What it means for your data — and why Geslar cannot see your passwords even if it wanted to.
Imagine a safe deposit box at a bank
You have a safe deposit box at a bank. The bank guards the box, but doesn't have the key. It doesn't know what's inside. It can't open it. Not even with a court order — because it physically doesn't possess the key.
That's zero-knowledge architecture. The service provider stores your (encrypted) data, but has no technical ability to read it.
Geslar goes one step further — there is no safe deposit box at the bank. Your data is only on your device. No servers, no cloud, no third parties.
How Geslar protects your data
1. Master password
You enter a master password. It is never stored — not on disk, not in memory after the vault locks. Geslar doesn't know your password.
2. Argon2id key derivation
From your master password, the Argon2id algorithm derives the encryption key. Argon2id is deliberately slow and memory-intensive, which makes large-scale password guessing (brute force) expensive and impractical.
3. AES-256-GCM encryption
The vault is encrypted with the AES-256-GCM algorithm — the same used by military and government systems. A 256-bit key has 2^256 possible combinations — more than atoms in the universe.
4. Local storage
The encrypted vault stays on your device. No uploads, no syncing, no servers. Your data never leaves your device.
Technical details (for those who want to know)
Argon2id parameters:
Argon2 won the Password Hashing Competition (2015), and Argon2id is its recommended variant for key derivation. It is designed to resist GPU and ASIC attacks because every evaluation requires a large amount of memory.
Unlike the older PBKDF2 (used by 1Password), Argon2id is memory-hard: an attacker cannot cheaply parallelise guessing across thousands of GPU cores, because each guess needs its own large block of RAM.
AES-256-GCM:
GCM (Galois/Counter Mode) not only encrypts data but also authenticates it with a tag that is checked before anything is decrypted. Encrypted data cannot be modified without detection: any tampering, even a single flipped bit, makes the tag check fail and decryption is refused.
Each encryption uses a unique nonce (a number used once), so encrypting the same data twice produces completely different output. The nonce does not need to be secret, but it must never be reused with the same key.
Salt:
Each vault has a unique cryptographic salt — a random string added to the master password before key derivation. This means that even if two users have identical master passwords, their encryption keys are completely different.
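To make the three technical points above concrete (per-vault salt, memory-hard key derivation, AES-256-GCM with a fresh nonce and tamper detection), here is an added example in Python. It is not Geslar's code and makes no claim about Geslar's actual parameters or file format. It assumes the `cryptography` package for AES-GCM; it uses real Argon2id if the `argon2-cffi` package is installed and otherwise falls back to scrypt from the standard library, which is also memory-hard and stands in for Argon2id only for demonstration. The cost parameters, the sample passphrase and the sample vault contents are all constructed for the example.

```python
"""Toy local vault: random salt -> memory-hard KDF -> AES-256-GCM with a fresh
nonce per encryption. Added illustration, not Geslar's implementation."""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN = 16    # random salt stored with the vault, unique per vault
NONCE_LEN = 12   # 96-bit GCM nonce, fresh for every encryption
KEY_LEN = 32     # 256-bit AES key

try:
    from argon2.low_level import Type, hash_secret_raw

    def derive_key(master_password: bytes, salt: bytes) -> bytes:
        """Argon2id with illustrative costs: 64 MiB, 3 passes, 4 lanes."""
        return hash_secret_raw(master_password, salt, time_cost=3,
                               memory_cost=64 * 1024, parallelism=4,
                               hash_len=KEY_LEN, type=Type.ID)
except ImportError:
    def derive_key(master_password: bytes, salt: bytes) -> bytes:
        """Stand-in when argon2-cffi is absent: scrypt, also memory-hard (16 MiB)."""
        return hashlib.scrypt(master_password, salt=salt, n=2 ** 14, r=8, p=1,
                              dklen=KEY_LEN)


def seal_vault(master_password: bytes, plaintext: bytes) -> bytes:
    """Encrypt the vault. The stored blob is salt || nonce || ciphertext+tag.

    The derived key exists only in memory here and is never written out.
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(master_password, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, None)
    return salt + nonce + ciphertext


def open_vault(master_password: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt the vault; None means wrong password or a tampered blob.

    Both cases fail identically: the GCM authentication tag does not verify,
    so no plaintext (not even garbage) is released.
    """
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(master_password, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        return None


def salt_changes_key(master_password: bytes) -> bool:
    """Same password, two vaults (two salts) -> two unrelated keys."""
    k1 = derive_key(master_password, os.urandom(SALT_LEN))
    k2 = derive_key(master_password, os.urandom(SALT_LEN))
    return k1 != k2


def nonce_changes_ciphertext(master_password: bytes, plaintext: bytes) -> bool:
    """Same data sealed twice -> completely different blobs."""
    return seal_vault(master_password, plaintext) != seal_vault(master_password, plaintext)


def tampering_is_detected(master_password: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the stored ciphertext; GCM refuses to decrypt."""
    blob = bytearray(seal_vault(master_password, plaintext))
    blob[SALT_LEN + NONCE_LEN] ^= 0x01   # first ciphertext byte
    return open_vault(master_password, bytes(blob)) is None


if __name__ == "__main__":
    pw = b"meadow-cloud-chocolate-chestnut"          # constructed sample passphrase
    vault = b'{"example.com": "sample-entry"}'       # constructed sample contents
    blob = seal_vault(pw, vault)
    print("round trip ok:", open_vault(pw, blob) == vault)
    print("wrong password rejected:", open_vault(b"password123", blob) is None)
    print("salt changes key:", salt_changes_key(pw))
    print("nonce changes ciphertext:", nonce_changes_ciphertext(pw, vault))
    print("tampering detected:", tampering_is_detected(pw, vault))
```

Two design points worth noticing: the salt and nonce are stored in the clear next to the ciphertext, which is fine because neither is secret; their job is uniqueness, not confidentiality. And a wrong password and a corrupted file are indistinguishable to the caller, because in both cases the only thing that fails is the authentication tag, which is exactly the behaviour the "any tampering results in a failed decryption" sentence describes.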
What does this mean in practice?
Geslar cannot read your data
Not even the development team. Not even with a court order. It is technically impossible to decrypt the vault without the master password.
A hacker cannot use a stolen vault
Even if someone physically steals your device and copies the vault file — without the master password, the data is a useless string of bytes.
No breach risk
Geslar has no servers to hack, no user database to steal and no central vault repository, so there is nothing to attack on the server side. What remains is the device in your hands and the master password in your head, which the rest of this page addresses.
You are responsible for backup
The downside: if you lose your device and don't have a backup — your data is permanently lost. No one can recover it. That's why backup is important.
Geslar vs cloud password managers
1Password, Bitwarden, LastPass — all claim to be "zero-knowledge". And technically they are — encryption happens locally, and the server never sees your data in plain text.
But there's a key difference: they still store your encrypted vaults on their servers. This means:
Risk 1: If an attacker breaches the server, they get encrypted vaults. Now they have unlimited time to attempt brute force on your master password — offline, with no attempt limits.
Risk 2: A client software update can introduce a backdoor that sends the master password to the server. The user cannot detect this because the software is closed-source.
Risk 3: Government agencies can (secretly) demand access to encrypted data — which is exactly what is rumored to have happened with Lavabit and other services.
Geslar eliminates all three risks. No servers = no encrypted vaults to steal. No cloud infrastructure = no attack surface. No account system = no user databases to compromise.
The only weakness: you
In a zero-knowledge system, security equals the strength of your master password. If you use "password123" as your master password — neither AES-256 nor Argon2id will save you.
Master password recommendations:
Use a passphrase
Instead of "M@rk0_2024!" use "meadow-cloud-chocolate-chestnut". Longer, stronger, and easier to remember.
Never share it
The master password exists only in your head. There is no reason for anyone to ever know it — not a partner, not IT support, not the Geslar team.
Conclusion
Zero-knowledge is not a marketing term — it's an architectural decision that determines who can access your data. With Geslar, the answer is simple: only you.
No servers, no accounts, no telemetry. Your master password is the only key, and your device is the only vault. That's privacy as it should be.