How it works

PassAgent uses a zero-trust encryption model where all sensitive data is encrypted and decrypted on your device. The server stores only ciphertext and can never access your passwords.

1. Key derivation

Your master password is processed through Argon2id (64 MiB memory, 3 iterations, 4 lanes) with a per-user salt to produce a 256-bit AES key. A low-memory fallback (32 MiB, 4 iterations) is available for constrained devices.

2. Encryption

Each password record is encrypted with AES-256-GCM using a unique initialization vector. The resulting ciphertext is stored as { iv, ciphertext } in the database.

3. Envelope encryption

For sharing scenarios, per-item 256-bit random keys are encrypted with the recipient’s RSA-OAEP public key. This enables secure credential sharing without exposing the vault key.

Vault lifecycle

| Action | What happens |
| --- | --- |
| Unlock | Master password derives the vault key via Argon2id. Key is held in memory. |
| Save credential | Credential is encrypted client-side with the vault key, then sent to the server as ciphertext. |
| Reveal credential | Ciphertext is fetched from the server and decrypted client-side. An audit event is logged. |
| Lock | Vault key is wiped from memory. Credentials become inaccessible until re-unlock. |
| Auto-lock | Vault locks automatically after a configurable inactivity timeout. |

Password generation

PassAgent includes a configurable password generator:
  • Length: 8 to 128 characters
  • Character sets: uppercase, lowercase, digits, symbols
  • Presets: memorable (passphrase), strong (random), PIN (numeric)
  • Exclusions: ambiguous characters (0O1lI), custom character exclusions

Import and export

Import credentials from other password managers via CSV or JSON:
  • 1Password
  • LastPass
  • Bitwarden
  • Chrome browser export
  • Generic CSV format
Navigate to Dashboard > Settings > Import and upload your export file.

Family vault

The family vault lets household members share a common set of credentials (streaming services, utility accounts, etc.) while maintaining individual vaults.
  • Family vault key (FVK) is wrapped with each member’s vault key using AES-KW
  • Members can add, edit, and remove shared credentials
  • Each member’s individual vault remains separate and private
  • Shamir secret sharing enables family recovery if a member loses their master password
Family vault recovery uses k-of-n Shamir shares split over GF(256). Each share is encrypted with the guardian’s vault key before storage.