ProductsPassVault
🔑
BetaPassword Manager

PassVault

Zero-knowledge password manager with passkeys, TOTP 2FA, email masking via 47mail, and end-to-end encrypted vault sync across all your devices.

Get Early Access → Security Promise
vault.the47network.com
🔐Vault statusUnlocked ✓
🗝Passwords stored247
📱GitHub — passkey activePasskey
🔑Google — strong passwordTOTP ✓
🎭Amazon — alias emailmask@47m.io
Weak passwords detected3 to fix
🔄Sync statusAll devices
Features

Built different.

🔒

Zero-knowledge vault

Your vault is encrypted with keys only you hold. We store encrypted blobs — we cannot read your passwords even with full database access.

🪪

Passkey support

Go passwordless with FIDO2/WebAuthn passkeys. Works on any device with biometrics — Face ID, Touch ID, Windows Hello.

TOTP 2FA authenticator

Built-in TOTP 2FA authenticator. Your second factor is stored encrypted alongside your passwords — one app, everything.

🎭

47mail aliasing

Generate hide-my-email aliases on signup, directly from the vault. Powered by 47mail — no additional account needed.

🔍

Breach monitoring

Real-time Have I Been Pwned integration monitors your stored emails and passwords for known data breaches.

🔄

Encrypted sync

E2EE vault sync across unlimited devices. Offline mode — your vault works without internet, syncs when you reconnect.

Quick Info
StatusBeta
Domainvault.the47network.com
Auth47ID SSO
Self-hostableYes
Open protocolYes
Open PassVault →
Related Products
47mail🤖 Sven Agent🛡 Trust & Security ← All Products
Trust & Security

Zero-knowledge by default. Client-side encryption. No master keys. GDPR-compliant.

Security Promise →
How It Works

No magic. Just math.

01
🔑

Create your master passphrase

Your master passphrase is hashed client-side with Argon2id. It never leaves your device. We cannot recover it.

02
🔐

Vault encrypted locally

Your vault is encrypted with AES-256-GCM using a key derived from your master passphrase. Only encrypted blobs are synced.

03

Encrypted blobs synced

Only ciphertext hits our servers. No plaintext, no keys, no metadata in the clear. Sync is end-to-end secure.

04
📱

Decrypt on any device

Your device decrypts the vault locally using your master passphrase. Biometric unlock is a local convenience layer.

Technical Specs

Under the hood.

EncryptionAES-256-GCM
Key derivationArgon2id (t=3,m=64MB)
Passkey standardFIDO2 / WebAuthn
TOTP algorithmRFC 6238 TOTP
Breach APIHaveIBeenPwned (k-anon)
SyncE2EE, zero-knowledge
Offline modeFull vault access
DevicesUnlimited
Self-hostableYes
Auth47ID SSO + passkey
Pricing

Simple, transparent pricing.

No hidden fees. No automatic upsell. Cancel any time.

Personal
Free
forever

Zero-knowledge vault for individuals. Unlimited passwords, zero cost.

  • Unlimited passwords
  • Unlimited devices
  • TOTP authenticator built-in
  • FIDO2 passkey MFA
  • Secure notes & cards
Get started
Family
3
/month for 6 users

Shared vaults with granular permissions. Emergency access built in.

  • Everything in Personal ×6
  • Shared collections
  • Granular permissions
  • Emergency access system
  • 1GB encrypted attachments
Get started
Self-Hosted
Free
open source

Run PassVault on your own server. Docker Compose or Kubernetes.

  • Unlimited users
  • Your server, your data
  • Docker Compose + Helm
  • LDAP/AD sync
  • All paid features included
Get started
FAQ

Questions answered.

No — by design. Your master password never leaves your device. All encryption is performed client-side using AES-256-GCM with keys derived via Argon2id. Our servers store only ciphertext.
Because we have no master keys, we cannot recover your vault. This is deliberate — it means we also can't be compelled to hand over your data. Set up Emergency Access with a trusted contact as a recovery path.
You designate a trusted contact. They can request access if you're incapacitated. You have a configurable waiting period (1–90 days) to deny it. The handshake doesn't require sharing your master password.
PassVault can import Bitwarden exports directly. The self-hosted API surface is substantially Bitwarden-compatible, so most Bitwarden clients will work.
Functionally identical — same codebase, same encryption. Self-hosted means your encrypted data lives on your server, not ours. Both are zero-knowledge.

Ready to take control?

Get early access to PassVault — or explore the full 47Network ecosystem.

Get Access → All Products
Deployment scenarios

When teams choose PassVault.

PassVault fits teams that have outgrown browser-saved passwords but aren't ready to deploy Bitwarden or 1Password for Business.

SCENARIO 01

Remote-first teams

Teams where credentials are shared across contractors, part-time staff, and multiple timezones. PassVault's shared vault with granular access control means a contractor gets exactly the credentials they need — and loses access the moment their engagement ends.

SCENARIO 02

Regulated sectors

Healthcare, legal, and finance organisations with audit requirements. Every credential access is logged, timestamped, and exportable. GDPR breach notifications can reference exactly which credentials were in scope.

SCENARIO 03

Individuals stepping up

Power users who have graduated from a single browser's password manager but don't need enterprise fleet management. PassVault's zero-knowledge sync works across all devices without trusting the server — ever.

SCENARIO 04

Teams already using 47mail

PassVault integrates with 47mail to generate per-service alias email addresses from within the vault. One credential entry, one alias, zero email tracking across accounts.

From the blog

Further reading.

Technical deep-dives on the architecture and decisions behind PassVault.

Jan 14, 2026 · 10 min read

How PassVault achieves zero-knowledge: architecture deep-dive

The exact cryptographic construction — Argon2id key derivation, AES-256-GCM encryption, and why no master key exists.

Read →
Feb 24, 2026 · 10 min read

Argon2id vs bcrypt vs scrypt: choosing a password hashing algorithm

PassVault uses Argon2id with 256 MiB memory cost for master password derivation. Here's why Argon2id won and how to tune it.

Read →
Feb 24, 2026 · 12 min read

Building a tamper-proof audit trail

Every PassVault credential access is logged in an append-only audit trail with SHA-256 chaining. How the forensic audit log architecture works across all 47Network products.

Read →
Feb 24, 2026 · 12 min read

Passkeys and WebAuthn in 2026: implementation guide

WebAuthn registration and authentication flows, cross-device passkeys, and how PassVault integrates device passkeys as a second factor alongside Argon2id vault encryption.

Read →
February 25, 2026 · 11 min

JWT and Token Authentication: A Practical Security Guide

PassVault uses short-lived JWTs (15 min) issued by 47ID/Keycloak with RS256 signing — token validation against the JWKS endpoint, no secret sharing, and revocation for vault operations.

Read →