
Understanding Your Security

GBpass protects your data with a two-part security model. Here is what you need to know to keep your account safe.


Part 1

Secret Key

Your Secret Key is a unique 34-character code that is generated automatically when you create your account. It is combined with your Master Password to produce the key that encrypts your data. Because it is long and random, an attacker who obtained a copy of your encrypted vault from our servers could not recover the key by guessing: they would have to guess the Secret Key as well as your Master Password, and guessing a random 34-character code is not practical. That is the protection it adds in the unlikely event of a server breach.

You should store your Secret Key somewhere safe, such as in a printed copy kept in a secure location. We do not have access to your Secret Key, which means only you can unlock your data.


Keep it safe. Store a printed copy of your Secret Key in a secure physical location — a safe, lockbox, or secure drawer. If you lose both your Secret Key and your recovery options, we cannot restore access to your account.


Part 2

Master Password

Your Master Password is the password you create and use every time you sign in. It should be strong, memorable, and known only to you. A good Master Password is typically long, uses a mix of unrelated words or characters, and avoids anything easily guessed like birthdays or common phrases.

Your Secret Key and Master Password guard against different failures. The Secret Key is kept on the devices you have already signed in on, so it protects you if a copy of your encrypted data is stolen from our servers. Your Master Password is never stored anywhere, so it protects you if one of your devices is lost or stolen. We never store or transmit your Master Password, which is why you must remember it: if you forget it, we cannot recover it for you.

Tips for a strong Master Password

  • Use a long passphrase of three or more unrelated words; length does more for strength than any other property
  • Add numbers or symbols only if they do not make it harder to remember; a longer passphrase is worth more than a shorter one with symbols
  • Avoid birthdays, names, or anything that someone who knows you or searches for you could guess
  • Write it down and keep it in a secure physical location, apart from your Secret Key

Your Two-Part Security Model

Together, your Secret Key and Master Password form a two-part security model. Both are required to access your account on a new device, ensuring that no single piece of information is enough to compromise your data.

Keep them both safe, keep them separate, and never share them with anyone — not even with GBpass support.


How Your Data Is Encrypted

AES-256 Encryption

Every piece of data you store in GBpass, including your passwords, usernames, notes, and other vault items, is encrypted with AES-256 (the Advanced Encryption Standard with a 256-bit key). AES is the cipher standardised by NIST in FIPS 197 and used across government and industry to protect sensitive information; after more than two decades of public analysis, no practical attack on the cipher itself is known. In practice the cipher is not where an attacker looks: the weak points are the key derivation and the password behind it, which is why how the key is derived matters as much as which cipher is used.

The key that encrypts your vault is derived from your Master Password and your Secret Key with PBKDF2, a key derivation function that runs its hashing step many thousands of times so that each guess costs real computation. PBKDF2 also takes a salt, so identical passwords on different accounts produce different keys and no precomputed table helps. The effect is that someone who obtained your encrypted vault could not read it without both your Master Password and your Secret Key, and because the Secret Key is 34 random characters, working through guesses would take far longer than is practical even with specialised hardware.

Encryption happens entirely on your device before any data is sent to our servers. Our servers only ever receive and store your vault in its encrypted form. We have no way to decrypt your data, and neither does anyone else — not even GBpass employees. Your plaintext passwords exist only on your own devices, never on ours.

  • AES-256 encryption (256-bit key)
  • Unique encryption key derived per account
  • Encrypted before leaving your device


How Sign-In Works

Secure Remote Password (SRP) Protocol

When you sign in, we use a security protocol called SRP (Secure Remote Password) to verify your identity. SRP is a special authentication method that allows you to prove you know your Master Password without ever actually sending it to our servers. Instead of transmitting your password over the internet, SRP uses a series of mathematical exchanges between your device and our server so that both sides can confirm you are who you say you are — all without exposing your actual credentials during the process.

This means that even if someone intercepted the traffic between your device and our server, they could not extract your Master Password, or anything that lets them guess it offline, from the data exchanged. Traditional login systems send the password to the server to be checked against a stored copy. With SRP, the server holds only a verifier, a value computed on your device once, when the account is created, that cannot be turned back into your password; during sign-in your device proves it knows the password by arithmetic on that verifier, and the password itself is never sent. Our server never receives, stores, or even briefly handles your Master Password at any point.

By using SRP we remove the most common ways online authentication fails. A breach of our servers does not yield passwords, because we do not have them; what it would yield is verifiers, which cannot be replayed as a password and are only useful to an attacker for trying guesses against a weak Master Password, one more reason to choose a strong one. An attacker who records or tampers with the exchange learns nothing that lets them recover the password or the resulting session key, and because the proof runs in both directions, your device can also tell that it is talking to the genuine GBpass server. Your credentials stay on your device where they belong.

  • Your password never leaves your device
  • A server breach does not expose your password
  • An eavesdropper learns nothing usable from the sign-in exchange


Our Privacy Guarantee

Zero-Knowledge Encryption

We use a security approach called Zero-Knowledge Encryption, which means that we have absolutely no way to see, access, or read your stored data. Your information is encrypted on your device before it is sent to our servers, and only you hold the keys — your Master Password and Secret Key — needed to decrypt it. We never receive or store these keys, so even our own team cannot view your data at any point. In simple terms, we protect your information without ever knowing what that information is.

This holds even in the worst case, such as a breach of our servers or an unauthorized attempt to access our systems: what we hold is ciphertext, and without your keys it is unreadable to anyone, including us. Because we have no knowledge of your encryption keys, there is nothing readable we could hand over or expose, even if compelled to do so. Your data is yours alone, and no one else can unlock it.

Zero-Knowledge Encryption means you do not have to take our word for it that your data is safe: the design makes our access to it impossible rather than merely forbidden. Your privacy is not just a policy we follow; it is built into the architecture of how your data is stored and protected. What you do still rely on is the GBpass app itself, since it is the code on your device that performs the encryption, which is why keeping it up to date matters.

  • We cannot read your data, ever
  • No encryption keys are stored on our servers
  • Protected even against a server breach