Version: 7.0

Cryptography overview

Security is built into every stage of development — from the first idea to the final release. This section describes the cryptographic model, algorithms, and data protection mechanisms that make Passwork trusted by thousands of businesses worldwide.

Who this section is for

  • Information security specialists — for audits and compliance assessments
  • Technical decision-makers — for evaluating the product before deployment
  • Administrators — for understanding how the system works and how to configure it

How we build secure software

| Practice | Description |
| --- | --- |
| Security champions | OWASP training and threat modeling in every development team |
| DevSecOps approach | Static & dynamic analysis, SCA, IaC scanners integrated into every build |
| Multi-stage review | No direct pushes to main branch, mandatory security code review |
| External audits | Annual penetration testing and security audits by independent experts |

Standards and validation

  • ISO 27001 certified — all development and infrastructure practices meet the highest security standards
  • Tested by HackerOne — independent security assessments by ethical hackers
  • GDPR compliant — full compliance with European data protection regulations

Zero-Knowledge architecture

Passwork is built on the Zero-Knowledge principle: the server does not have enough information to decrypt user data. Neither server administrators nor technical staff can access your passwords — even if they wanted to.

  • The master password never leaves the user's device
  • All cryptographic keys are generated on the client
  • The server stores only encrypted data and encrypted keys
  • Decryption is only possible on the client side

This architecture ensures your passwords never leave your infrastructure, making Passwork trusted by government agencies and highly regulated organizations across Europe.

Two-level protection

Passwork applies two levels of encryption:

| Level | Where it runs | Key | When active |
| --- | --- | --- | --- |
| Client-side encryption | Browser / app | User keys | When CSE is enabled |
| Server-side encryption | Server | Server key | Always |

Even with client-side encryption disabled, data is still protected by server-side encryption with AES-256.

Algorithms used

| Purpose | Algorithm | Parameters |
| --- | --- | --- |
| Key derivation from password | PBKDF2 | SHA-256, 300K iterations |
| Symmetric encryption (server) | AES-256-CFB | OpenSSL |
| Symmetric encryption (client) | AES-256-CBC | + Base32 encoding |
| Asymmetric encryption | RSA-OAEP | 2048 bit, SHA-256 |
| Hashing | SHA-256, SHA-512 | |

Section structure

Fundamentals

  • Glossary — definitions: master password, master key, vault, record, keys
  • Data model — object hierarchy and relationship with cryptographic keys

Encryption

Processes

Infrastructure


Encryption chain overview

Client side:

  1. Master password (entered by user) → PBKDF2 (300K iterations) →
  2. Master key (512 bits) → AES-256-CBC →
  3. Private RSA key (2048 bits) → RSA-OAEP (WebCrypto) →
  4. Vault key (256 bits) → AES-256-CBC →
  5. Record key (256 bits) → AES-256-CBC →
  6. Record data (passwords, secrets, files — encrypted)

Server side:

  1. Server key (256 bits, OpenSSL) → AES-256-CFB →
  2. Database (double encryption)

What is encrypted on the client

Not all data is encrypted on the client — some fields are protected only by server-side encryption to enable search and sorting functionality.

Detailed information about encryption of each field is in the Encryption scope section.

Key parameters

| Parameter | Value |
| --- | --- |
| RSA key | 2048 bits |
| AES key | 256 bits |
| PBKDF2 iterations (client) | 300,000 |
| PBKDF2 iterations (server) | 600,000 |
| Access Token entropy | 256 bits |
| Link token entropy | 256 bits |
| Vault key entropy | ~596 bits |

Industry standards compliance

| Parameter | Passwork | NIST recommendations (2024) | Status |
| --- | --- | --- | --- |
| Symmetric encryption | AES-256 | AES-128/192/256 | |
| Asymmetric encryption | RSA-2048 | RSA-2048+ | |
| Hashing | SHA-256/512 | SHA-2 family | |
| PBKDF2 iterations | 300K/600K | ≥310K (SHA-256) | |
| Random number generator | CSPRNG | CSPRNG | |