Feature: Zero-Knowledge Encryption

Keeper protects your organization with zero-knowledge encryption.

Keeper’s zero-knowledge encryption ensures only you can access your data – no one else, not even Keeper.


How Keeper uses zero-knowledge encryption to protect your vault

Keeper’s zero-knowledge architecture ensures that your vault data is fully encrypted before it ever leaves your device. Decryption requires three components that only the end user controls:

Your authentication credentials

Whether logging in with a master password, Single Sign-On (SSO), Face ID, Touch ID or other authentication method, Keeper never stores or has access to your credentials. Authentication occurs securely on your device.

A device-generated encryption key

Keeper derives a 256-bit AES encryption key on the user’s device using PBKDF2 with a unique salt and a high iteration count. This key is used to encrypt and decrypt vault data locally. The key is never transmitted to Keeper’s servers or stored in the cloud.

Your encrypted vault data

Encrypted vault records, which include attachments and metadata, are stored in Keeper’s cloud. Without your credentials and encryption keys, the stored data cannot be decrypted.

Keeper delivers complete privacy with zero-knowledge encryption

Only you can access your data

Keeper’s zero-knowledge architecture ensures that only you can access your vault data. Because Keeper cannot decrypt your information, and neither can infrastructure providers, your data remains protected. In addition to storing the encrypted data, Keeper's cloud performs super-encryption using hardware security modules.

Supports regulatory compliance

Keeper’s zero-knowledge framework simplifies your compliance journey. Since no one but the end user can decrypt the data, demonstrating control and security during audits is straightforward. Keeper helps organizations meet the stringent requirements of standards like HIPAA, SOC 2, GDPR and others.

Secures data at rest, in transit and in use

With Keeper, encryption and decryption happen locally – on the user’s device – never in the cloud. Data is encrypted using 256-bit AES before it’s stored or synced across devices. Keeper protects all data in transit with an additional AES transmission layer, on top of TLS, to defend against Man-in-the-Middle (MITM) and replay attacks.

Protects privacy at the highest level

Zero knowledge means zero access. Keeper cannot view, share or decrypt your data, not even under subpoena. Because Keeper never has the keys, neither do any infrastructure providers or third-party systems. Your digital privacy is built into the foundation of the platform.

Learn more about Keeper’s security architecture

Keeper’s zero-knowledge encryption is just one part of a multilayered security model designed to protect your data at every level. From client-side encryption to zero-trust access controls, Keeper’s security architecture is engineered to deliver end-to-end security, privacy and compliance at scale.

Frequently asked questions

What is zero-knowledge encryption?

Zero-knowledge encryption is a security model that uses encryption and data segregation to make data breaches irrelevant.

When a software platform is zero knowledge, the user’s data is encrypted and decrypted at the device level, not on the company's servers or in the cloud. The keys to decrypt and encrypt data are derived on the user's device. The application never stores plaintext data, and the provider’s server never receives data in plaintext. Because of this, only the user can decrypt their data, so even if a provider is breached, end users' data is not compromised.

Why is zero knowledge important?

Data stored in applications can contain highly sensitive information: Personally Identifiable Information (PII) about you, your employees and your customers, customer account data and confidential business information. Yet, most users don’t understand how their data is secured or whether their information is stored in a third-party cloud environment.

In the event that a zero-knowledge provider is breached, all of your data remains protected. The keys required to decrypt the information are only available to the user on their device. In addition to protecting end-user data, zero-knowledge security protects organizations against data breaches and simplifies compliance audits.

Is zero knowledge secure?

Yes, zero knowledge is secure. In fact, it’s one of the safest ways to store sensitive data. Without a zero-knowledge architecture, anyone who breaches a cloud provider's servers can access sensitive information such as confidential personal data, business data, employee information and Personally Identifiable Information (PII) belonging to current and previous customers.
