Tech dobz


    Encryption in Zero — How Your Data Stays Safe

    Security is at the core of Zero. Sensitive values are never stored in plain text — they’re encrypted and only decrypted on your device when you choose to view or copy them.

    Even if someone gets your files, they cannot read encrypted fields without your secret.


    What “encrypted” means in Zero

    • Encrypted at rest: Protected on disk inside your vault files.
    • Decrypted on demand: Unlocked only when you click to view/copy.
    • You hold the key: Access is derived from your master password (or a recovery kit you created).

    Important: Only fields you mark as encrypted are encrypted. This gives you control over what’s protected.


    The master password

    Your master password unlocks encrypted content in the current session.

    • Required to reveal or copy encrypted values.
    • The decryption key is kept in memory for the session and isn’t written to disk.
    • You must remember it — without it (or a recovery kit you created earlier), encrypted data cannot be opened.

    Recovery kit (optional but strongly recommended)

    Zero supports an optional recovery kit that you generate while logged in. If you later forget your password, the kit can restore access and let you set a new password — without re-encrypting all your data.

    How the recovery kit works
    • You create a kit from the Account Recovery panel (download a small JSON file or copy a code).
    • The kit can unlock your vault’s encryption key on this device. It does not contain your data.
    • Keep it offline and private (e.g., password manager, USB, printed QR). Anyone with it can unlock your data.

    If you never created a recovery kit and forget your password, the encrypted fields are unrecoverable.

    Rotate, test, or disable the kit
    • Rotate to replace the kit (the old one becomes invalid).
    • Test confirms your saved kit is valid (without changing anything).
    • Disable removes recovery from the vault metadata; you can re-enable later by creating a new kit.
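
A common way to get the behaviour described above (a kit that restores access and allows a new password without re-encrypting data) is to wrap one vault key twice: once under a password-derived key and once under the kit secret. The following is an added example, not Zero's code. The slot layout, function names, PBKDF2 parameters and the HMAC-based wrap (a standard-library stand-in for AES-GCM or AES key wrap) are all assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # constructed value, not a documented Zero setting

def password_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def prf(kek: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(kek: bytes, vault_key: bytes) -> bytes:
    # Encrypt-then-MAC over a 32-byte key (assumed stand-in for a real AEAD).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, prf(kek, b"pad", nonce)))
    return nonce + ct + prf(kek, b"tag", nonce + ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(kek, b"tag", nonce + ct)):
        raise ValueError("wrong password or kit, or modified metadata")
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"pad", nonce)))

def create_vault(password: str):
    vault_key = os.urandom(32)  # encrypts the fields; stays the same for life
    salt = os.urandom(16)
    meta = {"salt": salt, "kit_slot": None,
            "pw_slot": wrap(password_kek(password, salt), vault_key)}
    return meta, vault_key

def unlock(meta: dict, password: str) -> bytes:
    return unwrap(password_kek(password, meta["salt"]), meta["pw_slot"])

def create_kit(meta: dict, vault_key: bytes) -> bytes:
    # Also serves as "rotate": overwriting kit_slot invalidates the old kit.
    kit = os.urandom(32)  # the secret the user stores offline
    meta["kit_slot"] = wrap(kit, vault_key)
    return kit

def kit_is_valid(meta: dict, kit: bytes) -> bool:
    # "Test": try the kit against the metadata without changing anything.
    try:
        return bool(unwrap(kit, meta["kit_slot"] or b""))
    except ValueError:
        return False

def recover(meta: dict, kit: bytes, new_password: str) -> bytes:
    vault_key = unwrap(kit, meta["kit_slot"] or b"")
    meta["salt"] = os.urandom(16)
    meta["pw_slot"] = wrap(password_kek(new_password, meta["salt"]), vault_key)
    return vault_key
```

In this model, disabling recovery corresponds to clearing `kit_slot`. None of these operations touch the encrypted field data, only the small wrapped-key metadata.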

    What gets encrypted

    • Text fields you flag as encrypted (e.g., passwords, private notes, recovery phrases).
    • File fields when encryption is enabled for that field (works for files stored on disk or inside the DB).
    • Any custom field you mark as encrypted in the schema.

    Unencrypted fields remain visible and searchable like normal.

    Field                 | Encrypted? | Visible by default?
    ----------------------|------------|--------------------------------
    Password (encrypted)  | Yes        | No — click to reveal/copy
    Notes (not encrypted) | No         | Yes
    File (encrypted)      | Yes        | No — download/view after unlock

    How decryption works (at a glance)

    1. You click view or copy on an encrypted field.
    2. Zero uses your active session key (derived from your password or recovery kit).
    3. The value is decrypted locally and shown/copied briefly, then hidden again.

    When you restart the app, you’ll sign in again to unlock encrypted fields.


    Encrypted files

    • File fields can be stored in the database (best for small files) or on disk under your local /media folder.
    • If the field is marked encrypted, the file content is encrypted and only decrypted on access.
    • Text-like files (e.g., recovery codes) can be previewed directly; binaries are downloaded securely.

    Backups and encryption

    • Backups include your vault databases (and, optionally, media). Encrypted fields inside remain encrypted.
    • Restoring a backup does not weaken protection; you still need your password or recovery kit to view encrypted values.

    Why Zero avoids the cloud

    Zero is local-first by design. Vaults are stored as .db files on your device; there are no background syncs or uploads. You decide how and where to back up.
