Zero-knowledge · End-to-end encrypted

Your passwords, yours alone.

Passphrazor encrypts everything in your browser before it ever touches a server. Not even we can read your vault.

Create a free vaultSign in
vault.passphrazor.app

GitHub

octocat@github.com

Stripe

founder@acme.io

AWS Root

ops@acme.io

Home WiFi

WPA2 · Aurora-2.4

Built so we can't see your data

The math is the security. Everything below runs in your browser, in front of every byte that gets stored.

Zero-knowledge architecture

Your master password never leaves your device. Encryption happens entirely in your browser via the Web Crypto API.

AES-GCM-256 encryption

Every entry is sealed with AES-GCM-256 and a unique IV before it touches Firestore.

PBKDF2 key derivation

310,000 SHA-256 iterations make brute-forcing your master password computationally painful.

All entry types

Logins, credit cards, secure notes, and WiFi passwords — every byte encrypted, every byte yours.

Cryptographic password generator

Up to 128-character passwords with live entropy measurement, all generated by crypto.getRandomValues.

Encrypted export

Export re-encrypted with a separate password — or plain CSV if you really need it, with explicit warnings.

Security by design

Zero-knowledge isn't a slogan — it's a constraint.

Each guarantee below is enforced in code you can audit. No analytics on your secrets, no key escrow, no fine print.

  • Master password never sent over the network
  • Derived CryptoKey lives only in memory — never localStorage
  • Every Firestore write passes through AES-GCM encrypt() first
  • PBKDF2: 310,000 SHA-256 iterations
  • Random 96-bit IV per encrypt() call
  • Clipboard auto-clears after a configurable timeout
  • Idle-based auto-lock with adjustable timeout
  • HIBP breach checks use k-anonymity (5-char SHA-1 prefix only)

Spin up a vault in 30 seconds.

Pick a master password, set up 2FA, and start storing logins. No credit card, no telemetry, no recovery backdoor.

Create your vaultI already have one