Recrypt Security: Deep Dive

Key Features

  • 01Overview
  • 02Zero-Knowledge Protocol
  • 03Military Grade Encryption
  • 04Digital Organisation Structure
  • 05Granular Control & Monitoring
  • 06Compliance

01Overview

As developers ourselves, we understand the importance of keeping your credentials and personal information secure and away from prying eyes.

At Recrypt Ltd, we take the protection of your data seriously and we understand that it can be a daunting prospect switching to a new password manager or even starting to use one. To help you understand the steps we’re taking to protect your personal and business data, we’ve provided an overview of each security and encryption method that Recrypt makes use of.

You can also review our Privacy Policy, and Terms of Use here.

02Zero-Knowledge Protocol

We want you to have full control over how your personal information is managed and where it is stored. Recrypt is a zero-knowledge password manager, meaning none of your un-encrypted personal information actually leaves your workstation. Encryption & decryption happen locally, meaning there’s no chance of your plain-text secret being intercepted by unauthorised third parties.

Once your secret has been encrypted and converted into ciphertext, this is then stored on a server so that it can be shared amongst your team members. In the event your ciphertext was intercepted, there would be nothing a third-party could do with that information due to its dependencies on data stored only on your machine. This is why we make use of a blend of industry-standard symmetric and asymmetric encryption standards, which require data stored only on your machine. This data also needs to go through its own decryption process which is only ever done on your computer.

03Military Grade Encryption

When you enter a secret into Recrypt, PBKDF2 is applied to your plain-text password and email address to generate a cryptographic key for the Advanced Encryption Standard (AES-256) – this is also called the ‘master key’. Once this has been done, the key is repeatedly hashed using the Secure Hashing Algorithm 2 (SHA-256) standard with a 256-bit length key. The output of this function is the ciphertext representing your secret. In addition to using a hashing function on your credentials, your password is also ‘salted’, whereby an additional value is added to the end of the ciphertext to completely change its value. Salting a password helps to prevent rainbow table attacks by unauthorised entities. This ciphertext is then pushed to the server for storage. As SHA-256 is a ‘one-way’ encryption method, even if it were to be intercepted whilst being uploaded, there is no way it can be decrypted – it’s completely useless.

Whenever you share a password, you are simply sharing the ciphertext on the server – encrypting and decrypting your password happens on your machine. Once you want to decrypt a password, the ciphertext is transferred to your workstation. Recrypt uses a further two-levels of encryption – AES-256 and RSA-OAEP. The next two steps make use of both public and private keys as part of asymmetric cryptographic protocols. Firstly, AES-256 takes your ciphertext (or master key) and uses that to decrypt your private key. This is needed to decrypt your secret. Once the decrypted private key is available, RSA-OAEP is used to decrypt your secret. Your public key, private key and ciphertext are then applied to the RSA algorithm which decrypts your secret back to plain-text. Once finished, RSA then re-encrypts the plain-text secret by generating incredibly large numbers by multiplying these values together in a specific sequence.

RSA-OAEP, AES-256 and PBKDF2 are industry-standard cryptographic protocols that are used by government and military organisations. RSA requires a private key which is only known to your machine and AES requires a master key, generated by using PBKDF2. Without your private key, third-parties cannot decrypt a secret meaning your secrets are safe with us!

04Digital Organisation Structure

Whilst secret sharing helps you to give your users quicker access, it can often make user permissions difficult to manage. As software developers ourselves, we understand the importance of working as a team and having everything available for each team member. That’s why in Recrypt, you’re not just sharing your secrets with a group, you’re sharing the secret with a team.

As an administrator, you have the ability to group users together by teams to accurately reflect the structure of your business. With teams, you’ll be able to share specific secrets to all members in the team or even create specific chests that are only accessible through your team – an extra level of security!

05Granular Control & Monitoring

Recrypt offers three main profiles – Standard User, Administrator and Organisation Owner. Administrators and Organisation Owners have full access to a unique ‘Admin Area’ in Recrypt, providing both users with full control over security and data integrity. As an administrator, you can specify the permissions of individual users within each team, providing a granular level of user management to ensure your secrets can only be edited by those with permission. Not only are you able to structure your business within Recrypt, but have access controls on an individual employee level.

The integrity of your data is vital to you and therefore it’s vital to us. Recrypt offers full audit logs for each and every secret stored within the system. Administrators can view a secret’s history, the user who edited it, its last edit, the date and time of the change and the IP address of the user – it doesn’t get more detailed than that! If you notice that you have a user who’s up to no good, you can block them directly from the user’s profile in the Admin Area.

Secrets stored in a password manager are often crucial to people’s day-to-day lives, whether that be personal of professional. A secret being deleted from the software without authorisation can cause significant disruption, so we’ve taken steps to prevent that. Any user with the relevant permissions can mark a secret as deleted, but it’s just hidden from search results – that’s our soft-delete policy. Administrators and Organisation Owners can review the secrets that have been soft-deleted within each chest. Owners can immediately restore any secrets that have been deleted, or choose to permanently delete them from Recrypt.

The first account to be registered within Recrypt will be classed as the Organisation Owner. In addition to having full access to the Admin Area, owners will be able to manage their billing subscription, add users and even transfer, or delete the organisation from Recrypt. To ensure your payment details are secure, we use Stripe to handle all of your monthly payments. We don’t share any information with Stripe, they simply handle the finances on our behalf. If you would like more information on Stripe’s security, you can visit their dedicated page here.

06Compliance

GDPR Compliant

Recrypt is fully compliant with the GDPR and we are committed to ensuring that we provide the best security provisions possible to protect your data. You can find out more about our compliance with GDPR in our Privacy Policy.

Free

For Individuals

£

0

Start for free

Free includes

25 secrets
1 chest
AES-256 encryption and MFA

Teams Plan

For Business

£

3

/ per user

£3 per user / per month
Billed monthly / cancel anytime

Start your 30-day free trial

Team plan includes

Up to 50 users
Unlimited secrets
Unlimited chests / Team sharing
AES-256 encryption and MFA

Enterprise

Let's talk

Contact Us

Need something a little more bespoke? Get in touch with us to see how we can build a plan just right for you and your team.

Did we miss something?
Contact us today

Learn how Recrypt can support your business – complete the following form if you have any questions about the product and our tech team will offer their support.

hello@recrypt.app
Contact Us