DEV Community

Ivan

A Password Manager That Doesn’t Trust Its Own Server

Most password managers say they are secure.

But very few are built on a simple idea:

The server should not be able to read your data at all.

I recently started using a tool called Lockly — a password manager built with a zero-knowledge architecture.

Lockly focuses on doing one thing right: secure storage and synchronization of sensitive data.

No big launch. No marketing noise.

Just quietly released.

What makes it different

The core idea is zero-knowledge architecture.

All sensitive data is encrypted on the client side, before it ever leaves your device.

The server only stores ciphertext.

It never receives the key, so it has no ability to decrypt anything.

How it works (simplified)

The encryption flow looks like this:

  • You have a secret phrase
  • It is run through Argon2id, a memory-hard key derivation function
  • The result is a strong encryption key that never leaves your device
  • Data is encrypted with AES-256-GCM, an authenticated mode, so modified ciphertext fails to decrypt instead of quietly yielding garbage
  • Only the encrypted data is sent to the server

Even if someone gets full access to the database:

→ they only see encrypted blobs

Without your secret phrase, those blobs are useless to them. The only attack left is guessing the phrase offline against the stored blobs, which is exactly what Argon2id's memory and time cost is there to make expensive, so the strength of the phrase still matters.

What is actually encrypted

Everything that matters:

  • logins
  • passwords
  • URLs
  • notes

There is no “partial protection” — it’s all encrypted before sync.

Local-first approach

Another interesting part — it’s offline-first.

The app stores data locally in the browser (IndexedDB), encrypted as well.

This gives you:

  • instant access without waiting for the network
  • full functionality offline
  • background sync once you are back online

Sync without trust

Synchronization is handled separately:

  • local changes are queued
  • when online — pushed to server
  • remote updates are pulled back

The backend only coordinates this process.

It does not participate in decryption. Like any sync server, it can still see metadata such as how many records exist, how large they are, and when they change, which is worth keeping in mind when reading "zero-knowledge".
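The queue, push, and pull described above, as a constructed in-memory model added here (not Lockly's code; the per-record version numbers and the compare-and-swap style push are assumptions about the protocol, not anything the post states). Blobs are opaque strings standing in for the ciphertext produced on the client. The point it makes is that the server side touches only blobs and version numbers, and that the client still needs its own version check, because a server that cannot decrypt can still hand back an older blob.

```javascript
'use strict';

// Constructed model of the sync loop, not Lockly's code. Blobs are opaque
// strings here (the ciphertext from the client-side layer); the server never
// parses them. Per-record versions and compare-and-swap pushes are assumed.

class BlindServer {
  constructor() {
    this.records = new Map();  // id -> { version, blob }
  }
  // Accept a push only if the client built it on the version currently held.
  push(id, baseVersion, blob) {
    const current = this.records.get(id);
    const currentVersion = current ? current.version : 0;
    if (baseVersion !== currentVersion) {
      return { ok: false, version: currentVersion, blob: current ? current.blob : null };
    }
    const record = { version: currentVersion + 1, blob };
    this.records.set(id, record);
    return { ok: true, version: record.version };
  }
  pull(id) {
    const r = this.records.get(id);
    return r ? { version: r.version, blob: r.blob } : null;
  }
  // Test hook: simulate a compromised or stale server serving an older blob.
  serveStale(id, version, blob) {
    this.records.set(id, { version, blob });
  }
}

class OfflineFirstClient {
  constructor(server) {
    this.server = server;
    this.online = false;
    this.local = new Map();  // id -> { version, blob }; stands in for IndexedDB
    this.queue = [];         // pending pushes, drained when online
  }
  // Local write: applied immediately, queued for sync. Repeated offline edits
  // of one record are coalesced so only the latest blob is pushed.
  save(id, blob) {
    const cur = this.local.get(id);
    const baseVersion = cur ? cur.version : 0;
    this.local.set(id, { version: baseVersion, blob });
    const pending = this.queue.find((op) => op.id === id);
    if (pending) pending.blob = blob;
    else this.queue.push({ id, baseVersion, blob });
    return this.online ? this.flush() : [];
  }
  goOnline() {
    this.online = true;
    return this.flush();
  }
  // Push queued changes; return the ones the server rejected as conflicts
  // so the caller can decrypt both sides and merge.
  flush() {
    const conflicts = [];
    while (this.queue.length > 0) {
      const op = this.queue.shift();
      const res = this.server.push(op.id, op.baseVersion, op.blob);
      if (res.ok) {
        this.local.set(op.id, { version: res.version, blob: op.blob });
      } else {
        conflicts.push({ id: op.id, localBlob: op.blob, remoteVersion: res.version, remoteBlob: res.blob });
      }
    }
    return conflicts;
  }
  // Pull one record. The server cannot read blobs, but it can replay an old
  // one; the monotonic version check is what catches that.
  pull(id) {
    const remote = this.server.pull(id);
    const local = this.local.get(id);
    if (!remote) return local ? local.blob : null;
    if (local && remote.version < local.version) {
      throw new Error(`rollback detected for ${id}: server ${remote.version} < local ${local.version}`);
    }
    if (!local || remote.version > local.version) {
      this.local.set(id, { version: remote.version, blob: remote.blob });
    }
    return this.local.get(id).blob;
  }
}
```

Conflict resolution is deliberately left to the caller: the client is the only party holding a key, so merging two versions of a record has to happen after decryption on the client, never on the server.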

Why browser-based actually matters

There’s no heavy client installation required.

You can use it directly from a browser.

Even in incognito mode.

That means:

  • nothing persistent on the machine (if you don’t want it)
  • no obvious installed app
  • works across devices instantly

Depending on your threat model, this is either a convenience or an extra layer of operational security. The trade-off that comes with any browser-delivered zero-knowledge app is that the code doing the encryption is fetched from the server on every load, so you are still trusting whoever serves that JavaScript not to change it. And since incognito mode discards site data, including IndexedDB, when the session ends, the local vault is gone afterwards and is rebuilt from the server next time.

Why I’m sharing this

I’ve tried a lot of password managers.

Most of them are:

  • overloaded
  • too “cloud-dependent”
  • or require trusting the backend too much

This one is different.

It’s minimal, but it gets the fundamentals right:

  • encryption before transport
  • zero-knowledge backend
  • simple and predictable sync

This makes Lockly a practical solution for users who care about privacy and control, and honestly, that’s what matters most.

Final thought

Security is not about features.

It’s about what the system is fundamentally capable of doing.

And in this case:

The server is fundamentally incapable of reading your data.

If you're curious, I can share more details about the architecture or setup.
