Passlette Get started
← Back to About

Security details

A technical explanation of how Passlette's zero-knowledge encryption works.

How the encryption works

Account creation

When you create an account, your master password is run through Argon2id — a slow, memory-hard key derivation function — to produce two things:

  • A server authentication token, which is hashed again and stored by the server to verify your password at sign-in. This hash cannot be reversed.
  • An encryption key, which is used to protect your private key. This key never leaves your device.

Your browser then generates a 2048-bit RSA key pair. The private key is encrypted with your Argon2id-derived encryption key before being uploaded. The server stores only the encrypted form and has no way to decrypt it.

Master password
Argon2id
Server auth token
Hashed and stored on server
Encryption key
Encrypts your RSA private key
never leaves your browser
stored on server
stays in browser

Groups and vault keys

Each group has a random 256-bit AES-GCM symmetric key — the vault key. When you create a group, this key is generated entirely in your browser and then encrypted with your RSA public key before being stored on the server.

When an admin invites someone to a group, the admin's browser decrypts the vault key (using their own private key) and re-encrypts it with the new member's public key. No plaintext vault key ever touches the server.

Vault key
encrypted with admin's public key
admin decrypts in browser
Vault key (plaintext)
temporarily in admin's browser only
re-encrypted for new member
Vault key
encrypted with new member's public key

Storing and loading credentials

Every credential you save — password, username, notes — is encrypted with the group's vault key using AES-256-GCM before being sent to the server. The server stores the ciphertext and a random IV. Decryption happens in your browser after you sign in and your private key is unlocked.

Credential
password, username, notes
AES-256-GCM with vault key
Ciphertext + IV
Stored on server
server sees only encrypted blob

What the server stores

  • Your email address
  • An Argon2id hash of your server authentication token — used to verify your password at sign-in; cannot be reversed to recover your password
  • Your RSA public key
  • Your RSA private key, encrypted with your Argon2id-derived key
  • Vault entries as encrypted blobs — the server sees only ciphertext and a random IV per entry
  • An audit log of create, update, and delete events — timestamps and entry identifiers only; no credential content

What the server never sees

  • Your master password
  • Your Argon2id-derived encryption key
  • Your RSA private key in plaintext
  • The vault key for any group
  • Any credential content — passwords, usernames, or notes

Limitations and caveats

Zero-knowledge protects your data at rest on the server and in transit, but there are some things this model cannot prevent:

  • Compromised device. If an attacker can run code in your browser session, they could intercept your passwords before encryption. Keep your devices and browser extensions up to date.
  • Weak master password. Argon2id makes brute-force attacks slow, but a short or common password is still easier to crack. Use a strong, unique master password.
  • Server-delivered code. Because your browser fetches the application code from this server, a compromised server could theoretically serve malicious JavaScript. This is a limitation shared by all web-based password managers.
  • No master password recovery. Because the server never sees your encryption key, there is no mechanism to recover a forgotten master password. Your vault cannot be decrypted without it.