Passwork is built on a zero knowledge architecture. Security is the foundation of the entire system, not an afterthought. All sensitive data is client-side encrypted before leaving the device. Only your team can access it. No one else.
Trusted by top teams:
Developed in Europe, with full GDPR and NIS2 compliance and data sovereignty
Development and infrastructure meet the international benchmark for information security
Chosen by government agencies and highly regulated industries across Europe
Zero-knowledge architecture with client-side encryption keeps your passwords private
Independent research shows 30% savings compared to competitors
Passwork can be deployed in isolated offline environments and cloud infrastructures to meet corporate security policies and data sovereignty requirements. It runs on Linux and Windows Server, scales horizontally, and integrates with your existing IT stack.
Security requirements defined alongside customer needs before any development begins.
Threat modeling, security requirements definition, and technical specification planning.
Static code analysis (SAST), dependency checks (SCA), and automated security tests.
Dynamic testing (DAST), automated analysis, expert review, and manual validation.
Every build runs in an isolated environment, no external access, no tampering risk.
Distribution packages are verified and signed to ensure integrity and authenticity.
Processes for security and data protection aligned with ISO 27001
Continuous internal audits and independent external penetration testing
Developed according to OWASP best practices and secure development principles (SDL)
Encryption for all stored vaults and credentials
Secure key exchange for data sharing and access control
Encrypted channel for all network communication
Cryptographically secure random number generation
Industry-standard cryptographic library for data encryption
Secure key derivation from master passwords
Every password and vault gets its own encryption key, generated on the client side. This ensures that data is isolated and protected independently at every level.
The password key is encrypted with your master key and remains protected throughout the entire encryption chain.
The vault key is encrypted in the system public RSA key and only vault owners can decrypt and access data. No one else can read vault contents.
The master password never leaves the user's device and serves as the root of the encryption chain. It is the only way to access cryptographic data.
The master key is generated from the user's master password using PBKDF2 - a standard that makes brute-force attacks computationally intensive and practically impossible.
Private security keys are generated on the client side and protected with passphrase-based encryption. They never leave the device unprotected.
ISO 27001 
Pentest by
GDPR
NIS2 ready 
PCI DSS ISO 27001 Pentest by GDPR NIS2 ready PCI DSS Best software to password management on premise. We chose it after checking various solutions. The possibility of installing it on our systems weighed heavily on the choice. The use is simple and …
I was looking for an on premise solution to store and manage our passwords. Multiuser with different roles and rights was a must, LDAP integration a nice add on. Passwork ticked all the boxes. They were …
Very easy and secure Passwork Manager. Easy sharing functionalities. Good LDAP integration, TOTP and Multifactor Authentication Options.
Every team manages credentials differently. See how companies across industries use Passwork to secure access, streamline collaboration, and maintain full control. From small IT teams to enterprise-wide deployments.
The City of Melle deployed Passwork to centralize credential management across municipal departments, eliminating password-related security incidents and improving access control.
Kindernothilfe deployed Passwork to enable secure password sharing across distributed teams in multiple countries, reducing access-related delays and improving operational efficiency.
Essential features for small and medium businesses to support secure growth
Advanced capabilities for complex security and management needs in large organizations
Join thousands of IT professionals who trust Passwork to manage their passwords securely. Start your free trial today or get a personalized quote.
Essential features for small and medium businesses to support secure growth
Advanced capabilities for complex security and management needs in large organizations
Join thousands of IT professionals who trust Passwork to manage their passwords securely. Start your free trial today or get a personalized quote.
Zero Trust means the server holds no information sufficient to decrypt user data. Neither server administrators nor Passwork staff can access passwords — even with full database access.
With client-side encryption enabled, the server cannot read passwords, custom field names and values, TOTP secrets, file contents, or revision history. It can only read non-sensitive metadata: vault names, record titles, login fields, URLs, and tags — fields needed for search and sorting.
Passwork applies two independent encryption layers:
The server layer is always active. All data at rest is encrypted with AES-256-CFB via OpenSSL. This protects against database file theft even without client-side encryption.
The client layer runs when client-side encryption (CSE) is enabled. Sensitive fields are encrypted on the user's device before leaving it. The server receives already-encrypted data and adds a second layer on top.
On Passwork Cloud, CSE is always enabled and cannot be disabled. On on-premise installations, CSE is configurable — disabling it is acceptable for air-gapped environments with documented justification, but is a high-severity finding on any internet-accessible instance.
Each piece of data is protected by a chain where each level encrypts the next:
1. The user enters the master password — it never leaves the device
2. PBKDF2 (SHA-256, 300,000 iterations) derives a 512-bit master key in the browser
3. The master key decrypts the user's private RSA key (2048 bits, OAEP/SHA-256), which is stored on the server in encrypted form
4. The private RSA key decrypts the vault key (256 bits), which is unique per vault and stored RSA-encrypted per user
5. The vault key decrypts the record key (256 bits), unique per record
6. The record key decrypts the password field, custom fields, TOTP secret, and attachment keys
7. Each attached file has its own unique attachment key (256 bits), encrypted with the record key
Compromising a single record key exposes only that one record. It does not expose other records, other vaults, or the user's RSA key.
All algorithms meet or exceed NIST SP 800-131A Rev. 2 recommendations:
Each key uses a fresh 128-bit initialization vector per encryption operation. Vault and record keys carry ~596 bits of input entropy, reducing to 256 bits through the AES key derivation step.
Passwork also publishes a machine-readable security profile at passwork.pro/trust.json and a standard security.txt contact file.
Every feature goes through six mandatory stages before release:
1. Idea stage — security requirements analysis and Security Champion review
2. Analysis — STRIDE threat modeling and specification
3. Code — SAST (static analysis), SBOM checks on all dependencies, automated tests
4. Build — isolated CI environment, signed distributives, private keys stored offline
5. Testing — DAST (dynamic analysis), AI-assisted review, manual expert verification
6. Release — signature verification on the customer portal
All distributives are cryptographically signed. Builds are assembled in an isolated CI environment with no external access. Private signing keys are stored offline. The public key is available at passwork.pro/public-key. Signature verification is built into the deployment scripts, so installations automatically confirm integrity before proceeding.
Passwork supports multiple authentication layers:
All user and system actions are recorded in an immutable action history. The log captures authentication events, admin actions, vault access changes, password exports, API token creation, and LDAP sync results. Events are exported in CEF (Common Event Format) via Syslog, compatible with Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM, and ArcSight. On Windows Server, events are written to Windows Event Viewer.
The Security Dashboard continuously analyzes vault credentials and flags weak passwords, passwords not rotated in over 180 days, and credentials that were accessed by users whose access has since been revoked — the last category is a critical finding requiring immediate rotation.
Send a report to [email protected]. Passwork will acknowledge receipt within 5 business days and coordinate on disclosure timing (typically 30–90 days after a fix is released). Scope includes Passwork Cloud, on-premise installations, browser extensions, mobile apps, API, and documentation. Researchers who follow the responsible disclosure policy have safe harbor — no legal action for good-faith testing. Researchers credited with confirmed findings are listed in the public Hall of Fame.
If you haven't received the email, check your spam folder or contact us at [email protected]
Please click the button below to change the language
Switch to EnglishFill out the form below to get your copy of the report
Fill out the form below to get your copy of the NIS2 guide
No credit card required 
