How to Use Keyfiles for Stronger Offline Vault Security
Keyfiles add a possession-based factor to your vault’s encryption. When enabled, access to the vault requires both the master password and a specific file whose cryptographic hash is incorporated into key derivation. This significantly raises the cost of offline attacks while preserving Passary’s local-only, zero-knowledge design.
🛡️ Why Use a Keyfile?
- Protects against offline vault theft: An attacker who obtains your vault file, and even your master password, still cannot decrypt the vault without a bit-for-bit copy of the keyfile. This holds only if the keyfile itself is secret and unguessable: a randomly generated keyfile is, whereas a file an attacker could fetch elsewhere (a stock photo, a common download) adds little.
- Strong additional entropy: A randomly generated keyfile adds high-entropy randomness that cannot be memorized, typed, or realistically guessed.
- Possession-based protection: Access requires both knowledge (password) and possession (keyfile), enforced locally without servers.
What is a Keyfile?
A Keyfile is a standard file that acts as a physical key to your vault. It can be any file type (an image, an MP3, or a generated .key file), though randomly generated keyfiles are strongly recommended for reliability, portability, and long-term safety. Passary hashes the file's raw binary contents and uses the result as part of the encryption key; only the bytes matter, not the file name or where it is stored. Any modification to the contents, even a single byte, changes the derived encryption key and prevents the vault from unlocking.
Unlike a password, which you type from memory, a Keyfile must be present on the device unlocking the vault. This makes it similar to a physical key for a door.
Step 1: Creating a Vault with a Keyfile
Setting up a keyfile is easiest when creating a new vault.
- Go to Create New Vault.
- Enter your strong Master Password as usual.
- Toggle the "Use Keyfile (Optional)" switch (recommended for users who want stronger offline protection).
- Choose one of two options:
- Generate New: Passary creates a cryptographically secure random file for you. This file is exactly 32 bytes (256 bits of randomness) and will never change unless you rotate it.
- Import File: Use an existing file (like a specific photo) as your key.
- If you chose "Generate New," click the Download Keyfile button immediately.
⚠️ Critical Warning
Do not lose this file. If you use a Keyfile, your vault cannot be opened without it. Passary cannot recover it for you. We recommend saving multiple copies on different USB drives.
Step 2: Unlocking with a Keyfile
Once your vault is protected, unlocking requires both components:
- Select your Vault File (`.passary`).
- Enter your Master Password.
- Toggle "Use Keyfile" on.
- Select your Keyfile.
- Click Unlock.
If either the password or the keyfile is incorrect, the vault will simply fail to decrypt. Because both inputs feed into a single derived key, decryption fails as a whole, and the error message is intentionally generic so an attacker cannot tell whether the password or the keyfile was wrong.
Step 3: Managing Keyfiles in Settings
We've redesigned the settings page to make managing advanced security safe and intuitive. Go to Settings inside your unlocked vault.
Security Controls (Intentional Security Changes)
Here you can see if keyfile protection is active. You have three main actions:
- Add Keyfile Protection: If you didn't set one up initially, you can add one here. This completely re-encrypts your vault.
- Verify Keyfile: Checks if a file matches the one used to secure the vault. Useful for testing backups without locking yourself out.
- Rotate Keyfile: Generate a new keyfile and discard the old one. Useful if you think your current keyfile might have been copied by someone else. After rotating, download and back up the new keyfile immediately and retire every copy of the old one. Note that any older backup of the vault file was encrypted under the old keyfile and still requires it.
High Risk Zone (Permanent Security Changes)
For critical actions, look for the red "High Risk" section at the bottom of settings.
- Remove Keyfile Protection: Downgrades your security to password-only. Be careful—this permanently removes the second factor requirement. After removal, the vault can be unlocked with the password alone.
- Re-encrypt Vault: Re-encrypts the entire vault with fresh cryptographic randomness (new salts, nonce, and vault binding) without changing your password or keyfile.
Best Practices & Storage
To get the full security benefit of a Keyfile, follow these rules:
- Separate Storage: Don't store your Keyfile in the same folder as your Vault file. An attacker who gains access to both has defeated the second factor, leaving you with password-only protection.
- USB Drive: Ideally, keep your Keyfile on a USB flash drive. Plug it in only when you need to unlock the vault. This effectively keeps the keyfile offline for most of its lifetime.
- Backups: Keyfiles don't change (unless you rotate them). Keep reliable backups of your keyfile in safe physical locations (e.g., a safe, a trusted relative's house).
- Cloud Caution: Storing your keyfile in Dropbox/Google Drive significantly reduces the security benefit if your vault file is also stored there. Keep them separated.
Recovery & Warnings
Important: Passary is a zero-knowledge, local-only system.
Internally, Passary derives the vault key using Argon2id, a cryptographic hash of the keyfile, and an additional key-derivation step. Both components are required to produce the correct encryption key.
If you lose the Keyfile, you have lost the mathematical component required to generate the key. There is no recovery mechanism, backdoor, or support-based reset for a lost keyfile.
Unlike a physical lock, where a locksmith can help, this cryptographic construction has no recovery path. If you lose your Keyfile, permanent data loss is the expected and unavoidable outcome, by design.
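The following is an added illustration of the construction described above; it is not Passary's code. It follows the page's description (Argon2id over the master password, a cryptographic hash of the keyfile, and a further key-derivation step that binds the two) and shows why a one-byte change to the keyfile, a wrong password, or a missing keyfile each yield an unrelated vault key. Everything beyond that description is an assumption made for the example: HKDF-SHA256 as the combining step, a 256-bit vault key, the context string, and hashlib.scrypt standing in for Argon2id because the Python standard library has no Argon2id (a real build would use a library such as argon2-cffi). The constant-time `keyfile_matches` check is one way a "Verify Keyfile" style feature could be built; it is not Passary's implementation.

```python
"""Password + keyfile key derivation, as an added example (not Passary's code).

Assumptions not taken from the page: HKDF-SHA256 combines the two
components, the vault key is 32 bytes, INFO is the context string, and
hashlib.scrypt stands in for Argon2id (no Argon2id in the stdlib).
"""
import hashlib
import hmac
import os
from typing import Optional

KEYFILE_LEN = 32             # the page: generated keyfiles are exactly 32 bytes
VAULT_KEY_LEN = 32           # assumed 256-bit vault key
INFO = b"example-vault-key"  # assumed context string for the final KDF step


def generate_keyfile() -> bytes:
    """Cryptographically random 32-byte keyfile, like 'Generate New'."""
    return os.urandom(KEYFILE_LEN)


def password_kdf(password: str, salt: bytes) -> bytes:
    """Memory-hard password stretching. scrypt is a stand-in for Argon2id."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def keyfile_hash(keyfile_bytes: bytes) -> bytes:
    """Only the raw bytes are hashed; name, path and timestamps never matter."""
    return hashlib.sha256(keyfile_bytes).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, salt: bytes,
                     keyfile_bytes: Optional[bytes]) -> bytes:
    """Vault key = HKDF(password_material || H(keyfile)).

    With no keyfile the second component is absent (password-only mode).
    A wrong keyfile or wrong password gives an unrelated key, so
    authenticated decryption fails as a whole and nothing reveals which
    input was wrong.
    """
    ikm = password_kdf(password, salt)
    if keyfile_bytes is not None:
        ikm += keyfile_hash(keyfile_bytes)
    return hkdf_sha256(ikm, salt, INFO, VAULT_KEY_LEN)


def keyfile_matches(candidate: bytes, expected_hash: bytes) -> bool:
    """Check a backup copy against a recorded content hash, in constant time."""
    return hmac.compare_digest(keyfile_hash(candidate), expected_hash)


def demo():
    """Show that a single flipped bit in the keyfile changes the whole key."""
    salt = os.urandom(16)
    keyfile = generate_keyfile()
    k_good = derive_vault_key("correct horse battery staple", salt, keyfile)
    damaged = bytes([keyfile[0] ^ 0x01]) + keyfile[1:]   # one bit flipped
    k_bad = derive_vault_key("correct horse battery staple", salt, damaged)
    return k_good != k_bad and keyfile_matches(keyfile, keyfile_hash(keyfile))


if __name__ == "__main__":
    print("keyfile binding works as described:", demo())
```

Record `keyfile_hash` of your keyfile somewhere convenient and run `keyfile_matches` against each backup copy; that confirms the copy is bit-for-bit identical without ever handling the vault itself.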
Frequently Asked Questions
Can I use any file as a keyfile?
Yes. You can use a specific photo, audio file, or document, as long as the file remains bit-for-bit identical and is not something an attacker could obtain elsewhere (a file downloaded from the web is a poor choice; a private file or a generated .key file is better). Just remember: if you edit that file (e.g., crop the photo, edit ID3 tags on the MP3), the file's binary data changes, and it will no longer work as your key.
What happens if I edit my keyfile?
The keyfile must remain bit-for-bit identical to when you set it up. Even changing one byte will result in a completely different encryption key, and your vault will not unlock.
Can I use a keyfile on mobile?
Yes, the web app works on mobile. You'll simply select the keyfile from your phone's file system (e.g., iCloud Files, Google Drive, or local storage). Be careful not to let your operating system modify or re-save the file, as any change will invalidate the keyfile; photo and gallery apps in particular may re-encode or strip metadata from an image when exporting it, so a generated .key file stored in a files app is the safer choice on mobile.
When Should You Use a Keyfile?
Keyfiles are ideal if:
- You store vault files in cloud storage
- You want protection against offline attacks
- You are comfortable managing physical security
- You understand the risk of irrecoverable loss
They are not required for everyone—but for the right users, they provide meaningful additional protection.
