Building a Post-Quantum Password Vault: A Learning Journey
Figure 1 - Screenshot of the Post Quantum Password Vault prototype by Meaningful Systems, LLC
Over the last few weeks, I’ve been exploring one of the biggest security challenges of our time: what happens to our data when quantum computers arrive?
Quantum computers aren’t just “faster” versions of today’s computers. They operate on entirely different physics. Using quantum bits (qubits), they can run algorithms that exploit superposition and entanglement to solve certain problems exponentially faster than classical computers. That’s great for science and medicine, but it’s concerning for today’s security.
Why? Because the encryption we rely on every day — the systems that lock down our operating systems, banking transactions, and even cryptocurrencies — is vulnerable. Shor’s Algorithm, first described in the 1990s, shows that a powerful enough quantum computer could break:
RSA (Rivest–Shamir–Adleman) public-key cryptography
ECC (Elliptic Curve Cryptography), widely used for digital signatures
Other public-key protocols underpinning the internet
When that day comes, the foundations of digital trust collapse.
Recognizing this, NIST (the National Institute of Standards and Technology) began a process years ago to standardize post-quantum cryptography. The first three standards — FIPS (Federal Information Processing Standards) 203, 204, and 205 — were finalized in 2024. They introduce quantum-resistant algorithms such as:
ML-KEM (Module-Lattice Key Encapsulation Mechanism) for key exchange
ML-DSA (Module-Lattice Digital Signature Algorithm) for digital signatures
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) for specialized use cases
These are the building blocks of a future-proof internet. More standards are likely to emerge from NIST in the coming years, too.
Building the Vault
Over a weekend, I prototyped a local-only, post-quantum password vault. I started with Python, then wrapped it into a macOS application using PyInstaller. At first the UI (User Interface) was in Tkinter (a user interface library), but I migrated it to PyQt (another user interface library) for a cleaner, modern look — black and silver, with Meaningful Systems branding.
The app generates its own post-quantum keypairs using ML-KEM-1024 (Module-Lattice Key Encapsulation Mechanism, 1024-bit security level) and encrypts each vault entry with AES-256-GCM (Advanced Encryption Standard, 256-bit, Galois/Counter Mode). I keep the private key off the machine entirely, on an encrypted USB flash drive, so even if the computer itself is compromised, the vault file remains useless without the external key.
This separation of vault and key is critical. It means malware on the host machine can’t exfiltrate your secrets unless you’ve physically mounted the key drive. It’s a simple, practical design principle that dramatically reduces risk.
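The per-entry encryption described above, written out as an added example; it is not the vault's actual code. It assumes the `cryptography` package and, for the two ML-KEM functions only, liboqs-python (`oqs`); the record layout, HKDF label and function names are hypothetical.

```python
# Added example (not the vault's code). Needs `cryptography`; the two ML-KEM
# functions also need liboqs-python (`oqs`), which is imported lazily.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

KEM_ALG = "ML-KEM-1024"
KEM_CT_LEN = 1568   # ML-KEM-1024 ciphertext length in bytes (FIPS 203)
NONCE_LEN = 12      # AES-GCM nonce length
TAG_LEN = 16        # AES-GCM authentication tag length

def entry_key(shared_secret: bytes) -> bytes:
    """Derive a one-time AES-256 key from the 32-byte KEM shared secret."""
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"pq-vault entry key v1")  # hypothetical context label
    return hkdf.derive(shared_secret)

def split_record(record: bytes):
    """Assumed record layout: KEM ciphertext || nonce || AES-GCM output."""
    if len(record) < KEM_CT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    body = KEM_CT_LEN + NONCE_LEN
    return record[:KEM_CT_LEN], record[KEM_CT_LEN:body], record[body:]

def seal(shared_secret: bytes, kem_ct: bytes, entry_id: str, secret: bytes) -> bytes:
    if len(kem_ct) != KEM_CT_LEN:
        raise ValueError("unexpected KEM ciphertext length")
    nonce = os.urandom(NONCE_LEN)
    aad = entry_id.encode() + kem_ct   # bind entry name and KEM ciphertext
    return kem_ct + nonce + AESGCM(entry_key(shared_secret)).encrypt(nonce, secret, aad)

def unseal(shared_secret: bytes, record: bytes, entry_id: str) -> bytes:
    kem_ct, nonce, ct = split_record(record)
    return AESGCM(entry_key(shared_secret)).decrypt(nonce, ct, entry_id.encode() + kem_ct)

def encrypt_entry(public_key: bytes, entry_id: str, secret: bytes) -> bytes:
    """Needs only the public key, so entries can be added without the USB key."""
    import oqs
    with oqs.KeyEncapsulation(KEM_ALG) as kem:
        kem_ct, shared_secret = kem.encap_secret(public_key)
    return seal(shared_secret, kem_ct, entry_id, secret)

def decrypt_entry(private_key: bytes, entry_id: str, record: bytes) -> bytes:
    """Needs the private key. A tampered KEM ciphertext decapsulates to a
    different secret (implicit rejection), so the AES-GCM tag check fails."""
    import oqs
    with oqs.KeyEncapsulation(KEM_ALG, private_key) as kem:
        shared_secret = kem.decap_secret(split_record(record)[0])
    return unseal(shared_secret, record, entry_id)
```

Because every entry gets a fresh encapsulation, each AES-256-GCM key is used for exactly one message, and the entry name in the associated data stops a ciphertext from being moved to a different entry undetected.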
The Learning Process
This wasn’t just about coding — it was about learning. I explored open-source libraries such as liboqs (Open Quantum Safe Library), ran into packaging challenges, and discovered just how tricky distributing a macOS app can be.
Along the way, I also realized how vulnerable even “local” apps are to side channels such as RAM scraping, clipboard monitoring, and compromised operating systems.
To harden my design, I worked with an AI assistant to do a security audit. The goal was to take multiple perspectives: one to challenge assumptions, another to identify blind spots, and another to stress-test the design. What I learned is that security is really hard and my proof of concept has several vulnerabilities. We tried clearing the clipboard after a short time period, but I guess malware can constantly scrape the clipboard. Also, working memory for a Python program might be vulnerable.
The Vibe Coding Approach
I wasn’t trained as a software developer the same way a computer scientist would be – although I did learn to program in C, Java, and MATLAB in college. Python is something I learned later in my career. My background is in electrical engineering, mechanical engineering, and systems engineering. What has worked for me recently is something industry refers to as “vibe coding.”
Vibe coding is about learning by doing: starting with a prototype, rapidly testing ideas, and letting intuition and systems thinking guide the structure. Instead of memorizing every API call or syntax rule up front, I use iteration, exploration, and tools like AI assistants to build momentum quickly.
For someone like me, vibe coding turns programming into a design process instead of a rigid task. I already think in terms of systems — inputs, flows, constraints, feedback loops — and coding becomes just another layer of that. The rapid feedback cycle makes it a powerful way to learn, especially for engineers transitioning into software.
Where This Fits
Right now, my vault is just a proof of concept for personal use. It’s not production-ready, and it won’t replace your favorite password manager tomorrow. But it points toward what’s coming. Companies and organizations around the world are beginning the long process of upgrading IT infrastructure to be quantum-resistant. That transition could take a decade or more.
To my knowledge, no one else has released a fully local, post-quantum password manager yet. I wanted to see if it was possible, and in the process, I learned a lot about the coming challenges and opportunities.
Closing Thoughts
We’re at the very beginning of the post-quantum transition. My password vault project is just one small experiment in applying these new standards to everyday life. But it also shows what’s possible when you combine curiosity, inclusive innovation, and modern cryptography.
If you’re interested in learning more about this project — or in collaborating to build innovative projects for the future — you can reach out at meaningfulsystems.com/contact.