Security Architecture
Understanding how PKey protects your digital identity through client-side encryption and a zero-knowledge architecture.
What is the Master Password?
The Master Password is the one secret from which all of your keys are derived. On your device it is fed through a key derivation function to produce the key that encrypts and decrypts your vault. PKey follows a strict zero-knowledge architecture: the password itself is never stored, never transmitted, and never available to PKey.
Is it stored on your servers?
No. The raw password is never saved in any database. For authentication the server stores only a non-reversible cryptographic hash derived from your Master Password (the authentication key described under "How is my Master Key protected?"), never the password and never the encryption key. Even if that hash were stolen in a server breach, it cannot be turned back into your Master Password or used to decrypt your vault.
How is the encryption handled?
PKey uses client-side encryption. The work of securing your data happens in your browser using AES-256-GCM, an authenticated cipher, via WebAssembly, so any tampering with stored ciphertext is detected when it is decrypted. Your data is encrypted before it ever leaves your device; only ciphertext is stored and synced. One general caveat of GCM applies here as anywhere: the nonce must be unique for every encryption under the same key, since a repeated nonce breaks both confidentiality and integrity.
Session Security & Persistence
For your protection, the Master Password and the keys derived from it are held only in volatile memory (RAM) and are never written to disk. The session automatically locks after 5 minutes of inactivity, after which the Master Password must be re-entered to unlock the vault. This limits the damage from an unattended, unlocked browser; it does not defend against malware already running on the device with your privileges, which can read memory while the vault is open.
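The idle lock described above, as an added illustration rather than PKey's own code: an in-memory session object that keeps the unlocked key in a buffer it can overwrite, checks the 5-minute idle deadline on every access, and takes an injectable clock so the expiry can be exercised without real timers. The class name, the error text and the sample key bytes are assumptions made for this example; JavaScript cannot guarantee that no other copy of the key remains in memory, so the zeroization is best effort.

```javascript
// Added example, not PKey's implementation. Holds unlocked key material in RAM
// only, enforces an idle timeout on each access, and zeroes the buffer on lock.
class VaultSession {
  // keyBytes: unlocked key material; idleMs: inactivity limit (5 min as on the page);
  // now: clock function, injectable so the timeout can be simulated in tests.
  constructor(keyBytes, { idleMs = 5 * 60 * 1000, now = Date.now } = {}) {
    this.key = Uint8Array.from(keyBytes); // private copy we control and can overwrite
    this.idleMs = idleMs;
    this.now = now;
    this.lastActivity = now();
    this.locked = false;
  }

  // Every vault operation goes through here, so the deadline is checked lazily
  // on use rather than relying on a timer that may not fire in a background tab.
  useKey(fn) {
    if (!this.locked && this.now() - this.lastActivity >= this.idleMs) this.lock();
    if (this.locked) throw new Error('vault locked: re-enter the Master Password');
    this.lastActivity = this.now();
    return fn(this.key);
  }

  // Best-effort zeroization: overwrite the bytes we hold, then refuse further use.
  lock() {
    this.key.fill(0);
    this.locked = true;
  }

  // Re-entering the Master Password yields fresh key material and a new deadline.
  unlock(keyBytes) {
    this.key = Uint8Array.from(keyBytes);
    this.lastActivity = this.now();
    this.locked = false;
  }
}

// Walk the session through 4 idle minutes (still open) and then 5 more (locked).
function simulateIdleExpiry() {
  let t = 0; // constructed clock, milliseconds
  const session = new VaultSession([1, 2, 3, 4], { now: () => t });
  t = 4 * 60 * 1000;                      // 4 min idle: under the limit, access allowed
  const first = session.useKey((k) => k[0]);
  t += 5 * 60 * 1000;                     // 5 min since last use: lock on next access
  let lockedError = null;
  try { session.useKey((k) => k[0]); } catch (e) { lockedError = e.message; }
  const keyZeroed = session.key.every((b) => b === 0);
  session.unlock([9, 9, 9, 9]);           // re-entry restores access with a new deadline
  const afterUnlock = session.useKey((k) => k[0]);
  return { first, lockedError, keyZeroed, afterUnlock };
}
```

Checking the deadline on access rather than only on a timer matters in browsers, where timers in background tabs are throttled; a timer can still be added on top to clear the key proactively.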
Why Argon2id over standard hashing?
Unlike fast hashes such as SHA-256, Argon2id is memory-hard: every guess must fill and traverse a configurable amount of RAM, so the cost of a guess cannot be driven down by GPUs or ASICs, which have fast arithmetic but comparatively little memory per core. This makes large-scale guessing by GPU farms or botnets far more expensive per candidate password. It does not make guessing impossible: a short or commonly used Master Password can still be found, so the password itself must be long and unique.
How is my Master Key protected?
PKey uses the HKDF (HMAC-based Key Derivation Function) protocol. Your master key is cryptographically split into two completely isolated keys, one strictly for authentication and one strictly for encryption, ensuring maximum architectural security.
What if I lose my Master Password?
Due to our zero-knowledge architecture, there is no 'Forgot Password' option. If the Master Password is lost, the encrypted data cannot be recovered. We recommend keeping a physical backup of your Master Password in a secure location.
Why is PKey Open Source?
Transparency is the foundation of security. By making PKey open-source, we allow the community to audit our encryption logic, ensuring there are no backdoors or hidden vulnerabilities. You can verify our claims on GitHub.
Can PKey access my data?
No. PKey follows a strict zero-knowledge architecture: your data is encrypted on your device before it reaches our servers, and the encryption key never leaves your device. Even our team cannot view, access, or decrypt your stored information.
What happens if PKey servers are compromised?
Even in the unlikely event of a server breach, your data remains protected. An attacker obtains only ciphertext and the non-reversible authentication hash; without your Master Password the ciphertext cannot be decrypted. What a breach does make possible is offline guessing of your Master Password against the stolen data. Argon2id makes each guess expensive, but a weak password is the one thing that could still be found this way, which is why it must be long and unique.
How strong is the encryption?
PKey uses AES-256-GCM authenticated encryption, which protects both the confidentiality and the integrity of your stored data. Your Master Password is run through Argon2id (a memory-hard function) to derive the key, which makes each brute-force guess costly even on GPU hardware. The overall strength still depends on the Master Password: AES-256 is not the weak link, a guessable password is.
Is syncing across devices secure?
Yes. Your data is encrypted on the sending device before it syncs and is only decrypted on the receiving device once you unlock it with your Master Password. The server and the network path see ciphertext only, so your information remains unreadable to anyone without your Master Password even while in transit.
Is browser-based encryption safe and fast?
Yes. PKey runs its cryptography with WebAssembly (WASM) and the browser's native Web Crypto API inside background Web Workers, so the page's main thread is never blocked while keys are derived or the vault is encrypted. All of this happens locally on your device without freezing or slowing it down.
Do you track or collect my data?
No. PKey does not track, analyze, or sell your personal data. We only collect the minimum required information to provide the service.