Data model
Data in Passwork is organized in a four-level hierarchy. Every level except folders has its own cryptographic key, and each key is protected by the key of the level above it.
Object hierarchy
User
└── Vault
    └── Folder [optional]
        └── Record
            ├── Standard fields
            ├── Custom fields
            └── Attachments
Level 1: User
Each user has:
- Credentials for system login (username, password, or SSO/LDAP)
- Master password for client-side encryption (when CSE is enabled)
- RSA key pair (public key, plus the private key stored encrypted with the master key)
- PBKDF2 parameters (salt, iteration count)
Level 2: Vault
A vault is the primary container for grouping records.
Vault types:
- Corporate vaults — shared storage with configurable access rights
- Personal vaults — individual user storage
Vault attributes:
| Attribute | Description |
|---|---|
| Name | Vault name |
| Description | Text description |
| Vault key | Symmetric key for encrypting records |
| Access rights | List of users and their roles |
| Settings | Limits, policies, and other parameters |
Level 3: Folders and records
Folders are used for logical organization of records within a vault. Folders can be nested (unlimited depth). Folders do not have their own encryption keys, so they form no cryptographic boundary: a record's protection comes from the vault key and its own record key, whichever folder it sits in.
A record is a unit of secret information storage.
Level 4: Fields and attachments
Each record contains a set of fields and can have attachments (files).
Record structure
Record fields
A record contains:
- Standard fields: name, login, password, URL, description, tags, color
- Custom fields: arbitrary name-value pairs
- TOTP secret: for two-factor authentication
- Attachments: attached files
Not all fields are encrypted on the client — some are protected only by server-side encryption to enable search and sorting. A detailed field encryption table is in the Encryption scope section.
Object-to-key relationship
Each hierarchy level except folders, which are purely organizational, has its own encryption key.
Key structure
The object hierarchy and their cryptographic keys form a tree:
User has a master key (derived from the master password via PBKDF2) and an RSA key pair (public + private, encrypted with the master key).
Vault has a vault key (256 bits). For each user with access, a copy of the vault key is created, encrypted with their public RSA key.
Record has a record key, encrypted with the vault key.
Record data (password field, custom fields, TOTP) is encrypted with the record key.
Attachments have their own attachment key, encrypted with the record key. File contents are encrypted with the attachment key.
Keys by level
| Level | Object | Key | Key type | Protected by |
|---|---|---|---|---|
| 1 | User | Master key | Symmetric, 512 bits | PBKDF2 from master password |
| 1 | User | RSA keys | Asymmetric, 2048 bits | Private encrypted with master key |
| 2 | Vault | Vault key | Symmetric, 256 bits | RSA public key of each user with access (one wrapped copy per user) |
| 3 | Record | Record key | Symmetric, 256 bits | Vault key |
| 4 | Attachment | Attachment key | Symmetric, 256 bits | Record key |
Data lifecycle
Creating a record
- User creates a record in a vault
- A random record key (256 bits) is generated
- Encrypted fields (password, custom fields, TOTP) are encrypted with the record key (AES-256-CBC)
- The record key is encrypted with the vault key
- The encrypted fields, the wrapped record key, and the fields that are not client-side encrypted are sent to the server
- Server applies server-side encryption (AES-256-CFB) before saving to database
Adding an attachment
- User attaches a file to a record
- A random attachment key (256 bits) is generated
- File is encrypted with the attachment key (AES-256-CBC)
- The attachment key is encrypted with the record key
- Encrypted file and encrypted key are sent to the server
Reading a record
- Client requests the record from the server
- Server removes its own server-side encryption layer and returns the data, which is still client-side encrypted
- Client derives the master key from the master password (PBKDF2), decrypts its private RSA key with it, then decrypts its copy of the vault key with the private key (WebCrypto)
- Decrypts the record key with the vault key (AES-256-CBC)
- Decrypts the record fields with the record key (AES-256-CBC)
- For attachments: decrypts the attachment key → decrypts the file
Model characteristics
Key isolation
- Compromising one record key does not reveal other records, and compromising one attachment key does not reveal other attachments or the record's fields: each object has a unique encryption key
- Isolation holds between sibling objects, not up the tree: the vault key unwraps every record key in that vault, so a vault key compromise exposes the whole vault (see Granular access)
Granular access
- Access to a vault grants access to all records inside
- Access to an individual record is possible without vault access ("Inbox" section)
- External links allow sharing a record without an account
Field encryption
Detailed information about which fields are encrypted on the client and which only on the server is in the Encryption scope section.