End-to-End Encryption Explained
ZZPass uses military-grade end-to-end encryption to protect your passwords. Your data is encrypted on your device before it ever leaves, and only you have the key to decrypt it. This guide explains how ZZPass keeps your passwords secure.
What is End-to-End Encryption?
End-to-end encryption (E2EE) means your passwords are encrypted on your device and can only be decrypted by you. Neither ZZPass nor anyone else can read your data.
🔒 Your Data is Private
Zero-knowledge architecture:
ZZPass cannot read your passwords, even if we wanted to. Your primary password never leaves your device, and we don't have the decryption keys.
This means:
• We can't access your passwords
• We can't recover your account if you forget your primary password
• Governments or hackers can't force us to hand over your data
• Your privacy is guaranteed by design
🛡️ Military-Grade Security
AES-256 encryption:
ZZPass uses AES-256, the same encryption standard used by governments and militaries worldwide to protect classified information.
How strong is AES-256?
It would take billions of years for a supercomputer to crack AES-256 encryption through brute force. Your passwords are protected by virtually unbreakable encryption.
🔐 Encrypted Everywhere
Your passwords are encrypted:
• On your device (at rest)
• During iCloud sync (in transit)
• On iCloud servers (in storage)
• During AutoFill (in memory)
At no point are your passwords ever stored in plain text or accessible to anyone but you.
How ZZPass Encryption Works
Step 1: Creating Your Account
Your Primary Password:
When you create your ZZPass account, you choose a primary password. This password is the master key to your encrypted vault.
Key Derivation:
ZZPass uses PBKDF2 (Password-Based Key Derivation Function 2) with 100,000+ iterations to derive an encryption key from your primary password.
Important:
Your primary password never leaves your device and is never sent to our servers. We only store encrypted data that we cannot decrypt.
Step 2: Encrypting Your Passwords
Local Encryption:
When you save a password in ZZPass:
1. The password is encrypted on your device
2. Using AES-256 encryption
3. With your derived encryption key
4. Before it's ever stored or synced
Unique Encryption Keys:
Each piece of data is encrypted with unique cryptographic keys, adding an extra layer of security.
Step 3: Syncing via iCloud
Double Encryption:
When syncing to iCloud:
1. Data is already encrypted by ZZPass
2. Apple adds another layer of encryption
3. Data travels encrypted over HTTPS
4. Stored encrypted on iCloud servers
Even if iCloud is compromised, your ZZPass data remains encrypted and unreadable.
Step 4: Accessing Your Passwords
Local Decryption:
When you unlock ZZPass:
1. You enter your primary password
2. The encryption key is derived on your device
3. Encrypted data is downloaded from iCloud
4. Data is decrypted locally on your device
5. You can view your passwords
Decryption happens entirely on your device - never on our servers or in the cloud.
Step 5: AutoFill Security
Secure Memory:
When using AutoFill:
• Passwords are decrypted in secure memory
• Only visible during authentication
• Cleared immediately after use
• Never written to disk unencrypted
Face ID/Touch ID adds an extra authentication layer before passwords are decrypted.
Step 6: Device Security
iOS/macOS Security:
ZZPass leverages Apple's Secure Enclave:
• Biometric data never leaves the Secure Enclave
• Encryption keys protected by hardware
• Isolated from the main processor
• Tamper-resistant design
Zero-Knowledge Architecture
What We Know
ZZPass can see:
• Your account exists
• When you last synced
• How much encrypted data you have
• Your email address (if provided)
This metadata helps us provide the service but reveals nothing about your actual passwords.
What We Don't Know
ZZPass cannot see:
• Your primary password
• Your passwords or usernames
• Your secure notes
• Which websites you use
• TOTP codes
• Any decrypted content
We literally cannot access this information - it's encrypted with keys we don't have.
Why This Matters
Privacy by Design:
Even if:
• Our servers are hacked
• We're legally compelled to hand over data
• Rogue employees try to access data
• iCloud is compromised
Your passwords remain safe because they're encrypted with keys only you possess.
Technical Details
Encryption Algorithms
AES-256-GCM:
• Advanced Encryption Standard
• 256-bit key length
• Galois/Counter Mode for authenticated encryption
• Protects against tampering
Key Derivation:
• PBKDF2 with SHA-256
• 100,000+ iterations
• Per-user salt
• Protects against brute force attacks
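The parameters above, and the flow in Steps 1, 2 and 4, as an added Node.js example; it is not ZZPass's own code. The record layout, the 16-byte salt, the 12-byte nonce, the function names and the use of the derived key directly on a single entry are assumptions made for illustration.

```javascript
// Added example, not ZZPass code. Record layout, salt/nonce sizes and names are assumptions.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // the page states "100,000+ iterations"

// PBKDF2-HMAC-SHA256 -> 32-byte key for AES-256.
function deriveKey(primaryPassword, salt) {
  return crypto.pbkdf2Sync(primaryPassword, salt, ITERATIONS, 32, 'sha256');
}

// Encrypt one vault entry on the device. Only the returned record would be synced.
function sealEntry(primaryPassword, salt, plaintext) {
  const key = deriveKey(primaryPassword, salt);
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt locally. Returns null when the GCM tag does not verify
// (wrong primary password, or a record modified in storage or transit).
function openEntry(primaryPassword, record) {
  const key = deriveKey(primaryPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data: one entry, opened three ways.
function demo() {
  const salt = crypto.randomBytes(16); // per-user salt, stored next to the ciphertext
  const record = sealEntry('correct horse battery staple', salt, 'hunter2-example');
  const tampered = { ...record, ciphertext: Buffer.from(record.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // flip one bit of the stored ciphertext
  return {
    rightPassword: openEntry('correct horse battery staple', record),
    wrongPassword: openEntry('incorrect guess', record),
    tamperedRecord: openEntry('correct horse battery staple', tampered),
    storedContainsPlaintext: record.ciphertext.includes('hunter2-example'),
  };
}

console.log(demo());
```

The salt, nonce and tag are not secret and travel with the ciphertext; the only secret input is the primary password, so the strength of the stored record against offline guessing depends on that password and the iteration count.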
Data Protection
At Rest:
• Encrypted local database
• iOS Data Protection API
• Complete encryption when device is locked
In Transit:
• TLS 1.3 for network communications
• Certificate pinning
• Perfect forward secrecy
In Use:
• Secure memory allocation
• Memory wiping after use
• Protection against memory dumps
Additional Security
Authentication:
• Face ID / Touch ID
• Biometric data never synced
• Hardware-backed authentication
Recovery:
• Emergency kit
• Offline backup support
• No password reset via email
Common Questions
Can ZZPass recover my password?
No. If you forget your primary password, we cannot recover it or reset it because we don't have access to your encryption keys.
This is actually a feature - it proves that we truly cannot access your data. Use your emergency kit to regain access.
Is iCloud sync secure?
Yes. Your data is encrypted by ZZPass before being synced to iCloud, then encrypted again by Apple. Even if iCloud is compromised, your passwords remain protected.
You benefit from double encryption: ZZPass's E2EE plus Apple's iCloud encryption.
What if my device is stolen?
Your data remains safe. Without your primary password or biometric authentication, the encrypted vault cannot be opened.
Additional protections:
• iOS/macOS device passcode required
• Auto-lock after inactivity
• Encrypted local storage
Can employees access my data?
No. ZZPass employees cannot access your passwords because they're encrypted with keys derived from your primary password, which we never receive or store.
What about government requests?
We can only provide encrypted data if legally compelled. Since we don't have decryption keys, we cannot provide readable passwords to anyone - including governments.
Is encryption enabled by default?
Yes. All passwords are encrypted automatically. You don't need to enable encryption - it's always on and cannot be disabled.
Best Practices for Maximum Security
✓ Use a strong primary password - At least 12 characters with a mix of letters, numbers, and symbols
✓ Never share your primary password - Not even with family, friends, or ZZPass support
✓ Store your emergency kit securely - Print it and keep it in a safe place, separate from devices
✓ Enable Face ID/Touch ID - Adds an extra layer of protection beyond your password
✓ Keep your devices updated - Security patches often fix vulnerabilities
✓ Use unique passwords everywhere - Generate strong, unique passwords for each account
✓ Enable auto-lock - Set ZZPass to lock automatically after a short period of inactivity
How ZZPass Encryption Compares
vs. Browser Password Managers
Browser managers (Chrome, Safari):
• Often sync passwords unencrypted or with weaker encryption
• Tied to your account login (easier to compromise)
• May allow password reset via email
ZZPass:
• End-to-end encrypted with zero-knowledge
• No password reset option (proves security)
• Military-grade AES-256 encryption
vs. Non-E2EE Services
Services without E2EE:
• Can access your passwords
• Can reset your password
• Vulnerable to insider threats
• Must comply with government data requests
ZZPass:
• Cannot access your passwords
• Cannot reset your password
• No insider access possible
• Can only provide encrypted data
Industry Standard
ZZPass uses the same encryption standards as:
• 1Password
• Bitwarden
• Signal (messaging app)
• Government classified systems
We follow industry best practices and security standards recommended by cryptography experts.
