2026-06-20

What zero-knowledge password storage means

“Zero-knowledge” sounds like marketing until you look at what it actually requires. It means the service that stores your passwords cannot read them — not that it won’t, that it can’t.

Here is the mechanic. Your secrets are encrypted on your own device with a key derived from a Master Password that never leaves it. The server only ever receives ciphertext: a scrambled blob it holds no key to open.

That is different from “encrypted at rest,” which nearly every service advertises. Encrypted at rest means the provider holds the keys and could decrypt your data — to display it, to answer a legal request, or in the worst case if an attacker reaches their key store. Zero-knowledge takes the provider out of the trust equation entirely.

The trade-off is honest and worth understanding up front: if the provider can’t decrypt your data, it also can’t recover it. Forget your Master Password and there is no reset link that brings your vault back. The same property that protects you from the provider means the provider can’t rescue you — so write your Master Password down and keep it somewhere safe.

For a password manager, that is the right trade. You are storing the keys to everything else; the one thing you cannot afford is a vendor that can quietly open the box.