Zentlock documentation
Zentlock is a free, zero-knowledge password and credential manager. It keeps your logins, payment cards, identities, secure notes, SSH keys and two-factor codes encrypted on your own device, and lets you share collections with people you trust — end to end. This guide walks through creating your vault, using it day to day, sharing safely, and the security that protects it all.
How it keeps you private
Zentlock is zero-knowledge: everything is encrypted on your device before it is stored or synced, using a chain of keys built from your master passphrase. No readable data is ever kept on any server, and the keys exist only in memory while the app is unlocked.
Your master passphrase
The one secret you remember. It is never sent anywhere and never stored — Zentlock cannot see it or reset it.
Master key
Derived from your passphrase with the memory-hard Argon2id algorithm and a unique salt, so guessing is slow and expensive.
Vault key
A strong random key that protects everything, kept wrapped by your master key and unlocked only in memory on your device.
Your encrypted items
Each collection has its own key and every item is encrypted, so a single share or revoke never exposes the rest of your vault.
Because every layer is encrypted, an exposed database — including the copy in your Google Drive — reveals only unreadable ciphertext. Zentlock uses AES-256-GCM to encrypt your data and the memory-hard Argon2id algorithm to derive keys from your passphrase, with public-key encryption for sharing.
Where it runs
Zentlock gives you one vault across all your devices. Use whichever fits the moment — they all share the same encrypted data and stay in sync through your own Google Drive.
| Platform | Good for | Highlights |
|---|---|---|
| Desktop app | A native app for your computer, with secure unlock built in. | Windows · macOS · Linux · Unlock with passphrase, PIN or biometrics |
| Web | Open your vault in any modern browser, nothing to install. | Chrome, Edge, Firefox, Brave, Safari · Same encrypted vault · Great for a quick check |
| Browser extension | Fill logins where you actually use them. | Detects login forms · Fills username, password and 2FA codes · Offers to save new logins |
| Mobile | Your vault in your pocket, with quick unlock. | iOS & Android · Fingerprint / Face unlock · Scan 2FA QR codes with the camera |
Browsers: Zentlock works in modern browsers including Chrome, Edge, Firefox, Brave and Safari. The browser extension can autofill your logins and 2FA codes and offer to save new ones.
Create your vault
The first time you open Zentlock, you set up your vault in a few steps:
- Enter your email and a master passphrase. The passphrase encrypts everything and should be long and unique — aim for at least 10 characters. Zentlock shows a live strength meter as you type.
- Save your recovery key. Zentlock can generate a one-time recovery key that restores access if you ever forget your passphrase. Store it somewhere safe — it is shown only once.
- Open your vault and add items. Create logins, cards, notes and more. Optionally connect Google Drive from Settings to sync across devices.
Items & types
Zentlock stores every kind of secret in one vault, organized by type:
- Logins — username, password, one or more website addresses, and an optional two-factor code.
- Cards — cardholder name, number, brand, expiry, and security code.
- Identities — name, email, phone, company, address, and other personal details you reuse on forms.
- Secure notes — encrypted free-form text for anything private.
- SSH keys — public key, private key, and fingerprint.
Sensitive values like passwords, card numbers and private keys are hidden by default — reveal them when you need to, or copy them straight to your clipboard without showing them on screen. Every item can also carry custom fields (text, hidden, or URL), tags, and a notes field. Logins with a website show the site's icon so they're easy to spot.
Organize & search
Keep a growing vault tidy and find anything in seconds:
- Collections group related items and are the unit you share with others. Give each a name and color.
- Favorites keep your most-used items one tap away.
- Archive tucks away items you want to keep but not see day to day; Trash holds deleted items so you can restore them.
- Search matches names, usernames, websites, identity emails, notes and tags as you type.
- Browse by type to focus on just logins, cards, notes, and so on.
Password generator
Zentlock includes a built-in generator for strong credentials — available on its own and while creating a login.
- Passwords — adjust the length and choose uppercase, lowercase, numbers and symbols. Optionally exclude ambiguous characters (like O and 0) so the result is easy to read and type.
- Passphrases — generate several memorable words, capitalized and joined with a number, when you'd rather type something you can remember.
- Strength meter — every result shows a strength rating and estimated bits of entropy, so you know how strong it is.
Tip: regenerate until you get one you like, then copy it with a single tap.
Authenticator (2FA)
Zentlock has a built-in authenticator that generates time-based one-time codes (TOTP), so it can fully replace a separate authenticator app.
- Open Authenticator and choose Add code.
- Paste an
otpauth://link or the secret a site shows you — or scan its QR code on devices with a camera. - Zentlock shows a live code with a countdown; copy it at sign-in. You can also attach a code directly to a login so the password and its 2FA live together.
Import & export
Your data is always yours to take with you.
- Import a JSON file to bring items in from another manager or restore a backup. Items are added to collections matching their names.
- Export your vault as plain JSON, or as encrypted JSON protected by a separate key you choose (independent of your master passphrase).
Accept an invite
If someone shared a collection with you using a one-time code:
- Open Zentlock, go to Collections, and choose Accept an invite.
- Enter the one-time invite code the sender gave you.
- The shared collection is added to your vault and re-secured under your own keys. The one-time code is then used up and useless.
Safety tip: the sender should give you the code through a separate channel (a text or a call), not alongside the invite itself. That separation is what keeps the share secure.
Revoke access
As the owner, you can remove someone from a shared collection at any time. When you do, Zentlock generates a brand-new key for the collection, re-encrypts its contents, and re-shares it only with the remaining members.
The result: the removed person can no longer decrypt any future changes. This key rotation is what makes revocation in Zentlock reliable. For high-trust shares, you can also compare a short security number with the other person to confirm you're sharing with exactly who you think.
Unlock methods
Zentlock locks your vault and offers a few ways to unlock it again:
- Master passphrase — your primary key, available everywhere.
- PIN — a 4–8 digit code for fast unlock on a trusted device.
- Biometrics — fingerprint or face, where your device supports it.
Recovery key
At setup, Zentlock can generate a one-time recovery key that restores access if you forget your master passphrase. It's shown only once, so store it somewhere safe.
Because Zentlock is zero-knowledge, your passphrase and recovery key are the only ways in — there is no back door, and we cannot reset your vault for you. That's exactly what keeps your data private. You can choose not to use a recovery key, accepting that a forgotten passphrase would mean the data can't be recovered.
Auto-lock & devices
- Auto-lock — Zentlock can lock after a period of inactivity you choose, clearing your keys from memory.
- Lock on restart — by default, Zentlock asks for your master passphrase again after the app restarts or the device reboots. You can opt to let a PIN or biometrics persist for more convenience.
- Change your passphrase anytime from Settings, after entering your current one.
- De-enroll a device to erase its local vault and stored keys — your data stays safe in Drive and on your other devices.
Privacy & data storage
Zentlock keeps your encrypted vault on your own device and can optionally sync it to your own Google Drive so it's available everywhere. In both places, only encrypted data is stored — no readable passwords or keys live on any server.
- Encrypted before storage — every item is sealed with AES-256-GCM on your device.
- Your keys stay with you — passphrase and keys live in memory only and are cleared on lock.
- Ciphertext only in the cloud — your Google Drive copy can't be read by Google or by us.
- No telemetry — Zentlock collects no usage data or analytics.
For the full details, see the Privacy Policy.
FAQ
Quick answers to the questions people ask most about Zentlock.
Is Zentlock really free?
Yes. Zentlock is completely free and open source under the MIT license, for both personal and everyday work use. There is no subscription and no paid tier.
Can anyone — including you — read my passwords?
No. Zentlock is zero-knowledge. Your data is encrypted on your device with AES-256-GCM, and the keys are derived from your master passphrase, which never leaves your device. Even if someone obtained the stored database — including the copy in your Google Drive — they would see only unreadable ciphertext.
Where is my data stored?
Your encrypted vault lives on your own device, and you can optionally sync it to your own Google Drive so it is available on every device. Only encrypted data is ever stored or synced — no readable passwords or keys are kept on any server.
What happens if I forget my master passphrase?
At setup Zentlock can generate a one-time recovery key that restores access if you forget your passphrase. Keep it somewhere safe. Without the passphrase or the recovery key, the vault cannot be decrypted — which is exactly what keeps it private.
Which platforms does Zentlock support?
Zentlock runs as a desktop app on Windows, macOS and Linux, in modern web browsers, as a browser extension that can autofill logins, and on mobile — all sharing one vault. It works offline and syncs your encrypted vault when you are online.
Can Zentlock handle two-factor (2FA) codes?
Yes. Zentlock has a built-in authenticator that generates time-based one-time codes. You can add codes by pasting an otpauth link or a secret (or scanning a QR code on devices with a camera), keep them standalone, or attach them to a login. It can fully replace a separate authenticator app.
Can I share passwords with my family or team?
Yes. You can share a whole collection with someone by email, choosing read-only or read & write access. Sharing is end-to-end encrypted, so only the recipient can decrypt it, and you can revoke access at any time — after which they can no longer see future changes.
Can I import my passwords from another manager?
Yes. Zentlock imports JSON files, mapping entries to logins, cards, identities and notes. You can also export your vault as plain or encrypted JSON for backups or to move it elsewhere — your data is always yours to take with you.
How strong is the encryption?
Zentlock uses AES-256-GCM authenticated encryption for your data and the memory-hard Argon2id algorithm to derive keys from your passphrase, with public-key encryption for sharing. These are widely trusted, industry-standard algorithms, strong enough for organization-level use.
Does Zentlock work offline?
Yes. Zentlock is offline-first — your vault is fully usable with no internet connection. When you reconnect, your encrypted changes sync in the background to your own Google Drive if you have it connected.