Secure Sharing Model

How AmnPass enables password sharing without compromising zero-knowledge security.

The Challenge

Password sharing presents a unique challenge for zero-knowledge systems. If your vault is encrypted with your personal key, how can someone else access a shared item without knowing your key?

The answer: public-key cryptography.

How It Works

[Diagram: sharing flow]
You (Owner), sharing a password: your vault item (Username: john@example.com, Password: ••••••••) is encrypted with your vault key.
Re-encrypt for recipient: the item key is wrapped with the recipient's public key (Recipient's public key: Ed25519...).
Recipient, receiving the shared item: the shared item (same username and password) is decrypted with their private key.
Revoke access anytime: when you revoke access, the recipient can no longer decrypt the shared item. Their copy becomes unreadable because they no longer have the decryption key.
Server never sees plaintext passwords.

Key Pairs

Every AmnPass user has a cryptographic key pair:

  • Public Key: Known to everyone, used to encrypt data for you
  • Private Key: Known only to you, used to decrypt data sent to you

Your private key is encrypted with your vault key and stored alongside your vault data. It's protected by the same zero-knowledge encryption as everything else.

Sharing Process

When you share a password with someone:

  1. Look up recipient's public key — Their public key is fetched from our servers (public keys are, by definition, safe to share)
  2. Generate a share key — A unique encryption key is created for this shared item
  3. Encrypt the item — The password is encrypted with the share key
  4. Wrap the share key — The share key is encrypted with the recipient's public key
  5. Store on server — Both encrypted components are stored together

Receiving Shared Items

When someone shares a password with you:

  1. You receive the encrypted item and wrapped share key
  2. Your private key unwraps the share key
  3. The share key decrypts the actual password
  4. You can now see the shared credential

Server Never Sees Plaintext

Throughout this process, our servers only store encrypted data. We never have access to the plaintext password or the keys needed to decrypt it.

Revoking Access

When you revoke someone's access to a shared item:

  • The wrapped share key for that user is deleted
  • Without the share key, they can no longer decrypt the item
  • Any cached copy they have becomes useless when you update the password

For maximum security, we recommend changing the password after revoking access, since the recipient may have copied it while they had access.

Update Propagation

When you update a shared password:

  • The new password is re-encrypted with the existing share keys
  • All recipients see the update immediately
  • No action required from recipients

Security Considerations

The sharing model maintains zero-knowledge properties:

  • ✓ Server never sees plaintext passwords
  • ✓ Server cannot decrypt shared items
  • ✓ Only designated recipients can decrypt
  • ✓ Revoking access is cryptographically enforced

Trust Recipients

Remember: once you share a password, the recipient can see it and potentially copy it. Only share with people you trust.
