Encryption before storage
When you create or update a secret, PassHero encrypts the sensitive value before it is saved. The API receives encrypted payloads, IVs, and encrypted keys rather than plain-text secret values.
That pattern applies across supported secret types, including login details, notes, simple secrets, and payment card details. The vault can show useful labels without exposing the protected value.
Encryption before sharing
Sharing is also handled through encryption. When you share with another PassHero user, the client encrypts the secret for the recipient using their public key so the recipient can decrypt it on their own device.
This avoids the common habit of copying passwords into email, chat, tickets, or documents. PassHero keeps sharing inside the vault and gives the owner controls for access level and removal.
What the server still does
The PassHero service still has important jobs: authentication, account state, subscription state, sharing records, and encrypted payload storage. End-to-end encryption does not mean there is no server.
It means the most sensitive content is protected before the server handles it, which is the security boundary a password manager should care about most.
How this shows up in PassHero
Secret encryption happens in client code before mutations are sent.
Shared secret updates re-encrypt values for authorised recipients.
The app uses browser cryptography for payload encryption and key wrapping.
Secret reveal flows decrypt values only when the user requests access.
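The encrypt-then-wrap pattern described above, sketched with the Web Crypto API as an added example; it is not PassHero's code. AES-256-GCM, RSA-OAEP, the record layout and every function name are assumptions, since the page does not name its algorithms or formats.

```javascript
// Added example. AES-256-GCM, RSA-OAEP and every name below are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;
const RSA = { name: 'RSA-OAEP', modulusLength: 2048,
              publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };

// Per-user key pair; the private key is non-extractable and stays on the device.
const newUserKeyPair = () => subtle.generateKey(RSA, false, ['wrapKey', 'unwrapKey']);

// Client side: fresh data key and IV per write, data key wrapped once per recipient.
async function encryptSecret(plaintext, recipients) {   // recipients: { userId: publicKey }
  const dataKey = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await subtle.encrypt({ name: 'AES-GCM', iv }, dataKey,
                                          new TextEncoder().encode(plaintext));
  const encryptedKeys = {};
  for (const [userId, publicKey] of Object.entries(recipients)) {
    encryptedKeys[userId] = await subtle.wrapKey('raw', dataKey, publicKey, { name: 'RSA-OAEP' });
  }
  return { iv, ciphertext, encryptedKeys };   // everything the API would receive
}

// Client side: unwrap this user's copy of the data key, then decrypt and authenticate.
async function decryptSecret(record, userId, privateKey) {
  const wrapped = record.encryptedKeys[userId];
  if (!wrapped) throw new Error(`no encrypted key for ${userId}`);
  const dataKey = await subtle.unwrapKey('raw', wrapped, privateKey, { name: 'RSA-OAEP' },
                                         { name: 'AES-GCM' }, false, ['decrypt']);
  const plain = await subtle.decrypt({ name: 'AES-GCM', iv: record.iv }, dataKey, record.ciphertext);
  return new TextDecoder().decode(plain);
}

// Resolves to true when the given promise rejects, false when it succeeds.
const fails = (p) => p.then(() => false, () => true);

async function demo() {
  const [owner, friend] = await Promise.all([newUserKeyPair(), newUserKeyPair()]);
  const shared = await encryptSecret('constructed-sample-password',   // constructed value
                                     { owner: owner.publicKey, friend: friend.publicKey });
  // Update after the owner removes the friend: re-encrypt for the remaining recipient only.
  const updated = await encryptSecret('constructed-rotated-password', { owner: owner.publicKey });
  return {
    ownerReads: await decryptSecret(shared, 'owner', owner.privateKey),
    friendReads: await decryptSecret(shared, 'friend', friend.privateKey),
    wrongKeyFails: await fails(decryptSecret(shared, 'owner', friend.privateKey)),
    removedFriendFails: await fails(decryptSecret(updated, 'friend', friend.privateKey)),
    ownerReadsUpdate: await decryptSecret(updated, 'owner', owner.privateKey),
  };
}
```

In this sketch the earlier `shared` record stays decryptable with the friend's key, so removal depends on the server no longer returning that record and on the next update being encrypted for the remaining recipients only.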
FAQ
What types of data are encrypted?
Sensitive secret values such as passwords, notes, and card numbers are encrypted before storage. Some non-sensitive labels may remain available so the vault can be searched and organised.
Can encrypted sharing still be revoked?
PassHero lets owners remove shared access records so the recipient no longer has active access through the vault.
