Zero-Knowledge Encryption

SecurityCreds uses zero-knowledge encryption to ensure that only you can access your passwords. Even we cannot see your sensitive data.

What is Zero-Knowledge Encryption?

Zero-knowledge encryption means your passwords are encrypted on your device before they ever leave it. The encryption key is derived from your master password, which is never sent to our servers.

Your Password
↓
[Encrypted on your device with AES-256-GCM]
↓
Encrypted data sent to server
↓
[Server stores encrypted blob - cannot decrypt]

What This Means for You

Complete Privacy - Even SecurityCreds employees cannot see your passwords
Data Breach Protection - If our servers were ever compromised, attackers would only get encrypted data they cannot decrypt
No Master Key - We don't have a "master key" that can unlock your data

How It Works

Key Derivation

When you create an account, SecurityCreds derives an encryption key from your master password using PBKDF2:

Your master password is combined with a unique salt
PBKDF2 runs 100,000+ iterations to create a strong key
This key is used for AES-256-GCM encryption
The key never leaves your device

Encryption Process

When you save a credential:

Client-side: Your password is encrypted with AES-256-GCM using your derived key
Transmission: Only encrypted data is sent to our servers
Storage: We store the encrypted blob - we cannot decrypt it

Decryption Process

When you view a credential:

Encrypted data is retrieved from our servers
Your browser decrypts it locally using your derived key
The decrypted password is displayed only in your browser

Hybrid Approach

We use a hybrid approach: searchable fields (name, username, URL, notes) are encrypted with AWS KMS for server-side search capability, while your actual passwords and TOTP secrets use client-side zero-knowledge encryption.

Recovery Keys

Since we cannot reset your master password (we don't have access to your encryption key), you'll receive a recovery key during setup.

Critical: Store Your Recovery Key Safely

Your recovery key is the only way to recover your data if you forget your master password. Store it in a secure location like a safe, safety deposit box, or with a trusted family member.

What the Recovery Key Does

Allows you to regain access if you forget your master password
Is generated once during account setup
Should be stored offline in a secure location
Can only be used once (then you set a new master password)

Using Your Recovery Key

If you need to use your recovery key:

Go to the login page and click "Forgot Password"
Select "Recover with Recovery Key"
Enter your recovery key exactly as provided
Create a new master password
A new recovery key will be generated - save it!

Setting Up Encryption

When you first create your account, you'll go through the encryption setup process:

Create master password - Choose a strong, memorable password
Generate keys - SecurityCreds derives your encryption key
Receive recovery key - Save this immediately
Verify recovery key - Confirm you've saved it correctly

Technical Specifications

Encryption Algorithm: AES-256-GCM (Galois/Counter Mode)
Key Derivation: PBKDF2-SHA256 with 100,000+ iterations
Salt: Unique 128-bit salt per user
IV/Nonce: Random 96-bit nonce per encryption operation

Best Practices

Use a strong master password - At least 12 characters with mixed case, numbers, and symbols
Don't reuse your master password - Use a unique password just for SecurityCreds
Store your recovery key offline - Not in a digital note or email
Enable device security - Use screen lock on all devices