How Encryption Works

A technical explanation of how AmnPass protects your data with zero-knowledge encryption.

The Big Picture

When you use AmnPass, your passwords never leave your device in a readable form. Instead, they're encrypted locally using keys that only you possess — derived from your master password. Let's walk through exactly how this works.

  1. Your Device: Enter master password
  2. Key Derivation: Derive encryption keys locally (Auth Key → Server; Vault Key → Never sent)
  3. Encrypt Locally: All data encrypted in browser
  4. Cloud Sync: Only ciphertext stored; we can't decrypt

Step 1: Key Derivation

When you enter your master password, AmnPass derives two separate cryptographic keys from it:

  • Authentication Key: Used to prove your identity to the server. This is derived in a way that makes it impossible to reverse-engineer your master password from it.
  • Vault Key: Used to encrypt and decrypt your vault data. This key never leaves your device and is never sent to our servers.

We use strong key derivation functions that are specifically designed to be slow and memory-intensive. This makes brute-force attacks impractical — even if an attacker knew your authentication hash, they couldn't feasibly guess your password.

Your master password is never transmitted

Only derived keys are used for authentication. Your actual master password never leaves your device.

Step 2: Vault Encryption

Each item in your vault (passwords, 2FA codes, secure notes) is encrypted individually using authenticated encryption. This means:

  • Each item has a unique random nonce (number used once)
  • The ciphertext includes an authentication tag that prevents tampering
  • Without the vault key, the data is indistinguishable from random noise

Step 3: Cloud Sync

When your encrypted vault syncs to our servers, we store only ciphertext — encrypted data that we cannot decrypt. Our servers see something like:

eyJub25jZSI6IjRiN2UzZjJhMWM5ZTg3...

This is completely unreadable without your vault key, which exists only in your browser's memory when you're logged in.

Step 4: Decryption

When you access your vault on any device:

  1. You enter your master password
  2. The vault key is derived locally
  3. Encrypted data is downloaded from our servers
  4. Data is decrypted locally in your browser
  5. You see your passwords

The decrypted data exists only in your browser's memory. When you log out or close the tab, it's gone.
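
Steps 1 through 4 as one runnable Web Crypto sketch, added here as an illustration and not taken from AmnPass's code. The page does not name its algorithms, so PBKDF2-SHA-256 (a stand-in that is slow but not memory-hard, since Web Crypto ships no memory-hard KDF), HKDF with the labels `auth` and `vault`, AES-256-GCM, the iteration count, the salt handling and every function name are assumptions.

```javascript
// Added example, not AmnPass code. PBKDF2, HKDF, AES-GCM, labels and counts are assumptions.
const enc = new TextEncoder();
// Browser: globalThis.crypto. Older Node: fall back to node:crypto's webcrypto.
const getCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Step 1: stretch the password once, then split the result into two independent keys.
async function deriveKeys(masterPassword, salt, iterations = 600000) {
  const { subtle } = await getCrypto();
  const pw = await subtle.importKey('raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, pw, 256);
  const root = await subtle.importKey('raw', bits, 'HKDF', false, ['deriveBits', 'deriveKey']);
  const hkdf = (label) => ({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: enc.encode(label) });
  // Auth key: raw bytes, the only derived value that is sent to the server.
  const authKey = new Uint8Array(await subtle.deriveBits(hkdf('auth'), root, 256));
  // Vault key: non-extractable AES-256-GCM key that stays on the device.
  const aes = { name: 'AES-GCM', length: 256 };
  const vaultKey = await subtle.deriveKey(hkdf('vault'), root, aes, false, ['encrypt', 'decrypt']);
  return { authKey, vaultKey };
}

// Step 2: each item gets its own random 96-bit nonce; GCM appends a 16-byte tag.
async function encryptItem(vaultKey, item) {
  const c = await getCrypto();
  const nonce = c.getRandomValues(new Uint8Array(12));
  const plaintext = enc.encode(JSON.stringify(item));
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv: nonce }, vaultKey, plaintext);
  return { nonce, ciphertext: new Uint8Array(ct) }; // this pair is what Step 3 syncs
}

// Step 4: rejects if the key is wrong or any byte of the ciphertext or tag changed.
async function decryptItem(vaultKey, { nonce, ciphertext }) {
  const { subtle } = await getCrypto();
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv: nonce }, vaultKey, ciphertext);
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed sample run: round trip, a one-bit tamper, and a wrong master password.
async function demo() {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // per-account salt (assumption)
  const { vaultKey } = await deriveKeys('correct horse battery staple', salt);
  const blob = await encryptItem(vaultKey, { site: 'example.com', password: 'constructed-sample' });
  const tampered = { nonce: blob.nonce, ciphertext: blob.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1;
  const rejects = (p) => p.then(() => false, () => true);
  const wrong = await deriveKeys('wrong password', salt);
  return { roundTrip: await decryptItem(vaultKey, blob),
    tamperRejected: await rejects(decryptItem(vaultKey, tampered)),
    wrongKeyRejected: await rejects(decryptItem(wrong.vaultKey, blob)) };
}
```

Running `demo()` in a browser console or in Node returns the decrypted item together with two flags showing that the tampered blob and the wrong password were both rejected.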

Master Password = Your Only Key

Because encryption happens locally with keys derived from your master password, we cannot recover your data if you forget it. This is the fundamental trade-off of zero-knowledge security.

What About Server Compromise?

If our servers were ever breached, attackers would find:

  • Encrypted vault data (useless without master passwords)
  • Authentication hashes (designed to resist cracking)
  • Email addresses (the only personally identifiable information)

They would not be able to:

  • Decrypt any user's vault
  • Recover master passwords
  • Access plaintext passwords or 2FA seeds

Cryptographic Transparency

All cryptographic operations happen in your browser using standard Web Crypto APIs and well-audited libraries. You can verify this yourself:

  • Open browser DevTools
  • Inspect network traffic — you'll see only encrypted data being transmitted
  • Review the client-side JavaScript — encryption logic runs locally
