| I built Whisper Money: a personal finance app designed so the server never sees your transactions in plaintext. Core idea: - Transactions/accounts/budgets are encrypted on the client before sync (zero-knowledge storage). - No bank integrations/credential sharing; you import CSV/XLS from your bank instead. - Open source: https://github.com/whisper-money/whisper-money - Demo (no signup): https://whisper.money (see “Demo”) Tradeoffs/limitations: - Because data is encrypted client-side, server-side “AI insights” and some global features are intentionally not possible. - Key management and UX around recovery are hard; I’m still iterating on the right balance. I’d love feedback on: 1. threat model assumptions and key handling, 2. how you’d design search/categorization on encrypted data, 3. what you’d want to see before trusting this with real financial history. |
- Stack: Laravel 12 + React 19 + Inertia v2 + TypeScript + MySQL/Redis.
- Encryption code lives under src/lib/crypto (happy to point to specific files).
- Import is CSV/XLS; encryption happens before upload.
- Hosting/deploy: Docker + docker-compose, includes a production compose and a Coolify template.
If anyone has experience with audits / threat modeling for E2E apps, I’d appreciate pointers on what to formalize first.