How it works

Account recovery

True end-to-end encryption usually means “lose your device, lose your account.” Privex offers recovery — without ever letting the server recover your keys for you.

If you want to recover with a password, here’s the trick: the server is built so it never sees your password, not even hashed. It’s mathematically blind to it — so stealing the whole database still doesn’t let anyone guess passwords against it offline, unless they also steal a second secret kept elsewhere. You can also split a recovery key among trusted friends, or write down a 24-word phrase.

Four independent paths, all zero-knowledge to the live server. OPAQUE (Ristretto255 OPRF + Argon2id) stores an OPRF record + an encrypted envelope — never a password-derived value. Shamir shares are sealed to trustees’ keys (storage live; retrieval deferred). A BIP-39 seed regenerates the identity deterministically. Multi-device linking transfers keys device-to-device over an encrypted channel.

Four recovery paths
what each needs, and what the server holds
fully live partial / deferred
Figure. Only the OPAQUE record and Shamir shares are stored server-side, both as ciphertext the server can’t open. The seed phrase is never stored anywhere.

OPAQUE, step by step

1Client

Wraps your key material in an encrypted envelope whose key is derived from your password via an oblivious protocol.

2Postgres

Stores an OPRF record + the envelope + a MAC — no password, no password hash, nothing password-derived.

3API → Redis

On a new device, runs a short-lived login (opq:<hmac>, 120 s), returning dummy envelopes for accounts that don’t exist (anti-enumeration).

4Client

Completes the OPAQUE exchange, decrypts the envelope with the password-derived key, and recovers the master seed locally.

What the server learns

Server can observe

  • That recovery is enrolled; the opaque record bytes and encrypted shares.
  • Login-attempt timing.

Server cannot learn

  • Your password, a password hash, or the recovered master secret.
  • The trustee (friend) graph, or any share plaintext.
Honest tradeoff OPAQUE is opt-in and hard-deleted on disable. If the database and a separately-kept OPRF key were both stolen, weak recovery passwords become offline-guessable — so a strong recovery password matters.