Skip to main content
Passwork LogoPasswork LogoTechnical guides
search
7.0arrow
search
Version: 7.0

Encryption scope

Passwork uses a two-level protection model. Not all data is encrypted on the client — some fields are protected only by server-side encryption to enable functionality (search, sorting, display).

Encryption levels overview

LevelWhere it runsWhen activeKeyAlgorithm
Client-side encryptionIn browserWhen CSE is enabledUser, vault, record keysAES-256-CBC
Server-side encryptionOn serverAlwaysServer keyAES-256-CFB

Record data

FieldClient-side encryptionServer-side encryptionReason
Record nameSearch, list display
LoginSearch, autofill
PasswordCritical data
URLSearch, autofill, browser extension
DescriptionSearch
TagsFiltering, grouping
ColorDisplay

Custom fields

AttributeClient-side encryptionServer-side encryptionReason
Field nameMay contain sensitive information
Field valueCritical data
Field typeField metadata

TOTP (two-factor authentication)

AttributeClient-side encryptionServer-side encryptionReason
TOTP secretCritical 2FA data

Attachments

AttributeClient-side encryptionServer-side encryptionReason
File nameDisplay, search
File contentsCritical data
Attachment keyYes (with record key)Key material

Record revisions

AttributeClient-side encryptionServer-side encryptionReason
Previous password valuesHistorical secrets
Previous custom fieldsHistorical secrets
Change metadataAudit, logging

Vault data

AttributeClient-side encryptionServer-side encryptionReason
Vault nameNavigation, display
Vault descriptionInformation
Vault keyYes (with user RSA key)Key material
Access rightsAccess control
Vault settingsConfiguration

User data

AttributeClient-side encryptionServer-side encryptionReason
UsernameIdentification
EmailIdentification
Public RSA keyPublic by definition
Private RSA keyYes (with master key)Critical data
Master key hashFor password verification
PBKDF2 saltCryptographic parameters
Local Storage Secret CodeFor "Remember" feature
AttributeClient-side encryptionServer-side encryptionReason
Link tokenURL identifier
Record data copyYes (with link key)Secret data
Link key (encrypted)Key material
Link key hashFor access verification
Link settingsTTL, one-time use

Service data

DataClient-side encryptionServer-side encryptionReason
Object IDsIdentification
TimestampsSorting, audit
Access/Refresh tokensSessions (in memory/cookies)
LDAP passwords (integration)Server integration
SMTP passwordsServer integration

Encryption keys by data type

DataClient-side encryption keyServer-side encryption key
Password fieldRecord key (AES-256-CBC)Server key (AES-256-CFB)
Custom fieldsRecord keyServer key
TOTP secretRecord keyServer key
File contentsAttachment key (AES-256-CBC)Server key
Attachment keyRecord keyServer key
Record keyVault key (AES-256-CBC)Server key
Vault keyUser RSA key (RSA-OAEP)Server key
Private RSA keyMaster key (AES-256-CBC)Server key

Why is not everything encrypted on the client?

Functional reasons

  1. Search — to search by name, login, URL, description, and tags, the server must be able to index these fields
  2. Sorting — sorting records by name requires access to this field
  3. Filtering — tag filtering works on the server side
  4. Autofill — browser extension matches URLs without decryption
  5. List display — showing record names without decrypting the entire record

Metadata security

Although some fields are not encrypted on the client, they are protected by:

  • Server-side encryption (AES-256-CFB) before database write
  • TLS/HTTPS during transmission between client and server
  • Access control at the application level

Threat model

ThreatProtection
Database leakServer-side encryption protects all data
Server compromiseClient-side encryption protects critical data
Traffic interceptionTLS protects data in transit
Administrator accessZero-Knowledge for passwords and secrets

Security recommendations

With CSE enabled

With client-side encryption, critical data (passwords, secrets, files) is protected by the Zero-Knowledge principle. The server cannot decrypt them.

What remains visible to the server:

  • Vault and folder structure
  • Record names
  • Logins and URLs
  • Tags and descriptions
  • Number and names of attachments

Minimizing metadata

If you need to hide metadata:

  • Use generic/non-informative record names
  • Avoid sensitive information in descriptions
  • Don't specify exact URLs for critical systems
LLM version
© 2014–2025 «Passwork»
Company
About usPrivacy policyISO 27001 certificateRelease notesRoadmapBlog
Browser extension
Google ChromeMozilla FirefoxMicrosoft EdgeApple Safari
Mobile application
App StoreGoogle Play
For business
TeamsSmall businessBusiness and corporatesEnterpriseOn-premise solutionPassword sharing toolSecret management
Help
User manualTechnical documentationHelp center