How it works
Account recovery
True end-to-end encryption usually means “lose your device, lose your account.” Privex offers recovery — without ever letting the server recover your keys for you.
If you want to recover with a password, here’s the trick: the server is built so it never sees your password, not even hashed. It’s mathematically blind to it — so stealing the whole database still doesn’t let anyone guess passwords against it offline, unless they also steal a second secret kept elsewhere. You can also split a recovery key among trusted friends, or write down a 24-word phrase.
Four independent paths, all zero-knowledge to the live server. OPAQUE (Ristretto255 OPRF + Argon2id) stores an OPRF record + an encrypted envelope — never a password-derived value. Shamir shares are sealed to trustees’ keys (storage live; retrieval deferred). A BIP-39 seed regenerates the identity deterministically. Multi-device linking transfers keys device-to-device over an encrypted channel.
OPAQUE, step by step
Wraps your key material in an encrypted envelope whose key is derived from your password via an oblivious protocol.
Stores an OPRF record + the envelope + a MAC — no password, no password hash, nothing password-derived.
On a new device, runs a short-lived login (opq:<hmac>, 120 s), returning dummy envelopes for accounts that don’t exist (anti-enumeration).
Completes the OPAQUE exchange, decrypts the envelope with the password-derived key, and recovers the master seed locally.
What the server learns
Server can observe
- That recovery is enrolled; the opaque record bytes and encrypted shares.
- Login-attempt timing.
Server cannot learn
- Your password, a password hash, or the recovered master secret.
- The trustee (friend) graph, or any share plaintext.