All vault data is encrypted by Passvault before being stored anywhere.
Vault data can only be decrypted using a key derived from your master password. Passvault is a zero-knowledge encryption solution, meaning you are the only party with access to your key and the ability to decrypt the vault data. Listed below are examples of the data that is encrypted, as well as download links demonstrating the encrypted data.
Vault data that is encrypted:
- For all items:
  - Item names
  - Notes
  - Attachments
    - Attachment name
    - File contents
    - File encryption key
  - Custom field names and values
- For logins:
  - Usernames
  - Passwords
  - Password history
  - URIs (i.e. match detection strings)
  - Authenticator keys (i.e. TOTP secrets)
- For cards:
  - Cardholder names
  - Numbers
  - Brands
  - Expiration dates
  - Security codes
- For identities:
  - Names (Title/First/Middle/Last)
  - Usernames
  - Companies
  - Social Security numbers, passport numbers, and license numbers
  - Emails and phones
  - Address 1, Address 2, Address 3, City / Town, State / Province, Zip / Postal code, Country
- For Sends:
  - Send names
  - Send text
  - Send file
  - Send notes
  - Send encryption key
- Folder names
- Collection names
Secrets Manager data that is encrypted:
- For secrets:
  - Secret names
  - Secret values
  - Secret notes
- Project names
- Service account names
- Access token names (access token values are never stored by Passvault)
Some data, but never vault or secrets data, is used to provide the Passvault service to you.