Best zero-knowledge password managers (end-to-end encrypted)
Zero-knowledge means your data is encrypted on your device before it is uploaded, so the provider stores only ciphertext and cannot read your passwords — even if compelled or breached. These managers are built that way; here is how they compare.
What zero-knowledge actually means
Your master password derives an encryption key on your device; only ciphertext leaves it. The server can never decrypt your vault, so a server breach, rogue employee or subpoena yields unreadable data. The trade-off is real: lose the master password and no one — not even the provider — can recover your data.
Proton Pass
End-to-end encrypted with a generous free tier from the Proton privacy suite; cloud-hosted in Switzerland.
Bitwarden
Zero-knowledge, open-source and audited, with cloud or self-hosted deployment and a strong free plan.
NordPass
Zero-knowledge and notable for using XChaCha20 encryption (the same modern cipher as storage-p); proprietary and cloud-only.
1Password
A polished proprietary manager combining your password with a Secret Key so the vault stays unreadable server-side; cloud-only, subscription.
Where storage-p fits
storage-p is zero-knowledge and self-hosted: Argon2id derives your key in the browser, the server holds only XChaCha20-Poly1305 ciphertext, and SQLCipher encrypts the database at rest. Uniquely among this list you also run and own the server, and get SSH/TLS keys, API keys and TOTP plus confirmable, scoped API access in the same vault.
How to choose
Want a managed cloud with the least effort — Proton Pass or 1Password. Open-source cloud with a free tier — Bitwarden. Zero-knowledge and self-owned, keys and API included — storage-p.