Zero-Knowledge Architecture

Your data, truly private

AmnPass uses zero-knowledge encryption. Your vault is encrypted locally using your master password. We cannot access your passwords or 2FA seeds — not even if we wanted to.

Your vault is encrypted locally

When you create or update an item in your vault, it is encrypted on your device using keys derived from your master password. The encryption happens in your browser before any data is sent to our servers.

AmnPass cannot access your passwords

We store only encrypted data on our servers. Without your master password, this data is cryptographically unreadable. Our employees, our systems, and even law enforcement with a subpoena cannot decrypt your vault.

If you lose your master password, we cannot recover your data

This is intentional. True zero-knowledge security means we never have the ability to decrypt your vault. Please store your master password in a secure location, such as a physical safe or with a trusted family member.

How Encryption Works

Your Device

Enter master password

••••••••••

Key Derivation

Derive encryption keys locally

Auth Key → Server
Vault Key → Never sent

Encrypt Locally

All data encrypted in browser

x9Kj2m...encrypted

Cloud Sync

Only ciphertext stored

We can't decrypt
See detailed technical explanation

Technical Details

Key Derivation

Your master password is processed to derive two separate keys:

  • Authentication key — sent to server for login
  • Vault key — never leaves your device

Symmetric Encryption

Each vault item is encrypted with authenticated encryption:

  • 256-bit keys for strong security
  • Random nonces per item
  • Authenticated encryption (AEAD)

Secure Sharing

Password sharing uses public-key cryptography:

  • Each user has a public/private key pair
  • Items encrypted for each recipient
  • Revocable access control

Client-Side Only

All cryptographic operations happen in your browser:

  • Web Crypto API for native performance
  • Open source cryptographic libraries
  • Verifiable in browser DevTools

New Device Verification

When you sign in from a new browser or device, we send a one-time code to your email to confirm it's really you.

1

Sign In

Enter your email and master password as usual.

2

New Device Detected

We detect it's a new device and send a verification code to your email.

3

Verify & Access

Enter the code to unlock your vault. Optionally trust the device for future logins.

Manage Your Trusted Devices

View and revoke trusted devices from your account settings. If you don't recognize a device, revoke it immediately and change your master password. Revoked devices will require verification again on the next sign-in.

Learn More

How Encryption Works

Step-by-step technical explanation of our encryption process.

Sharing Model

How we enable secure sharing without compromising privacy.

Threat Model

What we protect against and what's your responsibility.

Ready to secure your passwords?

Start using AmnPass today with zero-knowledge encryption. Your data stays private — we can never see it.

Get Started Free View Features
Zero-knowledge encryption
End-to-end encrypted
2FA authenticator included