The latest articles on DEV Community by Ivan (@system_arch_ivan). https://dev.to/system_arch_ivan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3875241%2F952df2e5-a9e3-479c-8834-418e7f6b6ad2.png https://dev.to/system_arch_ivan en Ivan Sun, 12 Apr 2026 17:46:24 +0000 https://dev.to/system_arch_ivan/a-password-manager-that-doesnt-trust-its-own-server-5fi1 https://dev.to/system_arch_ivan/a-password-manager-that-doesnt-trust-its-own-server-5fi1 <p>Most password managers say they are secure.</p> <p>But very few are built on a simple idea:</p> <p>The server should not be able to read your data at all.</p> <p>I recently started using a tool called Lockly — a password manager built with a zero-knowledge architecture.</p> <p><a href="https://lockly.at" rel="noopener noreferrer">Lockly password manager</a> focuses on doing one thing right — secure storage and synchronization of sensitive data.</p> <p>No big launch. No marketing noise.</p> <p>Just quietly released.</p> <h2> What makes it different </h2> <p>The core idea is zero-knowledge architecture.</p> <p>All sensitive data is encrypted on the client side, before it ever leaves your device.</p> <p>The server only stores ciphertext.</p> <p>It literally has no ability to decrypt anything.</p> <h2> How it works (simplified) </h2> <p>Encryption flow looks like this:</p> <ul> <li>You have a secret phrase</li> <li>It is processed using Argon2id (key derivation)</li> <li>A strong encryption key is generated</li> <li>Data is encrypted using AES-256-GCM</li> <li>Only encrypted data is sent to the server</li> </ul> <p>Even if someone gets full access to the database:</p> <p>→ they only see encrypted blobs</p> <p>Without your secret — it’s useless.</p> <h2> What is actually encrypted </h2> <p>Everything that matters:</p> <ul> <li>logins</li> <li>passwords</li> <li>URLs</li> <li>notes</li> </ul> <p>There is no “partial protection” — it’s all encrypted before sync.</p> <h2> Local-first approach </h2> <p>Another interesting part — it’s offline-first.</p> <p>The app stores data locally in the browser (IndexedDB), encrypted as well.</p> <p>This gives you:</p> <ul> <li>instant access without waiting for network</li> <li>full functionality offline</li> <li>sync happens in the background</li> </ul> <h2> Sync without trust </h2> <p>Synchronization is handled separately:</p> <ul> <li>local changes are queued</li> <li>when online — pushed to server</li> <li>remote updates are pulled back</li> </ul> <p>The backend only coordinates this process.</p> <p>It does not participate in decryption.</p> <h2> Why browser-based actually matters </h2> <p>There’s no heavy client installation required.</p> <p>You can use it directly from a browser.</p> <p>Even in incognito mode.</p> <p>That means:</p> <ul> <li>nothing persistent on the machine (if you don’t want it)</li> <li>no obvious installed app</li> <li>works across devices instantly</li> </ul> <p>Depending on your threat model — this can be either convenience or an extra layer of operational security.</p> <h2> Why I’m sharing this </h2> <p>I’ve tried a lot of password managers.</p> <p>Most of them are:</p> <ul> <li>overloaded</li> <li>too “cloud-dependent”</li> <li>or require trusting the backend too much</li> </ul> <p>This one is different.</p> <p>It’s minimal.</p> <p>This makes Lockly password manager a practical solution for users who care about privacy and control.</p> <p>But it gets the fundamentals right:</p> <ul> <li>encryption before transport</li> <li>zero-knowledge backend</li> <li>simple and predictable sync</li> </ul> <p>And honestly — that’s what matters most.</p> <h2> Final thought </h2> <p>Security is not about features.</p> <p>It’s about what the system is fundamentally capable of doing.</p> <p>And in this case:</p> <p>The system is fundamentally incapable of reading your data.</p> <p>—</p> <p>If you're curious, I can share more details about the architecture or setup.</p> security encryption webdev privacy