Security & Architecture
Zecuri is built on zero-knowledge encryption. Your vault is encrypted on your device before it ever reaches our servers.
Cryptographic Primitives
Argon2id (KDF)
Your master password is hashed with Argon2id using memory-hard parameters, which derives a strong encryption key from your password. Because each guess costs significant memory and time, the derived key resists brute-force attacks even if an attacker obtains the salt and hashing parameters, which are not secret.
AES-256-GCM (AEAD)
Your vault is encrypted with AES-256-GCM, an authenticated encryption cipher. This ensures confidentiality, integrity, and authenticity of your encrypted data.
Ed25519 (Signatures)
Each device holds a unique Ed25519 signing key. Sync metadata is signed with this key to prove authenticity. Only you can sign metadata for your vault.
Hybrid Logical Clocks (HLC)
Sync uses HLC for causal ordering without a central authority. Conflicts are resolved deterministically, and you always have the final say.
Zero-Knowledge Guarantee
Zecuri servers store:
- Opaque encrypted vault blob (ciphertext we cannot decrypt)
- Ed25519-signed sync metadata (which device made which change)
- Account metadata (email, timestamps)
Zecuri servers do not store:
- Your master password
- Your encryption keys
- Plaintext credentials, passwords, or secrets
- Information about which sites you have credentials for
Threat Model
Out of scope: If your device is compromised, whether by malware or by an attacker with physical or remote access to it, your vault can be stolen from the device. This is a device-level threat, not a Zecuri flaw. Zecuri cannot protect against keyloggers, device takeovers, or other malware. We recommend keeping your device secure (OS updates, antivirus, a strong device lock).
In scope: Zecuri protects against server compromise, network eavesdropping, legal requests for your vault, and data breaches on our infrastructure.
Audit & Open Source
Zecuri's client code and sync protocol are open source and available on GitHub. We've completed a security audit covering dependency CVEs, threat modeling, and cryptographic verification.