How Safe Protects Your Passwords
Safe uses end-to-end encryption — your passwords are encrypted on your device before they ever leave it. Nobody else can read them: not us, not your cloud provider, not anyone who might intercept the data in transit.
Your master password is the key
When you create a master password, Safe uses it to derive an encryption key. This key encrypts your entire database using AES-256, the same standard used by banks and governments worldwide. The encrypted database file is stored on your device — even if someone gets physical access to your phone or computer, they can't read anything without your master password.
Your master password never leaves your device. Safe does not send it to any server, does not store it anywhere, and has no way to recover it. This is intentional — it means that even if someone broke into our systems, there would be nothing useful to steal.
Your cloud copy is unreadable without your password
When your encrypted database is stored in Google Drive, Dropbox, or any other cloud provider, it looks like a block of random bytes — completely unreadable without your master password. This is sometimes called "zero-knowledge" encryption.
The cloud provider only stores the encrypted file. They have no way to decrypt it. Even if your Google account were compromised, the attacker would get an encrypted blob they cannot open.
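The flow described in the two sections above, as an added Node.js example that is not Safe's own code: a key is derived from the master password on the device, and the database is encrypted with AES-256 before anything is handed to cloud storage. The page does not name Safe's key-derivation function or AES mode, so scrypt, AES-256-GCM, the blob layout and the function names here are assumptions.

```javascript
// Added example, not Safe's code. Assumptions: scrypt as the KDF, AES-256-GCM
// as the mode, and the blob layout below; the page specifies none of these.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// scrypt cost settings (assumed); maxmem is raised so N = 2^15 fits.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the master password and a per-database salt.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword.normalize('NFKC'), salt, 32, SCRYPT);
}

// Encrypt on the device. Output: salt(16) | nonce(12) | tag(16) | ciphertext.
// Only this blob is uploaded; the password and the derived key stay local.
function sealDatabase(masterPassword, plaintext) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // fresh nonce for every save
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ciphertext]);
}

// Decrypt a downloaded blob. Returns null when the password is wrong or the
// blob was modified: in both cases the GCM tag check in final() fails.
function openDatabase(masterPassword, blob) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  } catch {
    return null;
  }
}
```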
Biometric unlock (Face ID, fingerprint)
Biometrics unlock the app, but they don't replace your master password. When you enable Face ID or fingerprint unlock, your master password is stored in the device's hardware-backed secure storage (iOS Keychain / Android Keystore). The biometric scan releases it, but the master password is still doing the actual decryption.
This means biometric unlock is as secure as the hardware security of your device.