By default, Enpass stores encrypted password vaults on users’ personal cloud accounts, locally on device, or in business clients’ internal cloud infrastructure.[1][6][7]
Privacy: The application features client-side encryption, using SQLCipher[10] to encrypt its keychain file locally with a user-defined master password. The Enpass app retains no user data on its company servers,[11][6] instead storing and syncing encrypted password vaults on storage controlled by the end user.
Enpass provides multiple client applications, including desktop applications, browser extensions and mobile apps. The desktop apps are available for Windows, macOS, and Linux,[15] while browser extensions are offered for Chrome, Firefox, Safari, Edge, Opera, Vivaldi and Brave.[16] Mobile apps are available for Android and iOS.[15]
Enpass products include Personal and Family editions that feature vault sharing via personal cloud accounts,[17] and Business and Enterprise editions with users’ vaults stored within each clients’ business-cloud infrastructure.[18] For personal and family users, the desktop app is free, and the mobile app is free up to 25 records, with more records and additional features available with a software subscription.[17][19] The Business and Enterprise editions are billed per user, per month, and include security audits, access recovery, and password-less vault sharing between invited co-workers.[18]
The entire database is protected using AES-256 encryption. SQLCipher is used to technically implement the AES-256 encryption.[20]
In addition, the encryption key is derived from the master password using PBKDF2-HMAC-SHA512 with 320,000 iterations, which makes brute-force attacks extremely difficult.[20]
Enpass provides official security whitepapers[21] that explain the security architecture and encryption methods in more detail. These whitepapers are available for download on the Enpass website and are part of the official documentation on security and encryption.
A 2024 study by Hutchinson et al. examined the “password checkup” features of 14 password managers, including Enpass, using weak, breached, and randomly generated passwords. The authors found that the evaluated products reported weak and compromised passwords inconsistently and sometimes incompletely. No manager successfully flagged all known breached passwords. The study concludes that such inconsistencies may give users a false sense of security.[9]
Security researcher Marek Tóth presented a vulnerability in browser extensions of several password managers, including Enpass, atDEF CON 33 on August 9, 2025. In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click.[22] The affected password manager vendors were notified in April 2025. According to Tóth, Enpass version 6.11.6 (released August 13, 2025) addressed this issue.[23]
^abcHutchinson, Adryana; Munyendo, Collins W.; Aviv, Adam J; Mayer, Peter (2024-05-11). "An Analysis of Password Managers' Password Checkup Tools".Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. CHI EA '24. New York, NY, USA: Association for Computing Machinery. pp. 1–7.doi:10.1145/3613905.3650741.ISBN979-8-4007-0331-7.
^"SQLCipher".GitHub.Archived from the original on 2017-07-01. Retrieved2019-02-22.
