Security

Designed so you can trust the math

Novash is built like a serious password manager: strong cryptography, a zero-knowledge posture, and server-side controls that match how people actually use mobile devices. Below is how we explain what we protect—and what we deliberately cannot see.

OWASP-aligned cryptography

Vault encryption and key derivation follow modern guidance—not ad-hoc choices from a blog post.

  • AES-256-GCM + Argon2id as core building blocks
  • Zero-knowledge: we do not need your plaintext vault
  • RLS and strict data scoping at the database layer

Details vary by platform release. When in doubt, verify on-device behavior and keep your apps updated.

Cryptography

Algorithms you can look up

Marketing pages love saying “military-grade.” Here is the more useful version: we publish the class of primitives we build on so customers, researchers, and competitors can evaluate the claim.

AES-256-GCM for vault data

Your vault contents are encrypted with modern authenticated encryption. That means confidentiality and integrity: tampering is detected, not silently accepted.

Argon2id for key derivation

Key derivation is tuned for real hardware: strong resistance to guessing attacks without punishing legitimate users on phones and tablets.

Native crypto in critical paths

Sensitive operations are implemented with care for platform APIs and memory lifetime—so security is not an afterthought bolted onto the UI.

Zero-knowledge

What we cannot do—on purpose

A password manager that can read your secrets is a liability dressed as convenience. Novash is architected so that “call support and recover my vault” is not a magic backdoor—because there is no copy of your keys sitting in plaintext for us to retrieve.

We never receive your master password

It is used on your devices to derive keys. It is not something we can “look up” in a database to unlock your vault.

Ciphertext leaves the device; plaintext stays with you

What syncs between your signed-in devices is encrypted payload. The design goal is straightforward: our infrastructure moves blobs, not secrets.

Recovery is yours to plan

If you lose access to recovery materials and your master password, no one can responsibly “reset” a true zero-knowledge vault without your keys.
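The client-side flow described above, sketched as an added example (this is not Novash's code): the key is derived from the master password on the device, only the AES-256-GCM blob is uploaded, and a wrong password or a modified blob fails the tag check. Assumptions: Node.js standard library only, with scrypt standing in for Argon2id as the KDF; the function names, parameters and sample vault are hypothetical.

```javascript
const crypto = require('node:crypto');

// Device side: derive a 256-bit key from the master password.
// scrypt is a stand-in for Argon2id here (assumption, see lead-in).
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32,
    { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Device side: encrypt the vault. The returned blob is all a server would store.
function sealVault(masterPassword, vaultObject) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every encryption
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(vaultObject), 'utf8'),
    cipher.final(),
  ]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Device side: decrypt. Returns null when the authentication tag does not
// verify, which covers both a wrong master password and a modified blob.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    const pt = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data, not real credentials.
const vault = { entries: [{ site: 'example.test', user: 'alice', password: 'constructed-sample' }] };
const blob = sealVault('correct horse battery staple', vault);

// Simulate a blob altered in storage or transit: flip one ciphertext bit.
const tampered = { ...blob, ct: Buffer.from(blob.ct) };
tampered.ct[0] ^= 0x01;

console.log(openVault('correct horse battery staple', blob) !== null); // opens on the device
console.log(openVault('not the master password', blob));               // null
console.log(openVault('correct horse battery staple', tampered));      // null
```

Nothing in the blob (salt, nonce, ciphertext, tag) lets its holder decrypt without the master password, which is why a lost password cannot be reset server-side in this model.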

Infrastructure

Server-side controls that match the threat model

Cryptography on the client does not excuse sloppy access control in the cloud. Your account data is protected with database policies and tight scoping—so one user cannot become another user by mistake—or malice.

Row Level Security on your data

Database access is scoped so accounts only touch what belongs to them. Least-privilege is the default posture—not an optional add-on.

Audit-friendly event streams

Security-relevant activity is designed to be observable where it matters: for you, for support, and for incident response—without turning logs into a second vault of secrets.

Transport & operations

From your device to our edge—and back

Attackers do not politely wait for you to finish reading the landing page. We combine transport security, pinning strategy, and continuously improving edge controls so abuse costs more than it pays.

TLS for every request

Client traffic uses modern transport security. We treat network attackers as real: encryption in transit is the baseline, not just a bullet point for the brochure.

Certificate pinning strategy

We invest in pinning architecture so clients can bind to expected identities—not just “any valid certificate.” Pin rotation is staged carefully to avoid taking you offline when CAs rotate.

Edge hardening over time

Rate limits, abuse controls, and bot friction are part of an ongoing program. The internet is hostile; our job is to make abuse expensive and service reliable.

Clients

Sessions, biometrics, and the real world

A vault is only as safe as the device around it. We integrate with OS secure storage where available, encourage strong signup passwords, and treat session lifetime as a risk decision—not an infinite vacation for stolen devices.

  • Biometric unlock uses platform APIs; your master password is not “stored in a note.”
  • Account creation enforces strong password rules—because weak master passwords break every downstream guarantee.

A note for professionals

If you are evaluating Novash against Bitwarden, 1Password, or LastPass: compare the cryptography, the threat model, and the operational honesty. We would rather lose a deal than win one with vague promises we cannot defend under scrutiny.

Disclosure

Report a vulnerability

If you believe you have found a security issue, contact us privately. Include impact, affected components, and reproduction steps. We take valid reports seriously and work fixes with an eye toward protecting users first—then publishing what we can without helping attackers.

What helps us move fast

  • Clear severity and user impact
  • Minimal proof-of-concept, not noisy exploitation
  • A contact path that does not broadcast zero-days in public issues