Client-side encryption
Two levels of data protection

Passwork protects your passwords at two levels:

- Server-side encryption is always on: all password data is automatically encrypted with the AES algorithm before being written to the database. This mechanism requires no action from the administrator.
- Client-side encryption (CSE) adds a second layer of protection. When it is enabled, data is encrypted directly in the user's browser, mobile application, or extension, and only encrypted text reaches the server.

By default, this mode is disabled, so users work without master passwords, which simplifies everyday use of the system.

How client-side encryption works

When client-side encryption is enabled, a key chain is created for:

- users
- vaults
- records (passwords and shortcuts)
- password links

The user sets a master password, from which a master key is generated using the PBKDF2 algorithm. This key decrypts the user's private RSA key, which in turn provides access to vault master keys. Using the vault master key, the system decrypts the record master key, and the record master key allows decryption of the password data.

Users can share a password within Passwork without adding another user to the vault. In this case, the system decrypts the specific record master key using the user's private RSA key.

Main scenarios

Through a vault:
user master password → user master key → user private RSA key → vault master key → record master key → password data

Through the Incoming section:
user master password → user master key → user private RSA key → record master key → password data

It is important to note that all keys (RSA keys, vault master keys, record master keys) are created on the client side (in the browser) using cryptographic algorithms and are never transmitted to the server in plain text, which makes data decryption on the server side impossible.

On the client side, all password fields, additional fields, TOTP secrets, attachments, and all record revisions are encrypted. However, record names, the main login, tags, URLs, and comments are not encrypted on the client side, which enables search functionality.

The scheme with separate keys for vaults and records enables a zero-knowledge architecture and end-to-end encryption, both for individual passwords and in shared vaults.

When to use client-side encryption

Client-side encryption is recommended to ensure a zero-knowledge model when Passwork is deployed in the cloud, or when compliance with security standards is required (in your company or globally). Client-side encryption is especially important when storing critically important data: root accounts, SSH keys, or cryptocurrency wallet seed phrases.

If Passwork is deployed in an isolated corporate network under full organizational control, server-side encryption is usually sufficient. In this case, the absence of master passwords simplifies the user workflow.

Setup and access recovery

The user's master password is never transmitted to the server. Therefore, if a user forgets their master password, there is no way to recover it. Without the master password, the user cannot authenticate in the system or decrypt their data. In such cases, a Passwork administrator can reset the user's master password; the user can then set a new master password (and generate a new RSA key pair). Vault or folder administrators must re-confirm such users in their vaults, after which all rights are automatically restored.

Working with groups

Client-side encryption is compatible with the group system and LDAP synchronization. When a user is added to a group, access requests are created for all associated vaults. The vault administrator confirms the request, and the vault master key is securely transmitted through RSA encryption. This preserves the zero-knowledge scheme while keeping the automation that groups provide.

Technical implementation

The system uses proven cryptographic algorithms: PBKDF2-SHA-256 for key derivation, AES-256-CBC for data encryption, and RSA-2048 for secure vault key transmission.

Client-side encryption is supported in all official Passwork clients: the web interface, browser extensions, and mobile applications. For server integrations, a Python connector with the same encryption logic is available.

See also: Enable client-side encryption.