Security & encryption
How Zecuri protects your vault — a detailed, plain-English technical overview.
Threat model & assumptions
Zecuri protects against:
- Server compromise: if attackers gain access to our servers and all sync metadata, they learn nothing about your passwords. Vault data is encrypted with keys derived from your master password.
- Network eavesdropping: all communication is over HTTPS. Even if traffic is intercepted, vault data is end-to-end encrypted with AES-256-GCM.
- Account enumeration: our servers don't store account names or emails — only sync metadata. An attacker cannot enumerate Zecuri users.
Zecuri does not protect against:
- Device compromise (malware): a keylogger on your device can capture your master password.
- Physical device theft: if someone steals your device and cracks the device lock, they can reach your vault.
- Social engineering: if you're tricked into revealing your master password, an attacker can access your vault.
Bottom line: Zecuri moves the responsibility to the device level. Keep your device secure — OS updates, a strong passcode — and Zecuri handles the encryption.
Cryptographic primitives
Modern, standard, audited building blocks — nothing home-grown in the critical path.
Master password derivation
Argon2id (RFC 9106): m=64 MiB, t=3, p=4. 32-byte random salt per account, 32-byte output key. Memory-hard, resistant to GPU/ASIC cracking. No shared master key across accounts.
Vault encryption
AES-256-GCM: 12-byte random nonce per encryption; authenticated encryption detects tampering. Each item is encrypted separately, so one compromised key doesn't expose the rest.
Device signing
Ed25519: 32-byte keys, 64-byte signatures. Each device signs its sync metadata; other devices verify signatures for integrity. Fast and side-channel resistant.
Cross-device sync without a central key
Zecuri sync works like a time machine for your vault:
- Each device keeps a log of changes — password added, updated, or deleted.
- Each change is stamped with a Hybrid Logical Clock (HLC) timestamp.
- When devices sync, they exchange change logs.
- Each device merges changes using a Last-Write-Wins (LWW) strategy.
- If two devices modify the same password at different times, the later change wins.
- If they modify it concurrently, the device with the higher ID wins — deterministically.
The server only ever holds Ed25519-signed sync metadata — never your vault contents. Devices do the encryption and merging; the server is stateless.
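The merge rule from the list above, sketched as an added example; this is not Zecuri's own code. The HLC layout (millisecond wall clock plus counter), the integer device IDs, the opaque `blob` field, treating "concurrent" as an equal HLC timestamp, and the sample logs are all assumptions, and Ed25519 signature verification is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True, order=True)
class HLC:
    wall_ms: int   # physical clock component (assumed milliseconds)
    counter: int   # logical counter for events within the same millisecond

    def tick(self, now_ms):
        # Timestamp for a local change: never moves backwards.
        if now_ms > self.wall_ms:
            return HLC(now_ms, 0)
        return HLC(self.wall_ms, self.counter + 1)

    def receive(self, remote, now_ms):
        # Advance past a timestamp seen during sync.
        wall = max(self.wall_ms, remote.wall_ms, now_ms)
        if wall == self.wall_ms == remote.wall_ms:
            return HLC(wall, max(self.counter, remote.counter) + 1)
        if wall == self.wall_ms:
            return HLC(wall, self.counter + 1)
        if wall == remote.wall_ms:
            return HLC(wall, remote.counter + 1)
        return HLC(wall, 0)

@dataclass(frozen=True)
class Change:
    item_id: str
    hlc: HLC
    device_id: int
    blob: Optional[bytes]  # encrypted item as an opaque blob; None = deletion

    def rank(self):
        # Later HLC wins; on an equal HLC the higher device ID wins.
        return (self.hlc, self.device_id)

def merge(state, log):
    # Last-Write-Wins per item; returns a new state map.
    merged = dict(state)
    for ch in log:
        cur = merged.get(ch.item_id)
        if cur is None or ch.rank() > cur.rank():
            merged[ch.item_id] = ch
    return merged

# Constructed sample logs from two devices (IDs 1 and 2).
LOG_A = [Change("mail", HLC(1000, 0), 1, b"ct-a1"), Change("bank", HLC(1005, 0), 1, b"ct-a2")]
LOG_B = [Change("mail", HLC(1000, 0), 2, b"ct-b1"), Change("bank", HLC(1003, 0), 2, None)]
```

Merging the two logs in either order yields the same state, which is the property that lets devices converge while the server only relays metadata.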
Security audit & transparency
Zecuri's security is verified through:
- Dependency CVE scan: every dependency is checked against the NIST CVE database.
- Threat-model review: assumptions documented and reviewed against the OWASP Top 10.
- Code review: sync and crypto code reviewed for timing attacks, buffer overflows, and logic errors.
- Standard primitives: all cryptography is NIST-approved or widely recommended.
- Open source: all critical-path code is public. No closed-source components in the crypto.
What's next (roadmap)
- OPAQUE-3DH migration: replace token exchange with OPAQUE password-authenticated key exchange, so no password material (even hashed) is sent over the wire.
- Per-item key derivation: researching whether each item should have its own derived key (extra isolation for marginal cost).
- Durable storage migration: moving sync state to durable storage for permanent retention beyond the current short-lived cache.
Encryption you can verify
Read the code, run the audit, then install with confidence.
