Version: 7.0

Data model

Data in Passwork is organized in a four-level hierarchy with its own cryptographic keys at each level.

Object hierarchy

User
└── Vault
    └── Folder [optional]
        └── Record
            ├── Standard fields
            ├── Custom fields
            └── Attachments

Level 1: User

Each user has:

  • Credentials for system login (username, password, or SSO/LDAP)
  • Master password for client-side encryption (when CSE is enabled)
  • RSA key pair (public and encrypted private)
  • PBKDF2 parameters (salt, iteration count)

Level 2: Vault

A vault is the primary container for grouping records.

Vault types:

  • Corporate vaults — shared storage with configurable access rights
  • Personal vaults — individual user storage

Vault attributes:

| Attribute     | Description                                 |
|---------------|---------------------------------------------|
| Name          | Vault name                                  |
| Description   | Text description                            |
| Vault key     | Symmetric key for encrypting records        |
| Access rights | List of users and their roles               |
| Settings      | Limits, policies, and other parameters      |

Level 3: Folders and records

Folders are used for logical organization of records within a vault. Folders can be nested (unlimited depth). Folders do not have their own encryption keys.

A record is a unit of secret information storage.

Level 4: Fields and attachments

Each record contains a set of fields and can have attachments (files).


Record structure

Record fields

A record contains:

  • Standard fields: name, login, password, URL, description, tags, color
  • Custom fields: arbitrary name-value pairs
  • TOTP secret: for two-factor authentication
  • Attachments: attached files

Not all fields are encrypted on the client — some are protected only by server-side encryption to enable search and sorting. A detailed field encryption table is in the Encryption scope section.


Object-to-key relationship

Each hierarchy level has its own encryption key.

Key structure

The objects in the hierarchy and their cryptographic keys form a tree:

User has a master key (derived from the master password via PBKDF2) and an RSA key pair (public + private, encrypted with the master key).

Vault has a vault key (256 bits). For each user with access, a copy of the vault key is created, encrypted with their public RSA key.

Record has a record key, encrypted with the vault key.

Record data (password field, custom fields, TOTP) is encrypted with the record key.

Attachments have their own attachment key, encrypted with the record key. File contents are encrypted with the attachment key.

Keys by level

| Level | Object     | Key            | Key type              | Protected by                      |
|-------|------------|----------------|-----------------------|-----------------------------------|
| 1     | User       | Master key     | Symmetric, 512 bits   | PBKDF2 from master password       |
| 1     | User       | RSA keys       | Asymmetric, 2048 bits | Private encrypted with master key |
| 2     | Vault      | Vault key      | Symmetric, 256 bits   | RSA key of each user              |
| 3     | Record     | Record key     | Symmetric             | Vault key                         |
| 4     | Attachment | Attachment key | Symmetric, 256 bits   | Record key                        |

Data lifecycle

Creating a record

  1. User creates a record in a vault
  2. A random record key (256 bits) is generated
  3. Encrypted fields (password, custom fields, TOTP) are encrypted with the record key (AES-256-CBC)
  4. The record key is encrypted with the vault key
  5. Data is sent to the server
  6. Server applies server-side encryption (AES-256-CFB) before saving to database

Adding an attachment

  1. User attaches a file to a record
  2. A random attachment key (256 bits) is generated
  3. File is encrypted with the attachment key (AES-256-CBC)
  4. The attachment key is encrypted with the record key
  5. Encrypted file and encrypted key are sent to the server

Reading a record

  1. Client requests the record from the server
  2. Server decrypts server-side encryption and sends the data
  3. Client decrypts the vault key with their private RSA key (WebCrypto)
  4. Decrypts the record key with the vault key (AES-256-CBC)
  5. Decrypts the record fields with the record key (AES-256-CBC)
  6. For attachments: decrypts the attachment key → decrypts the file

Model characteristics

Key isolation

  • Compromising one record does not reveal other records
  • Compromising one attachment does not reveal other attachments
  • Each object has a unique encryption key

Granular access

  • Access to a vault grants access to all records inside
  • Access to an individual record is possible without vault access ("Inbox" section)
  • External links allow sharing a record without an account

Field encryption

Detailed information about which fields are encrypted on the client and which only on the server is in the Encryption scope section.