FAQ

Things people actually ask.

Sorted by category, expanded by default — read the answers, then come back with the next question.

Security & cryptography

XChaCha20-Poly1305 for symmetric authenticated encryption, Argon2id (1 GB memory / 4 iterations) for password-based key derivation, X25519 + Ed25519 for sharing handshakes, and TLS 1.3 with certificate pinning for transport. Full cryptographic spec: /security.
A 128-bit random string generated on your device at signup. It's combined with your Master Password to derive the vault unlock key. If our database leaks but your Secret Key never did, attackers cannot brute-force your Master Password offline: every guess would also have to match the 128-bit Secret Key, which is out of reach for any amount of GPU.
Yes. iOS, Chrome, Web vault, and the Rust crypto core are under MPL-2.0. The sync server is under AGPL-3.0, and you can self-host it. github.com/keevo.
Cure53 reviewed the cryptographic core, sync protocol, and recovery flow in March 2026. Full report (PDF + signed hash) available on the security page.

Account & recovery

Use your Recovery Kit (the printable PDF you saved at signup). Pro accounts can also recover via a paired hardware key. If you lose all of those, your vault is unrecoverable.
No. By design — that's what "we can't read your data" actually requires. If support could reset, so could a malicious insider, a court order, or a phisher.
Generated automatically at signup. You can re-download it any time from Settings → Recovery while you're signed in (you must already be unlocked, naturally).

Features & platforms

Yes. Vault lives on-device. Sync is opportunistic — encrypted deltas push when you have a connection. Read, write, unlock all work offline.
Q3 2026. The Rust core already builds for Android — we're writing the Jetpack Compose UI now. If you want early access, drop us an email.
All four. We map 1Password Categories and Bitwarden Folders to Keevo Tags automatically. CSV is also supported. The whole flow runs locally — your old export never reaches our server.
YubiKey, SoloKey, Nitrokey — anything WebAuthn-compatible. Pro plan only, used as a recovery factor. We deliberately do not let it replace your Master Password — that would weaken zero-knowledge.

Pricing & billing

Yes. Forever, every device, every item type, every sync. We pay for it through Pro subscriptions and donations. We don't run ads, sell data, or collect analytics.
Visa / Mastercard / Amex via Stripe. Apple Pay on iOS. Wise transfer for annual plans. Monero accepted at billing@keevo.tuanle.dev.

Didn't find what you needed?

Email questions@keevo.tuanle.dev — we read every message and reply within 24 hours.
