Technical documentation

This document explains how Privacy Guardian protects your data, how end-to-end encryption is applied, and why even our engineers cannot see your passwords.

High-level architecture

Privacy Guardian is a zero-knowledge password manager. Your vault data (passwords, usernames, secure notes, WiFi credentials, and MFA secrets) is encrypted on your device before it is sent to our servers. The backend and database store only encrypted blobs and non-sensitive metadata.

  • Client-side encryption: All sensitive fields are encrypted in the browser or app before network transmission.
  • Zero-knowledge server: The server never sees your master password or any usable decryption key.
  • Standard database & hosting: Encrypted data is stored in a MySQL database on standard infrastructure; only ciphertext is stored.

End-to-end encryption (E2EE)

Privacy Guardian uses application-level end-to-end encryption derived from your master password. Encryption and decryption happen only on your device. The server is used for authentication, sync, and storage of ciphertext.

  • Key derivation: We derive an encryption key from your master password using PBKDF2-HMAC-SHA-256 with a unique per-user salt and a high iteration count. This slows down brute-force attempts and ensures that the same password chosen by two different users yields two different keys.
  • Content encryption: Vault data is encrypted with AES-256-GCM (an authenticated cipher) using a fresh random IV (nonce) for every encryption operation.
  • Integrity protection: AES-GCM includes an authentication tag so any tampering with the ciphertext is detected when decryption is attempted.

Why we cannot see your passwords

Your master password never leaves your device. When you unlock your vault, your browser derives an encryption key in memory using your password and your personal salt. That key is used to decrypt and encrypt entries locally and is never sent to our servers.

  • Server stores ciphertext only: Database fields for passwords, notes, WiFi keys, and OTP secrets contain only encrypted values (for example strings prefixed with enc:).
  • No master password on the server: We never receive or log your master password. Losing or compromising the server does not reveal your vault contents.
  • One-way hashes for analytics: When we need to detect reused passwords, we store a one-way hash of the password (SHA-256) that cannot be reversed into the original value.

In practice, this means that even our developers and database administrators cannot view or recover your passwords. If you lose your master password, we cannot reset it or decrypt your existing vault.

Encryption and sync workflow

The steps below describe the main data flow when you save and retrieve items from your vault.

  1. You enter your master password in the app and unlock your vault.
  2. The client requests your encryption salt from the server, then uses PBKDF2-HMAC-SHA-256 to derive a 256-bit AES-GCM key in memory.
  3. When you create or edit an item, the client encrypts sensitive fields (password, notes, OTP secret, WiFi key) with AES-GCM using a fresh random IV.
  4. The client sends only ciphertext and metadata (titles, folder IDs, creation times, etc.) to the API, which writes them to the database.
  5. When you open your vault on another device, the same key-derivation process runs locally and the client decrypts the stored ciphertext into plaintext in memory.

Conceptual architecture

At a high level, Privacy Guardian separates responsibilities between the client (encryption and decryption) and the server (authentication, API, and encrypted storage):

Client (browser & extension)

  • Derives encryption key from master password and salt.
  • Encrypts and decrypts vault data with AES-GCM.
  • Displays your vault, Overwatch score, and breach results.
  • Fills passwords into websites via the browser extension.

Server & database

  • Authenticates users and manages sessions or API tokens.
  • Stores encrypted vault entries and metadata in MySQL.
  • Performs breach checks and security analytics on hashed data.
  • Never sees your master password or decrypted vault content.

Security guarantees and limitations

  • Guarantee: A database or server compromise alone does not reveal your passwords; attackers obtain only ciphertext and metadata.
  • Guarantee: Your master password is never stored or transmitted to our servers.
  • Limitation: If your device is compromised (malware, keyloggers) or an attacker learns your master password, they can access your vault just like you can.