Zero Knowledge Encryption
Enable device level encryption with Pleasant Password Server. Protect your passwords from prying eyes.
End-To-End Encryption (E2EE) options allow a software client to securely communicate with the server without server knowledge of your passwords.
Thus the concepts of Zero Knowledge Architecture, Zero Knowledge Data, Zero Knowledge Server, and Zero Knowledge Database are born.
Applies to:
- Version 8 SSO edition - Web app, Password Server
Pleasant Password Server version 8 (expected shortly!) adds the ability to encrypt at the device level using encryption keys, which are then kept private from the Server and Database.
Each user has their own secret encrypted access based on their own Secret Key or alternatively on their own Vault Password.
Conveniently the user's Secret Keys can be securely stored on the user's devices, and even conveniently uploaded to subsequent devices.
Client Safeguards:
- Incompatible requests are securely blocked from accessing the E2EE encrypted values: other client apps, client types, older client versions, and other API requests
Sharing Encrypted Secrets:
- A secure copy of the encrypted data can be securely provided for each user which has been granted access.
Feature Support:
- Passwordless (with SAML SSO)
- Share Secrets - with other users
- Password Resets:
- User
- Admin - using the concept of Corporate Keys
- Active Directory / LDAP Integration
- Etc.
Zero Knowledge Encryption
End-To-End Encryption (E2EE) is implemented with the following:
- AES256-GCM
- RSA 2048-bit Asymmetric Encryption
- Salt, PBKDF2-HMAC SHA256 with 100,000 iterations
Zero Knowledge Security
Has the following benefits:
- Protects secrets from Hosting / Cloud Partners
- Protects secrets from Internal threat actors
- Provides another layer of encryption
- on the database & server
- in transit from the device
Go Passwordless!
Passwordless Encryption Methods
At this time this layer of encryption is enabled via General Systems, allowing the administrative user to decide which workflows they wish to enable
- User Secret Keys - which can be stored on any the user's device(s)
In this method, 1 user will have 1 Secret Key across devices.
Vault Password Encryption Method
Alternatively, you may choose to base encryption on:
- Vault Passwords (only)
Both Encryption Methods
- Secret Keys & Vault Password
Device Level Encryption
Each web application client will encrypt/decrypt using the user's encryption keys, which are based on the method (above) chosen by the administrator.
Zero Knowledge Data
It's possible that you may safely store all your data in a Zero Knowledge Data format!
Data fields which are encrypted with this method are visibly indicated with a secure shield and include:
- User Names, Passwords, URLs, Notes, TOTP Secrets, Custom Field Values