
How Encryption Works

AES-256-GCM, PBKDF2, zero-knowledge — explained.

Military-grade encryption, in your browser

Geslar uses the same encryption standards as banks, governments and military systems. Here's what happens to your data — technically, but understandably.

AES-256-GCM

AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) is the encryption Geslar uses for all data.

256-bit key
2²⁵⁶ possible keys — more than the number of atoms in the observable universe. Brute-force is physically impossible.
GCM mode
Provides both encryption (data is unreadable) and authentication (data hasn't been tampered with). If a single bit changes, decryption fails.
Unique IV per operation
Each encrypt operation uses a fresh 96-bit initialisation vector. The same data encrypted twice produces completely different output.
PBKDF2-SHA256 — from password to key

Your master password is not the encryption key. It goes through PBKDF2 (Password-Based Key Derivation Function 2):

  1. Master password + random salt (128 bits, unique per vault).
  2. 600,000 iterations of SHA-256 — deliberately slow.
  3. Result: a 256-bit master key.

600,000 iterations means that even a powerful GPU cluster needs hours to test a single password. A weak password is still weak — but PBKDF2 makes every guess expensive.

Zero-knowledge architecture
What this means
Geslar has zero knowledge of your data. We don't have your master password, your encryption key, or your decrypted data. We can't access your data even if we wanted to.
What this means in practice
If someone breaks into Geslar's server (future cloud version), they get encrypted blobs. Without your master password, the data is useless.
CSPRNG — true randomness

All random values in Geslar (salts, IVs, generated passwords) come from a CSPRNG: the Web Crypto API's crypto.getRandomValues(). This is a hardware-backed random number generator, not a predictable algorithm.

How does Geslar compare?
vs Bitwarden
Same AES-256, same PBKDF2. Bitwarden uses 600,000 iterations (same as Geslar). Architecturally equivalent.
vs 1Password
1Password uses AES-256 plus the SRP protocol. Different approach, same security level. Both zero-knowledge.
vs Google Password Manager
Google has access to your passwords on their servers. Not zero-knowledge. Geslar never has access to your data.
Vendor lock-in?
Your data is on your device. Export to CSV and import into any other manager.