Zero Knowledge Encryption

Enable device level encryption with Pleasant Password Server. Protect your passwords from prying eyes.

End-To-End Encryption (E2EE) options allow a software client to securely communicate with the server without server knowledge of your passwords.

Thus the concepts of Zero Knowledge Architecture, Zero Knowledge Data, Zero Knowledge Server, and Zero Knowledge Database are born.

Applies to: 

  • Version 8 SSO edition - Web app, Password Server


Pleasant Password Server version 8 (expected shortly!) adds the ability to encrypt at the device level using encryption keys, which are then kept private from the Server and Database.

Each user has their own secret encrypted access based on their own Secret Key or alternatively on their own Vault Password.

Conveniently the user's Secret Keys can be securely stored on the user's devices, and even conveniently uploaded to subsequent devices.


Client Safeguards:

  • Incompatible requests are securely blocked from accessing the E2EE encrypted values: other client apps, client types, older client versions, and other API requests 

Sharing Encrypted Secrets:

  • A secure copy of the encrypted data can be securely provided for each user which has been granted access.

Feature Support:

  • Passwordless (with SAML SSO)
  • Share Secrets - with other users
  • Password Resets:
    • User
    • Admin - using the concept of Corporate Keys
  • Active Directory / LDAP Integration
  • Etc.

Zero Knowledge Encryption

End-To-End Encryption (E2EE) is implemented with the following:

  • AES256-GCM
  • RSA 2048-bit Asymmetric Encryption
  • Salt, PBKDF2-HMAC SHA256 with 100,000 iterations

Zero Knowledge Security

Has the following benefits:

  • Protects secrets from Hosting / Cloud Partners
  • Protects secrets from Internal threat actors
  • Provides another layer of encryption
    • on the database & server
    • in transit from the device

Go Passwordless!

Passwordless Encryption Methods

At this time this layer of encryption is enabled via General Systems, allowing the administrative user to decide which workflows they wish to enable

  • User Secret Keys - which can be stored on any the user's device(s)

In this method, 1 user will have 1 Secret Key across devices.

Vault Password Encryption Method

Alternatively, you may choose to base encryption on: 

  • Vault Passwords (only)

Both Encryption Methods

  • Secret Keys & Vault Password

Device Level Encryption

Each web application client will encrypt/decrypt using the user's encryption keys, which are based on the method (above) chosen by the administrator.

Zero Knowledge Data

It's possible that you may safely store all your data in a Zero Knowledge Data format!

Data fields which are encrypted with this method are visibly indicated with a secure shield and include:

  • User Names, Passwords, URLs, Notes, TOTP Secrets, Custom Field Values