What is a zero-knowledge password manager?
'Zero-knowledge' is one of the most important — and most misused — words in security. Here is what it actually means, how to verify it, and why it changes who can read your data.
The problem it solves
Most services that store your data can also read it. Their servers hold the encryption keys, so a breach, a rogue insider, or a legal demand can expose everything you saved. For a password manager — which holds the keys to your entire online life — that is exactly the wrong arrangement.
What zero-knowledge actually means
A zero-knowledge password manager encrypts your data on your own device before it is ever sent anywhere, using a key derived from your master password. That key never leaves your device, and the provider never receives it. When your vault syncs to the cloud, the server stores only an opaque, encrypted blob it has no way to decrypt. The provider has 'zero knowledge' of what's inside.
The practical result: even if the company's servers were fully compromised, attackers would get ciphertext, not your passwords. And the provider genuinely cannot read your vault — not for advertising, not for support, not under subpoena.
How to tell real zero-knowledge from marketing
- Encryption happens on the client. Look for explicit statements that data is encrypted on your device and that the master password is never transmitted.
- Named primitives. Reputable tools say which algorithms they use. IronVault, for example, derives your key with PBKDF2 (600,000 iterations, SHA-256) and encrypts every item with AES-256-GCM. You can read the details on the security page.
- Unrecoverable by the provider. The honest tell: if you forget your master password, the provider cannot reset it for you. That limitation is the proof the system works.
The trade-off worth understanding
Because only you hold the key, recovery is your responsibility. Set up a recovery code when you create your vault and store it somewhere safe and offline. This is a deliberate design choice: the provider is structurally incapable of seeing your data, even if it wanted to.
Where IronVault fits
IronVault is zero-knowledge by design across passwords, 2FA codes, cards, crypto seed phrases, notes and documents — one encrypted vault where only you hold the key. If you're comparing options, our honest comparisons lay out where each tool leads. You can also see how IronVault works as a day-to-day password manager.
Back to IronVault home · What Is a Zero-Knowledge Password Manager?