Password health scoring per secret | V1 | Flag weak, reused, or old passwords (Bitwarden Reports, 1Password Watchtower) |
| Secret strength indicator in list view | V1 | Color-coded strength badge next to each secret (Passbolt, Bitwarden) |
| Vault search with keyboard shortcut (Ctrl+K) | V1 | Power-user quick access (1Password pattern) |
| Dark mode support | V1 | User preference; Nextcloud supports dark mode natively |
| Secret tags (in addition to folders) | Enterprise | Cross-cutting categorization |
| Custom fields per secret type (admin-defined) | Enterprise | Organization-specific field requirements |
| Breach detection (HaveIBeenPwned) for secret URLs | Enterprise | Proactive security alerts for compromised URLs (1Password Watchtower) |
| Password age indicator | Enterprise | Show how old each secret is; flag stale credentials |
| Export to PDF (single secret) | Enterprise | Print-friendly credential sheet for offline backup (KeePassXC) |
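The "fuzzy search by name and URL (Levenshtein tolerance)" row above names the algorithm but not how a tolerance applies to secret names and URLs. The following is an added example, not Doriath's own code: it compares the query against each word of the secret name and of the URL (scheme stripped, so a query like "http" does not match every secret) and accepts an edit distance up to the tolerance. The sample secrets, the field names `name`/`url`, and the per-token matching strategy are assumptions.

```python
import re

# Constructed sample vault entries (not real credentials); only the searchable
# metadata fields are shown, since name and URL are what the search indexes.
SAMPLE_SECRETS = [
    {"name": "GitHub deploy key", "url": "https://github.com/org"},
    {"name": "Postgres prod", "url": "postgres://db.internal:5432"},
    {"name": "Jira", "url": "https://atlassian.net"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row DP table (O(len(a) * len(b)))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _tokens(text: str) -> list[str]:
    """Lower-case alphanumeric words; the URL scheme is dropped first so that
    'https' never becomes a near-match for every stored URL."""
    text = re.sub(r"^[a-z][a-z0-9+.-]*://", "", text.strip().lower())
    return re.findall(r"[a-z0-9]+", text)


def match_score(query: str, candidate: str, tolerance: int):
    """0 for an exact substring hit, otherwise the smallest edit distance to any
    word of the candidate if it is within tolerance, else None."""
    q = query.lower()
    if q in candidate.lower():
        return 0
    tokens = _tokens(candidate)
    if not tokens:
        return None
    best = min(levenshtein(q, tok) for tok in tokens)
    return best if best <= tolerance else None


def fuzzy_search(query: str, secrets: list[dict], tolerance: int = 2) -> list[str]:
    """Return secret names whose name or URL matches within tolerance,
    best matches first (ties broken alphabetically)."""
    hits = []
    for s in secrets:
        scores = [sc for sc in (match_score(query, s.get("name", ""), tolerance),
                                match_score(query, s.get("url", ""), tolerance))
                  if sc is not None]
        if scores:
            hits.append((min(scores), s["name"]))
    hits.sort()
    return [name for _, name in hits]


if __name__ == "__main__":
    for q in ("githb", "postgress", "atlasian", "xyz"):
        print(q, "->", fuzzy_search(q, SAMPLE_SECRETS))
```

A tolerance of 2 is generous for short queries; a production implementation would scale it with query length (for example 1 edit for queries under 6 characters) so that three-letter queries do not match unrelated secrets.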

Encryption & Key Management

| Feature | Tier | Justification |
|---|---|---|
| RSA-4096 encryption of secrets via EncryptionSuite | MVP | Core security — see encryption-suites spec |
| AES-256 encryption of private keys with master password | MVP | Private key protection |
| Private CA bootstrap (root + intermediate) on first setup | MVP | Certificate infrastructure |
| Automatic EncryptionSuite creation on first login | MVP | Zero-friction onboarding |
| Master password session with configurable timeout | MVP | Balance security and convenience |
| Lock screen (full page, not overlay) | MVP | Session expiry handling |
| Tab-close session clearing | MVP | Prevent stale sessions |
| Master password strength enforcement (zxcvbn ≥ 3) | MVP | NIST-aligned password policy |
| Live password strength feedback | MVP | User guidance during setup |
| Routine master password change (re-wrap private key) | MVP | Password hygiene |
| Compromise recovery (full key rotation + migration) | MVP | Security incident response |
| Suite migration with per-secret error tracking | MVP | Reliable recovery |
| Suite revocation and reinstatement | MVP | Admin control |
| CA certificate auto-renewal (intermediate) | V1 | Operational continuity |
| CA health check in admin panel | V1 | Admin visibility |
| Admin-configurable minimum password length and score | V1 | Policy enforcement |
| Root certificate manual renewal with admin notifications | V1 | Planned lifecycle management |
| Forced intermediate renewal (leaked key scenario) | V1 | Emergency response |
| Password expiry reminders for secrets | Enterprise | Credential rotation prompts |
| Multiple encryption suites per user (key rotation) | Enterprise | Advanced key management |
| Custom CA chain upload | Enterprise | Integrate with existing PKI |
| Post-quantum cryptography (when PHP supports it) | Enterprise | Future-proofing |

Key Generator

| Feature | Tier | Justification |
|---|---|---|
| Random key generation with configurable length | MVP | See key-generator spec |
| Special character toggle (OWASP set) | MVP | Accommodate target system requirements |
| Character exclusion | MVP | Avoid ambiguous characters |
| Regex override for advanced patterns | MVP | Developer-friendly power feature |
| Integration with secret creation UI | MVP | Seamless workflow |
| Key generation API endpoint | MVP | Programmatic access |
| Password strength indicator on generated keys | V1 | Visual feedback |
| Pronounceable password option | V1 | Human-friendly passwords |
| Passphrase generation (word-based) | V1 | Diceware-style passphrases |
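The four MVP generator controls above (length, OWASP special-character toggle, character exclusion, regex override) fit in one small function. This is an added example and not the key-generator spec's code. It assumes the "OWASP set" is the 33-character OWASP password special-characters list, and it implements the regex override as rejection sampling (keep drawing until the key fully matches the pattern), which is one possible reading of that feature. It draws from `secrets`, the CSPRNG a password generator must use; `random` would be a defect here.

```python
import re
import secrets
import string
from typing import Optional

# OWASP "Password Special Characters" list (assumption: this is the set the
# special-character toggle refers to). Includes the space character.
OWASP_SPECIAL = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

# Constructed default for the character-exclusion feature: visually ambiguous glyphs.
AMBIGUOUS = "Il1O0|"


def build_alphabet(use_special: bool, exclude: str = "") -> str:
    """Letters and digits, plus the OWASP specials when enabled, minus excluded characters."""
    alphabet = string.ascii_letters + string.digits
    if use_special:
        alphabet += OWASP_SPECIAL
    alphabet = "".join(ch for ch in alphabet if ch not in exclude)
    if not alphabet:
        raise ValueError("exclusion list leaves no characters to draw from")
    return alphabet


def generate_key(length: int = 32, use_special: bool = True, exclude: str = "",
                 pattern: Optional[str] = None, max_attempts: int = 10_000) -> str:
    """Generate a random key of `length` characters from a CSPRNG.

    pattern: optional regex the whole key must match (the "regex override").
    Implemented as rejection sampling, so an impossible or very restrictive
    pattern fails with ValueError instead of looping forever.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    alphabet = build_alphabet(use_special, exclude)
    regex = re.compile(pattern) if pattern else None
    for _ in range(max_attempts):
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if regex is None or regex.fullmatch(key):
            return key
    raise ValueError("no generated key matched the pattern within max_attempts")


if __name__ == "__main__":
    print(generate_key(24))                                   # full alphabet
    print(generate_key(16, use_special=False, exclude=AMBIGUOUS))
    print(generate_key(12, use_special=False, pattern=r".*\d.*"))  # at least one digit
```

Rejection sampling keeps the output uniform over the keys that satisfy the pattern; the `max_attempts` cap is what turns a malformed or contradictory user pattern (for example `[A-Z]{3}` with a 12-character length) into an error instead of a hung request.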

User Sharing

| Feature | Tier | Justification |
|---|---|---|
| Share secret with Nextcloud user (encrypted copy) | MVP | See user-sharing spec |
| Sync-on-update (changes propagate to all copies) | MVP | Shared secrets stay current |
| Share with Nextcloud group (static expansion) | MVP | Team sharing |
| Notification on share received | MVP | User awareness |
| Revoke share (delete recipient's copy) | MVP | Access control |
| Share visibility (owner sees recipients; recipients don't) | MVP | Privacy by design |
| Share request (recipient asks owner to share with third party) | MVP | Controlled re-sharing |
| New group member notification + approval | MVP | Owner control over group expansion |
| Auto-revoke on group member leave | MVP | Automatic access cleanup |
| Ownership delegation (admin power grab, user self-delegation) | V1 | Continuity when owner is unavailable |
| Delegation reclaim | V1 | Owner regains control |
| Permanent delegation on suite revocation | V1 | Graceful ownership transfer |
| Compromised suite → owner notification for shared secrets | V1 | Security incident awareness |

Link Sharing

| Feature | Tier | Justification |
|---|---|---|
| Password-protected share link with usage limit | MVP | See link-sharing spec |
| Argon2id KDF for snapshot encryption | MVP | Memory-hard protection |
| Brute-force protection (5 attempts → auto-delete) | MVP | Hostile access defense |
| Point-in-time snapshot (intentional staleness) | MVP | Predictable behavior |
| Multiple concurrent link shares per secret | MVP | Flexibility |
| Manual link revocation | MVP | Owner control |
| Link share expiry (optional) | V1 | Time-limited access |
| Link share access audit log | Enterprise | Compliance tracking |
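The link-sharing rows describe a small state machine: a password verified through a memory-hard KDF, a usage counter, a five-failure auto-delete, an optional expiry, and a snapshot that deliberately does not track later edits to the secret. The following added example models that access-control logic; it is not the link-sharing spec's code. It uses `hashlib.scrypt` from the standard library as a stand-in for Argon2id (the page's choice; `argon2-cffi` provides it), keeps the snapshot in memory instead of encrypting it, and does not reset the failure counter on success. Token format, salt size and the HMAC-based verifier are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # page: 5 attempts -> auto-delete
VERIFIER_LABEL = b"doriath-link-verifier"   # constructed domain-separation label


def derive_key(password: str, salt: bytes) -> bytes:
    # Stand-in for Argon2id: scrypt is also memory-hard and ships in hashlib.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class LinkShare:
    verifier: bytes          # HMAC(key, label); never the derived key itself
    salt: bytes
    snapshot: dict           # point-in-time copy of the secret's fields
    uses_left: int
    expires_at: Optional[float] = None   # unix time; None = no expiry (V1 feature)
    failed_attempts: int = 0


class LinkShareStore:
    """In-memory store of link shares keyed by an unguessable URL token."""

    def __init__(self) -> None:
        self._shares: dict[str, LinkShare] = {}

    def create(self, secret_fields: dict, password: str, max_uses: int,
               expires_at: Optional[float] = None) -> str:
        if max_uses < 1:
            raise ValueError("max_uses must be at least 1")
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        verifier = hmac.new(derive_key(password, salt), VERIFIER_LABEL, hashlib.sha256).digest()
        # dict() copies: later edits to the live secret must not leak into the link.
        self._shares[token] = LinkShare(verifier, salt, dict(secret_fields), max_uses, expires_at)
        return token

    def open(self, token: str, password: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the snapshot on success; None on wrong password, exhaustion,
        expiry or unknown token (all indistinguishable to the caller)."""
        share = self._shares.get(token)
        if share is None:
            return None
        now = time.time() if now is None else now
        if share.expires_at is not None and now >= share.expires_at:
            self.revoke(token)
            return None
        candidate = hmac.new(derive_key(password, share.salt), VERIFIER_LABEL, hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, share.verifier):
            share.failed_attempts += 1
            if share.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.revoke(token)           # brute-force protection: destroy the share
            return None
        share.uses_left -= 1
        result = dict(share.snapshot)
        if share.uses_left <= 0:
            self.revoke(token)               # usage limit reached
        return result

    def revoke(self, token: str) -> None:
        """Manual owner revocation; also used internally for auto-delete."""
        self._shares.pop(token, None)

    def exists(self, token: str) -> bool:
        return token in self._shares
```

Returning the same `None` for every failure mode keeps an attacker from learning whether a token is live, and `hmac.compare_digest` avoids a timing side channel on the verifier comparison; the memory-hard KDF call on every attempt is what makes the five allowed guesses expensive even offline.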

Secret Requests

| Feature | Tier | Justification |
|---|---|---|
| Fill-in link for write-without-read submission | MVP | See secret-requests spec |
| Request for own secrets and application secrets | MVP | Dual use case |
| Notification on fulfillment | MVP | Requester awareness |
| Field validation (all requested fields non-empty) | MVP | Data completeness |
| Write-once semantics | MVP | Security guarantee |
| Re-request (credential rotation via new fill-in link) | MVP | Operational workflow |
| Optional request expiry | V1 | Time-limited requests |
| Request audit trail | Enterprise | Compliance tracking |

Application Management

| Feature | Tier | Justification |
|---|---|---|
| Application registration (any user, incl. anonymous) | MVP | See application-mgmt spec |
| Approval queue for non-admin registrations | MVP | Admin control |
| EncryptionSuite via CSR (app manages own private key) | MVP | Standard PKI pattern |
| EncryptionSuite via generated key pair (private key returned once) | MVP | Convenience option |
| Admin notification on pending registration | MVP | Timely approval |
| Pending applications counter on dashboard | MVP | Admin visibility |
| Application deletion (hard delete with cascade) | MVP | Lifecycle management |
| Write secret for application (write-without-read) | MVP | Core security pattern |
| Application API authentication (RFC 7523 JWT Bearer) | V1 | Standardized API access |
| Application secret retrieval via REST API | V1 | Programmatic consumption |
| OpenConnector integration (secret store for connectors) | V1 | Sister app integration |

Dashboard & Reporting

| Feature | Tier | Justification |
|---|---|---|
| Dashboard with vault summary (total secrets, shared, folders) | MVP | At-a-glance overview |
| Vault health indicator (compromised secrets, migration status) | MVP | Security awareness |
| Pending applications counter (admin only) | MVP | Admin actionability |
| CA health status card (admin only) | V1 | Certificate lifecycle visibility |
| Recently accessed secrets widget | V1 | Quick access |
| Sharing activity summary | V1 | Collaboration overview |
| Password health report (weak, reused, old passwords) | Enterprise | Security audit |
| Breach detection (HaveIBeenPwned integration) | Enterprise | Proactive security |
| Vault usage analytics (admin) | Enterprise | Adoption tracking |

Admin Settings

| Feature | Tier | Justification |
|---|---|---|
| Nextcloud admin settings page | MVP | App configuration |
| CA health status display | MVP | Certificate monitoring |
| Master password minimum length configuration (12–20) | MVP | Policy enforcement |
| Master password minimum score configuration (3–4) | MVP | Strength floor |
| Application approval queue | MVP | Registration management |
| Session timeout global default | V1 | Org-wide policy |
| CA certificate details and expiry dates | V1 | Certificate inspection |
| Forced intermediate renewal button | V1 | Emergency action |
| CA bootstrap retry button | V1 | Recovery from failed setup |
| Global secret type management | V1 | Organization-wide types |
| Secret type CRUD for admin-created global types | V1 | Customization |
| Vault statistics (total users, secrets, shares) | Enterprise | Usage overview |

User Settings (NcAppSettingsDialog)

| Feature | Tier | Justification |
|---|---|---|
| Session timeout preference (Nextcloud session / 10 min / 30 min) | MVP | Per-user security/convenience balance |
| Notification toggle: secret shared with me | MVP | Notification control |
| Notification toggle: secret request fulfilled | MVP | Notification control |
| Notification toggle: group share additions | V1 | Fine-grained control |
| Notification toggle: compromise alerts | V1 | Security notifications |
| Default secret type preference | V1 | Workflow customization |
| Default view preference (list / folder tree) | V1 | Display personalization |

Notifications (OCP\Notification\IManager)

| Event | Subject Key | Setting Category | Recipient Logic | Tier |
|---|---|---|---|---|
| Secret shared with user | secret_shared | notify_shares | Notify recipient | MVP |
| Secret request fulfilled | request_fulfilled | notify_requests | Notify requester | MVP |
| Application pending approval | app_pending | — (always notify admins) | All vault_admins | MVP |
| Group share: new member needs approval | group_member_added | notify_group_shares | Notify secret owner | MVP |
| Share request from recipient | share_request | notify_shares | Notify secret owner | MVP |
| Share request approved/denied | share_request_result | notify_shares | Notify requester | MVP |
| CA certificate expiring (90/30/7 days) | ca_expiring | — (always notify admins) | All admins | V1 |
| Intermediate auto-renewed | ca_renewed | — (always notify admins) | All admins | V1 |
| Shared secret possibly compromised | secret_compromised | notify_security | Notify original owner | V1 |
| Suite revoked by admin | suite_revoked | notify_security | Notify suite owner | V1 |

Backend pattern: NotificationService with SUBJECT_SETTING_MAP constant mapping subjects to user setting keys.

Security & Compliance

| Feature | Tier | Justification |
|---|---|---|
| End-to-end RSA encryption at rest | MVP | Core security model |
| Master password never stored (session-only AES key) | MVP | Zero-knowledge principle |
| Write-without-read for application secrets and requests | MVP | Prevent credential leakage |
| WCAG AA compliance | MVP | Accessibility requirement |
| English + Dutch localization | MVP | Primary markets |
| NL Design System theming support | V1 | Government visual compliance |
| GDPR data export (all user secrets + metadata) | V1 | Right of access |
| GDPR data deletion (user + all shares) | V1 | Right to erasure |
| Audit trail on all secret operations | V1 | Accountability |
| Field-level encryption audit (verify encrypted fields) | Enterprise | Compliance verification |
| Data retention policies | Enterprise | Automated cleanup |

Integration

| Feature | Tier | Justification |
|---|---|---|
| Nextcloud unified search (name + URL) | MVP | Platform integration |
| Nextcloud notifications (shares, requests, CA) | MVP | Platform integration |
| REST API for all operations | V1 | Programmatic access |
| OpenConnector secret store integration | V1 | Sister app integration |
| Browser extension (Bitwarden-compatible API subset) | Enterprise | Auto-fill in browser |
| CLI tool for secret management | Enterprise | DevOps workflow |
| Nextcloud Flows automation triggers | Enterprise | Low-code integration |

3. Settings & Notifications (Derived from Features)

3.1 Admin Settings (IAppConfig)

| Setting | Feature Source | Type | Default | Tier |
|---|---|---|---|---|
| min_password_length | Master password strength | int | 12 | MVP |
| min_password_score | Master password strength | int (3–4) | 3 | MVP |
| default_session_timeout | Session mechanism | enum (session/10min/30min) | session | V1 |
| ca_auto_renew_enabled | CA renewal | bool | true | V1 |
| ca_expiry_notification_days | CA health | JSON array | [90, 30, 7] | V1 |

3.2 User Settings (OCP\IConfig, NcAppSettingsDialog)

| Setting | Feature Source | Type | Default | Tier |
|---|---|---|---|---|
| session_timeout | Session mechanism | enum (session/10min/30min) | (admin default) | MVP |
| notify_shares | User sharing | bool | true | MVP |
| notify_requests | Secret requests | bool | true | MVP |
| notify_group_shares | Group sharing | bool | true | V1 |
| notify_security | Compromise alerts | bool | true | V1 |
| default_secret_type | Secret creation | string | login | V1 |
| default_view | Vault navigation | enum (list/folders) | list | V1 |

3.3 Notifications (OCP\Notification\IManager)

See the Notifications table in Section 2. Each notification event maps to a user setting toggle category. Admin notifications (CA expiry, pending applications) are always delivered and cannot be disabled.
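The Notifications table in Section 2, the `SUBJECT_SETTING_MAP` backend pattern it describes, and the rule stated here (admin notifications cannot be disabled, user toggles default to true) can be checked against a small recipient resolver. This is an added example in Python rather than the app's PHP `NotificationService`; it only decides who receives an event after applying the toggles, and leaves the actual `OCP\Notification\IManager` call out. The payload field names (`recipient`, `requester`, `owner`) and the in-memory settings store are assumptions.

```python
from typing import Dict, List

# Subject -> user setting key, as in the page's SUBJECT_SETTING_MAP.
SUBJECT_SETTING_MAP: Dict[str, str] = {
    "secret_shared": "notify_shares",
    "request_fulfilled": "notify_requests",
    "group_member_added": "notify_group_shares",
    "share_request": "notify_shares",
    "share_request_result": "notify_shares",
    "secret_compromised": "notify_security",
    "suite_revoked": "notify_security",
}

# Subjects with no setting: delivered to every admin, never suppressible.
ADMIN_SUBJECTS = {"app_pending", "ca_expiring", "ca_renewed"}

# Which event-payload field names the single recipient (assumed field names,
# derived from the table's "Recipient Logic" column).
RECIPIENT_FIELD = {
    "secret_shared": "recipient",
    "request_fulfilled": "requester",
    "group_member_added": "owner",
    "share_request": "owner",
    "share_request_result": "requester",
    "secret_compromised": "owner",
    "suite_revoked": "owner",
}


class NotificationService:
    """Resolves the user ids that should receive a notification for a subject."""

    def __init__(self, user_settings: Dict[str, Dict[str, bool]], admins: List[str]) -> None:
        self._settings = user_settings   # {user_id: {setting_key: bool}}
        self._admins = list(admins)

    def wants(self, user_id: str, subject: str) -> bool:
        """User toggles default to true (Section 3.2); admin subjects ignore toggles."""
        key = SUBJECT_SETTING_MAP.get(subject)
        if key is None:
            return True
        return self._settings.get(user_id, {}).get(key, True)

    def resolve(self, subject: str, payload: Dict[str, str]) -> List[str]:
        if subject in ADMIN_SUBJECTS:
            return list(self._admins)
        if subject not in RECIPIENT_FIELD:
            raise ValueError(f"unknown notification subject: {subject}")
        user_id = payload[RECIPIENT_FIELD[subject]]
        return [user_id] if self.wants(user_id, subject) else []


if __name__ == "__main__":
    # Constructed settings: bob has muted share notifications.
    svc = NotificationService({"bob": {"notify_shares": False}}, admins=["admin1", "admin2"])
    print(svc.resolve("secret_shared", {"recipient": "bob"}))        # []
    print(svc.resolve("secret_shared", {"recipient": "alice"}))      # ['alice']
    print(svc.resolve("ca_expiring", {}))                            # both admins
```

Keeping the subject-to-setting map as data (rather than an `if` chain per subject) is what lets the settings dialog, the notifier and the tests all agree on which toggle governs which event; an unknown subject raising instead of silently notifying nobody is the safer failure mode for a security-relevant alert.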

4. Gap Analysis

What Competitors Do Well

  • Bitwarden/Vaultwarden: Massive ecosystem (browser extensions, mobile apps, CLI), FIDO2/WebAuthn, organization vaults with collections, Send for ephemeral sharing, password health reports, breach detection
  • 1Password: Best-in-class UX, Watchtower (security audit), service accounts for CI/CD, SSH agent integration, developer tools
  • HashiCorp Vault: Dynamic secrets (auto-rotating), transit encryption engine, policy-as-code, namespaces for multi-tenancy, comprehensive audit logging
  • Passbolt: True E2E encryption with GPG, team-first design, RBAC with fine-grained permissions, LDAP/AD integration

What They Lack

| Gap | Opportunity for Doriath |
|---|---|
| No Nextcloud integration | Doriath lives in the collaboration platform — users, groups, search, notifications are native |
| No write-without-read | Only Doriath (via asymmetric encryption) lets admins request secrets they can never read |
| No private CA with user certificates | Doriath's PKI infrastructure enables certificate-based identity, not just password storage |
| No application secret management via CSR | Standard PKI pattern for onboarding applications — competitors use API tokens or service accounts |
| No request-based credential provisioning | Secret requests (fill-in links) are unique to Doriath |
| SaaS data sovereignty concerns | Bitwarden/1Password/LastPass store encrypted data on third-party infrastructure |
| No government-first design | No competitor targets Dutch public sector or supports NL Design System |
| Infrastructure vs. user tool split | HashiCorp Vault is too complex for end users; Bitwarden has no infrastructure features |

Nextcloud-Native Advantages

| Capability | Why Competitors Cannot Match It |
|---|---|
| Zero-cost identity layer | Nextcloud users and groups are the sharing model — no separate user directory |
| Unified search integration | Secrets discoverable from Nextcloud's Ctrl+F — no competitor can inject into another platform's search |
| Native notifications | Share alerts, request fulfillment, CA warnings via the bell icon — no separate notification system |
| Group-based sharing | Leverage Nextcloud group membership for team secret access — automatic, no manual sync |
| User lifecycle integration | IUserDeletedEvent cleans up vaults automatically — no orphaned data |
| Sovereign deployment | Same Nextcloud instance, same server, same backup — no external SaaS dependency |
| OpenConnector secret store | Direct integration with Conduction's connector framework — no competitor can offer this |

5. Strategic Positioning

Positioning Statement

Doriath is the vault that lives where your team already works. Built natively into Nextcloud, it provides enterprise-grade encrypted secret management — for humans and applications — without leaving your collaboration platform.

Differentiation Strategy

Three pillars:

  1. Platform leverage — Nextcloud provides identity, groups, search, notifications, and files. Doriath orchestrates them for secret management instead of rebuilding them.
  2. PKI-native architecture — Unlike password managers that bolt on encryption, Doriath is built on a private Certificate Authority with X.509 certificates. This enables write-without-read, application CSR onboarding, and a foundation for future Certificate Authority functionality.
  3. Government-first, enterprise-ready — NL Design System theming, sovereign self-hosted deployment, WCAG AA compliance, and a path to becoming the reference secrets manager for Dutch public sector organizations.

Risks

| Risk | Severity | Mitigation |
|---|---|---|
| Feature gap vs. Bitwarden (browser extension, mobile, FIDO2) | High | Focus on what Bitwarden can't do: Nextcloud integration, write-without-read, application secrets. Browser extension is Enterprise tier. |
| Passwords app incumbency on Nextcloud | High | Differentiate on encryption architecture (PKI vs. SSE), application secrets, and enterprise features. Consider migration tooling. |
| No mobile app | Medium | Nextcloud's mobile apps provide the session; Doriath is web-first. Mobile vault is a future consideration. |
| Complexity of PKI for end users | Medium | Zero-friction onboarding: EncryptionSuite auto-created on first login. Users only interact with master password, never with certificates. |
| Master password lost = data lost | High | This is by design (zero-knowledge). Document clearly. Consider emergency access (V1) or admin recovery mechanisms (Enterprise). |
| Small team | High | Own-DB architecture means more backend code than thin-client apps. Prioritize MVP ruthlessly. |

MVP (45 features)

A fully functional encrypted vault for Nextcloud users and applications. Replaces spreadsheets and insecure credential sharing.

Core Secret Management

  1. Secret CRUD (name, key, login, url, additional fields)
  2. Secret types (6 system types + custom user/global types)
  3. Folder organization (tree hierarchy per user)
  4. Folder CRUD with cascade options
  5. Secret list with search, sort, pagination
  6. Copy-to-clipboard on secret list items
  7. Show/hide toggle on password fields
  8. Favicon/icon next to secrets by URL
  9. Secret detail view with type-specific fields
  10. Fuzzy search by name and URL
  11. Nextcloud unified search integration
  12. Deep-link from search via lock screen

Encryption & Security

  13. RSA-4096 encryption via EncryptionSuite
  14. AES-256 private key protection
  15. Private CA bootstrap (root + intermediate)
  16. Auto-create EncryptionSuite on first login
  17. Master password session with configurable timeout
  18. Lock screen (full page)
  19. Tab-close session clearing
  20. Master password strength enforcement (zxcvbn)
  21. Live strength feedback
  22. Routine master password change
  23. Compromise recovery with key rotation
  24. Suite migration with error tracking
  25. Suite revocation and reinstatement

Key Generator

  26. Random key generation with configurable length
  27. Special character toggle (OWASP set)
  28. Character exclusion
  29. Regex override
  30. Integration with secret creation UI
  31. Key generation API endpoint

Sharing

  32. Share with Nextcloud user (encrypted copy)
  33. Sync-on-update
  34. Share with group (static expansion)
  35. Share notification
  36. Revoke share
  37. Share visibility (owner-only recipient list)
  38. Share request mechanism
  39. Group member notification + approval
  40. Auto-revoke on group leave

Link Sharing & Requests

  41. Password-protected link with usage limit
  42. Fill-in link for write-without-read submission
  43. Request notification on fulfillment

Application Management

  44. Application registration with approval queue
  45. EncryptionSuite via CSR or generated key pair

V1 (30 additional features)

Enterprise-ready vault with full lifecycle management and API access.

  1. Ownership delegation and reclaim
  2. Permanent delegation on suite revocation
  3. Compromised suite owner notification
  4. Link share expiry
  5. Re-request for credential rotation
  6. Application API (RFC 7523 JWT Bearer)
  7. OpenConnector integration
  8. CA auto-renewal and health check
  9. Admin-configurable password policy
  10. Root certificate renewal with notifications
  11. Forced intermediate renewal
  12. Secret import (CSV, Bitwarden JSON, KeePass XML)
  13. Secret export (encrypted backup, CSV)
  14. Favorite/pinned secrets
  15. Recently accessed secrets
  16. Password health scoring per secret
  17. Secret strength indicator in list view
  18. Vault search with keyboard shortcut (Ctrl+K)
  19. Dark mode support
  20. NL Design System theming
  21. GDPR export + deletion
  22. Audit trail on secret operations
  23. REST API for all operations
  24. CA certificate details in admin panel
  25. Global secret type management
  26. Notification toggles (group shares, security)
  27. Default secret type and view preferences
  28. Password strength indicator on generated keys
  29. Pronounceable password and passphrase generation
  30. Bulk operations (delete, move folder)

Enterprise (15 additional features)

Large organizations, multi-instance deployments, and compliance-driven environments.

  1. Password health report (weak, reused, old)
  2. Breach detection (HaveIBeenPwned integration)
  3. Breach detection for secret URLs (HaveIBeenPwned)
  4. Password age indicator
  5. Export to PDF (single secret)
  6. Browser extension (Bitwarden-compatible API subset)
  7. CLI tool for secret management
  8. Multiple encryption suites per user (key rotation)
  9. Custom CA chain upload
  10. Post-quantum cryptography
  11. Secret tags
  12. Custom fields per secret type
  13. Field-level encryption audit
  14. Data retention policies
  15. Nextcloud Flows automation triggers