Working and Security

The simple and smooth browsing you do with Enpass is the result of mutual working of Enpass App, Enpass plugin (extension) and Enpass Helper. Each and every single component has its unique functionality. They communicate through a Highly Secure Web Socket , diminishing the chance of information effluence. Read about the working and scope of each component of Enpass down here:

Components of Enpass

  • Main Enpass App- This is the main application that you execute yourself from the launcher and it run as unique process in OS. Among all the components, only it can access the data from encrypted Enpass keychain. Enpass App needs to be running in order to use Browser Extension.
  • Enpass Extension- Enpass Extension is the browser plugin written in javascript that integrates into web browsers. It communicates with the Browsers after verifying them through code signature. It is the Enpass Extension which is responsible for filling the login and credit card details. Whenever you click on Extension icon or use a shortcut key for autofilling, it securely requests the main Enpass app asking for login credentials for that particular domain. In response to that, main Enpass App sends the desired information with username and passwords to Extension for autofilling.
  • Enpass Helper- It is the component that does all UI (user interface) work in the browser like presenting the list of items, taking user inputs and various other prompts. The Enpass Helper always runs in the background as a seperate process in OS with main Enpass App and closes automatically with that. Also there is no direct communication between Helper and Extension and every such requirement is fulfilled by Enpass App.


Enpass App communicates with Helper and Extension over a local web socket. We have tried to ensure maximum security so that no one can eavesdrop your sensitive data.

  • Extension Validity Check- When a browser extension tries to connect to main App, we verify the origin of the connection, it must be the unique identifier of our browser extension and browser will not allow any two extensions with same ID.
  • Browser Validity Check- When a browser extension tries to connect to main app, we also verify its authenticity by checking its code singing signature i.e. browser must be code signed with relevant company’s certificate (i.e Chrome is signed by Google ).


Browser Validity Check is not available on Linux as code singing is not available there.

Advice for users

For maximum security we advice users to

  • Download browsers from the legitimate sources only.
  • Carefully install the third party extensions.