When it comes to online security and conversations around data breaches, we often talk about using password managers. Once that best practice has sunk in, one must also make an informed choice among the several password managers available and understand how secure our data is with them.
Enpass is built on a ‘zero-knowledge architecture’. This means that all the information that a user stores on Enpass is accessible only to that user. Our servers do not interact with the user data at any point – whether you save it locally on your device or on your NAS or sync it via your preferred cloud service.
It’s your data, and not for us to peek at for any kind of testing, analytics, or marketing.
Enpass was conceived as an offline password manager for this very reason, and data privacy and security have always been a top priority for us and a cornerstone of our product roadmap and developmental efforts.
Like all password managers, Enpass encrypts the data that the user adds. Moreover, both the encryption and decryption are done locally. Even in the case of cloud storage, the data is always transmitted in an encrypted format and decrypted locally.
Here’s a fun exercise. Open the Enpass data file on your device in a binary editor and all you’ll see is encrypted gibberish data.
Additionally, the key that encrypts your data is derived from your Master Password. This password is known only to you and hence Enpass does not have any record of the password or its derivative. Enpass also does not store the encryption key or its derivative.
Enpass uses one of the world’s leading cryptographic algorithms to secure user data. All data is encrypted with 256-bit AES with 100,000 rounds of PBKDF2-HMAC-SHA512 using the peer-reviewed and open-source encryption engine SQLCipher.
This helps protect your data against any brute force or side channel attacks. Even if an attacker gains access to your Enpass data file (like in that little exercise we did above), it is unusable until the attacker has access to your master password. And with brute force, it will take the attacker years to crack and take a peek at your data.
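
The key derivation described above, sketched with Python's standard library as an added example (it is not Enpass or SQLCipher code). It derives a 256-bit key with 100,000 rounds of PBKDF2-HMAC-SHA512 and estimates how the cost of guessing grows with master password strength; the salt size, sample password and entropy figures are assumptions constructed for illustration.

```python
import hashlib
import os
import time

ITERATIONS = 100_000  # PBKDF2 rounds stated on this page
KEY_BYTES = 32        # 256-bit AES key
SALT_BYTES = 16       # assumption: salt size picked for this example


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac(
        "sha512", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def seconds_per_guess(salt: bytes, samples: int = 3) -> float:
    """Measure what one password guess costs on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt)
    return (time.perf_counter() - start) / samples


def average_years_to_search(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average half the password space is tried."""
    return (2 ** entropy_bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)            # constructed sample salt
    password = "correct horse battery"       # constructed sample master password
    key = derive_key(password, salt)
    print("key bits:", len(key) * 8)
    # The key is reproducible from password + salt, so it never needs storing.
    print("same password, same key:", derive_key(password, salt) == key)
    print("one character off, same key:", derive_key(password[:-1] + "z", salt) == key)
    rate = 1 / seconds_per_guess(salt)
    print(f"guesses/second on this CPU: {rate:.1f}")
    for bits in (28, 40, 60):                # assumed weak / moderate / strong passwords
        print(f"{bits}-bit password: ~{average_years_to_search(bits, rate):.3g} years")
```

The measured rate is for a single CPU core; the estimate scales inversely with whatever guess rate is assumed, so the strength of the master password dominates the result.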
You can read more about our security practices in this whitepaper.