Info
KeePass Hub
A. Install
Activating Software
Next Steps
Updating Software
Zero Knowledge Encryption
IIS Hosting
Cloud Hosting
Hardware and Software Requirements
Azure Integration
Redirect HTTP Requests to HTTPS
New Blank Install
Setup Switches
Digital Signatures and Checksum Hashes
Sitemap
Info  >  KeePass Hub  >  A. Install  >  Zero Knowledge Encryption Page last modified Jan 19 2024, 15:08

Zero Knowledge Encryption

Share KeePass Passwords with your Team of multiple users

Enable client-side encryption right at the device level for Pleasant Password Server. 

Password Server provides End-To-End Encryption (E2EE) which allows secure password sharing with other users.

Users passwords are encrypted on the client machine, remaining encrypted in transit, and on the server. Decryption requires the unique user key, available only to the user, inaccessible to the server.

Even the server itself does not have the knowledge or ability to decrypt these keys, and so cannot access the user's passwords.

In version 8, each user has the ability enable Zero Knowledge Encryption to password entries.

Zero Knowledge Passwords, Zero Knowledge ArchitectureZero Knowledge Server, Zero Knowledge Database

Applies to: 

  • Version 8 
  • Enterprise+SSO Edition
  • Password Server & Web client app
  • In the future it is expected: all client apps

 

Have Questions?  Contact Us!

 

Pleasant Password Server Version 8

Each user has their own secret encrypted access based on their own Secret Key or Encryption Password.

Conveniently the user's Secret Keys can be securely stored on the user's devices, with an easy-transfer to subsequent devices. 

 

Encryption Security Methods:

  • Secret Keys
  • User Encryption Password

Sharing Secrets:

  • A secure copy of the encrypted data is securely provided for each user granted access

Client Safeguards:

  • Incompatible requests are securely blocked from accessing the E2EE encrypted values: other client apps, client types, older client versions, and other API requests 

Feature Support:

  • Share Secrets securely with other users
  • Passwordless Sign-In (with SAML SSO)
  • Encryption Keys
  • Corporate Key Architecture
  •  Authentication Methods:
    • Secret Keys
    • User Encryption Passwords
    • Secret Keys or Encryption Passwords
  • Password Resets
    • Admin - with Corporate Keys
    • User - Self-Serve Reset
  • Active Directory / LDAP Integration
  • New Device Easy-Transfer - of Secret Keys
  • Client logging to server
  • Secure Shared Web Worker Technology - web client support
  • Military Grade Encryption: AES256-GCM, RSA 2048-bit Asymmetric

Zero Knowledge Encryption

Password Server has implemented End-To-End Encryption from client to other shared clients.

Implemented with the following specifications:

  • AES256-GCM
  • RSA 2048-bit Asymmetric Encryption
  • Salt, PBKDF2-HMAC SHA256 with 100,000 iterations

Zero Knowledge Security

Has the following benefits:

  • Protects secrets from Hosting / Cloud Partners
  • Protects secrets from Internal threat actors
  • Provides another layer of encryption
    • on the database & server
    • in transit from the device

Go Passwordless!

Passwordless Encryption Method

At this time this layer of encryption is enabled via General Systems, allowing the administrative user to decide which workflows they wish to enable

  • User Secret Keys - which can be stored on any the user's device(s)

In this method, 1 user will have 1 Secret Key across devices.

 

Alternatively, you may choose to base encryption on: 

  • Encryption Passwords, or
  • Secret Keys & Encryption Passwords (both methods)

Device Level Encryption

Each web application client will encrypt/decrypt using the user's encryption keys, which are based on the method (above) chosen by the administrator.

Zero Knowledge Passwords

Secret fields which are encrypted with this method are visibly indicated with a secure shield and include:

  • Passwords, TOTP Secrets

Expect additional fields in the future....