Zero-Knowledge Architecture

Understanding Passary's cryptographic guarantees

What is Zero-Knowledge?

Zero-knowledge encryption is a system architecture where the service provider has zero knowledge of the data stored on their platform. In Passary's case, we mathematically cannot access, view, or decrypt your vault data—even if we wanted to, even if legally compelled.

The Mathematical Guarantee

Zero-knowledge isn't just a policy or promise—it's a mathematical certainty enforced by cryptography. Your data is encrypted with keys that exist only on your device, derived from a password only you know.

How Zero-Knowledge Works in Passary

1. Local-First Architecture

Unlike cloud-based password managers, Passary stores your vault exclusively on your device:

  • Your vault data never touches our servers
  • All encryption/decryption happens in your browser
  • We don't have cloud infrastructure storing user vaults
  • Even temporary data doesn't leave your device

2. Client-Side Encryption

All cryptographic operations occur in your browser, not on our servers:

Master password entered → Stays local
Key derivation (Argon2id) → Computed locally
Encryption (AES-256-GCM) → Performed locally
Vault storage (IndexedDB) → Stored locally

3. No Server-Side Decryption Keys

The encryption key that protects your vault is derived from your master password using Argon2id. This key:

  • Never leaves your device: not even in encrypted form
  • Never transmitted over the network: no HTTPS request or API call ever carries it
  • Never stored permanently: it exists only in browser memory while the vault is unlocked
  • Cannot be reconstructed by us: we hold neither your master password nor your salt

Cryptographic Proof

The zero-knowledge property is enforced through several cryptographic mechanisms:

Component               | How It Ensures Zero-Knowledge
Argon2id KDF            | One-way function. Master password → encryption key is irreversible. We can't derive the password from any stored data.
AES-256-GCM             | Without the encryption key, encrypted data is mathematically indistinguishable from random noise. Brute-force would take billions of years.
Browser Storage         | Vault stored in IndexedDB on your device. We have no access to your device's storage.
No Network Transmission | Vault data never sent over HTTPS. We can't intercept what isn't transmitted.

What This Means in Practice

Server Breach

If our website infrastructure is compromised, attackers gain nothing—your vault isn't on our servers.

Legal Requests

Even if compelled by law enforcement, we genuinely cannot provide access to your vault data.

Rogue Employees

A malicious insider cannot access user vaults—the architecture prevents it by design.

Surveillance

Mass surveillance of our infrastructure yields nothing—there's no centralized vault database to monitor.

Comparing Security Models

Scenario                   | Zero-Knowledge (Passary) | Cloud-Based PM
Provider can see passwords | ✗ Impossible             | ✓ Technically possible
Password recovery possible | ✗ No                     | ✓ Yes (email reset)
Server breach impact       | ✓ Zero impact            | ⚠ High risk
User responsibility        | ⚠ High (backups)         | ✓ Low
Trust requirement          | ✓ Minimal                | ⚠ Must trust provider

The Trade-Off

Maximum Security = Maximum Responsibility

Zero-knowledge architecture provides unmatched security and privacy, but it comes at a cost:

  • No password recovery: If you forget your master password, your vault is permanently inaccessible
  • No customer support backdoor: We genuinely cannot help you regain access
  • Backup responsibility: You must create and manage your own backups
  • No account recovery: There's no email-based password reset

This isn't a limitation of our implementation—it's an inherent property of true zero-knowledge encryption. Any system that offers password recovery cannot be truly zero-knowledge.

Verifying Our Claims

How can you verify that Passary truly implements zero-knowledge encryption?

1. Open Source (Planned)

Our code will be open source, allowing security experts to audit our cryptographic implementation and verify our zero-knowledge claims.

2. Browser DevTools Inspection

Open your browser's Network tab while using Passary. You'll see that no vault data is transmitted to our servers—only the application itself is loaded.

3. Local Storage Verification

Inspect IndexedDB in your browser's DevTools. You'll find your encrypted vault stored locally—gibberish without your master password.

4. Offline Functionality

Once loaded, Passary works completely offline. Disconnect from the internet and your vault still functions—proof that it's local-first.
