Your data stays on your device. Always.
PassKey never sends your data anywhere. No cloud, no servers, no analytics, no telemetry. Everything stays encrypted on your computer.
1. Overview
PassKey is a local-first password manager for Windows. The desktop application and its browser extension store and manage your credentials exclusively on your device. No account is required to use PassKey. No data is ever transmitted to any remote server — by design, there is no remote server to transmit data to.
This policy describes what information PassKey reads or processes while running on your computer and how that information is used.
2. Data Storage
- All vault data (passwords, credit cards, identities, secure notes) is stored in an encrypted SQLite database on your local disk.
- Default location: %LOCALAPPDATA%\PassKey\vault.db
- Encryption: AES-256-GCM, keys derived from your master password via Argon2id (or PBKDF2-SHA256 for vaults created on older versions).
- Your master password is never persisted — it is held in memory only for the duration it is needed to derive the decryption key, then zeroed.
3. Network Activity
PassKey makes zero outbound network connections. The only communication that occurs is between the browser extension and the PassKey Desktop application on your own computer, via the browser's Native Messaging API over a local Named Pipe:
- This communication never leaves your machine.
- The channel is protected with ephemeral ECDH P-256 + AES-256-GCM session keys negotiated at runtime.
There is no analytics, no telemetry, no crash reporting, no update checking, and no advertising — not now, not ever.
4. Browser Extension Permissions
The PassKey browser extension (available for Chrome, Edge, and Firefox) requests the minimum permissions necessary to operate. Below is a complete list of what each permission is used for:
| Permission | Why it is needed | What it accesses |
|---|---|---|
| nativeMessaging | Communicate with PassKey Desktop via the browser's Native Messaging API | Local IPC channel to PassKey Desktop — no internet access |
| activeTab | Read the URL of the current tab to find matching credentials | URL only — no page content, no cookies, no form data |
| tabs | Inject autofill into the active tab and keep the popup's tab reference current | Active tab ID and URL — no browsing history |
The extension reads the URL of the tab you are currently viewing solely to identify which saved credentials match the site. This URL is passed to the local PassKey Desktop app for matching and is never stored by the extension or sent anywhere else.
5. Data Sharing
PassKey does not share any data with third parties. There are no third-party SDKs, advertising networks, or analytics providers embedded in PassKey. There is no data to share because no data leaves your device.
6. Backups
Encrypted backups (.pkbak files) are stored locally at a location you choose. Backups are independently encrypted with AES-256-GCM using an Argon2id-derived key from a password you provide at backup time. PassKey does not offer or access any cloud backup service.
7. Open Source & Auditability
PassKey is open-source software licensed under the GNU GPL v3. The complete source code is publicly available. You can audit every line of code that handles your data at github.com/pexatar/PassKey.
8. Changes to This Policy
If this policy is updated, the new version will be published at this URL with an updated date at the top. Because PassKey collects no personal data, changes will typically only reflect new features or clarifications to existing practices.
9. Contact
- Security issues: report privately via GitHub Security Advisories
- General questions and bug reports: GitHub Issues
- Email: pexatar@gmail.com