How Passary Works

Understanding our zero-knowledge architecture

Zero-Knowledge Architecture

Passary is built on a zero-knowledge architecture, which means we have no technical means to access your passwords or vault data. This is not a policy choice; it is a fundamental design principle enforced by cryptography.

What does "zero-knowledge" mean?

Zero-knowledge means that even if someone gained complete access to our servers or infrastructure, they would only find encrypted data that is computationally infeasible to decrypt without your master password, provided that password is strong enough to resist guessing.

Local-First Design

Unlike traditional cloud-based password managers, Passary stores all your data locally on your device:

  • Your browser storage: Vault data is stored in IndexedDB, the browser's built-in, origin-scoped database (the vault is encrypted before it is written there)
  • Your file system: You can export your vault as an encrypted file you control
  • No cloud servers: We don't have cloud infrastructure storing your passwords
  • Complete control: You decide where and when to back up your vault

The Encryption Process

1. Master Password Entry

You enter your master password. This password never leaves your device and is never transmitted over the internet.

2. Key Derivation (Argon2id)

Your master password is processed using Argon2id, a memory-hard key derivation function that's resistant to brute-force attacks. This process happens entirely in your browser and generates an encryption key.

Argon2id(password, salt, iterations, memory) → encryption_key

3. Encryption (AES-256-GCM)

Your vault data is encrypted using AES-256-GCM (the Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode). GCM is an authenticated encryption mode: it provides both confidentiality and integrity, so any tampering with the encrypted vault is detected when it is decrypted.

AES-256-GCM(vault_data, encryption_key) → encrypted_vault

4. Local Storage

The encrypted vault is stored in your browser's IndexedDB. Even if someone accessed your device storage, they would only see encrypted data that's useless without your master password.
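
The four steps above as an added example (not Passary's code), written for Node.js using only its built-in crypto module. scrypt, another memory-hard KDF, stands in for Argon2id so no third-party package is needed; the record field names, the `vault-v1` associated data and the cost parameters are assumptions made for illustration.

```javascript
// Added example, not Passary's code. scrypt stands in for Argon2id (assumption).
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require("node:crypto");

// Assumed cost parameters: N=2^15, r=8 uses about 32 MiB per derivation.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const b64 = (s) => Buffer.from(s, "base64");

// Step 2: master password + per-vault salt -> 32-byte AES-256 key.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32, KDF);
}

// Step 3: encrypt; returns the record that step 4 would persist.
function sealVault(password, vault) {
  const salt = randomBytes(16);  // stored with the vault, not secret
  const nonce = randomBytes(12); // fresh 96-bit GCM nonce on every save
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.from("vault-v1")); // hypothetical version label, authenticated
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), "utf8"), cipher.final()]);
  return { v: 1, salt: salt.toString("base64"), nonce: nonce.toString("base64"),
           ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64") };
}

// Returns the vault object, or null when the record cannot be authenticated
// (wrong master password, or any field of the record was modified).
function openVault(password, rec) {
  try {
    const key = deriveKey(password, b64(rec.salt));
    const decipher = createDecipheriv("aes-256-gcm", key, b64(rec.nonce));
    decipher.setAAD(Buffer.from("vault-v" + rec.v));
    decipher.setAuthTag(b64(rec.tag));
    const pt = Buffer.concat([decipher.update(b64(rec.ct)), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // GCM tag check failed or the record is malformed
  }
}

// Constructed sample data.
const demo = sealVault("correct horse battery staple", [{ site: "example.test", pw: "s3cret" }]);
console.log(Object.keys(demo), openVault("wrong guess", demo));
```

The stored record holds only the salt, nonce, ciphertext and tag; the key is re-derived from the master password on every unlock and is never written anywhere.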

Security Guarantees

✓ Client-Side Encryption

All encryption happens in your browser. Your passwords are encrypted before they ever touch storage.

✓ No Server-Side Storage

We don't have databases storing your vault data. Everything stays on your device.

✓ No Network Transmission

Your vault data and master password are never sent over the internet.

✓ Industry-Standard Crypto

We use battle-tested algorithms (Argon2id, AES-256-GCM) trusted by security experts worldwide.

Trade-offs of Zero-Knowledge

While zero-knowledge architecture provides maximum security and privacy, it comes with important trade-offs you should understand:

⚠️ No Password Recovery

If you forget your master password, we cannot recover it for you. This is a direct consequence of the zero-knowledge design rather than a missing feature: we never hold your master password or the key derived from it.

Solution: Keep secure backups of your vault file and choose a master password you can remember (but that's still strong).

⚠️ Your Responsibility

You are responsible for backing up your vault. We don't provide cloud sync or automatic backups because that would compromise the zero-knowledge principle.

Frequently Asked Questions

Can Passary see my passwords?

No. Your passwords are encrypted on your device before storage. We never have access to unencrypted data.

What if Passary gets hacked?

Since your vault is stored locally on your device (not on our servers), a breach of our website infrastructure wouldn't expose your passwords. Even if someone accessed your encrypted vault file, it would be computationally infeasible to decrypt without your master password.

How is this different from other password managers?

Most password managers use cloud sync and store encrypted vaults on their servers. While they may use encryption, you're trusting their infrastructure. Passary is local-first—your vault never leaves your device unless you explicitly export it.

Next Steps