The zero-knowledge model

Manifa is end-to-end encrypted: every cryptographic operation happens on your device, and the server stores and moves only ciphertext and public parameters. This page states honestly what that does and doesn't hide — see the full threat model for the complete list.

What the server never sees

  • File contents — chunked and sealed with AES-256-GCM-SIV under a key derived from the Vault Key. The Vault Key never leaves your devices.
  • Filenames and paths — encrypted inside the Manifest (the directory-tree record); only an opaque tag crosses the wire.
  • .env values — sealed as a single opaque blob (an EnvSet).
  • Any key material — your Account Master Key and Vault Keys exist only in client memory. The server stores only AMK-wrapped blobs it cannot open.

A compromise of the server — or anyone with a stolen session token — yields ciphertext and metadata. Never plaintext contents, names, or keys.

What the server can observe

This is the part most "zero-knowledge" products gloss over. An honest-but-curious server can infer:

  • Approximate file sizes — ciphertext size tracks plaintext size, so individual file sizes leak within a bucket.
  • File and chunk counts, and overall tree size — roughly how many files a vault holds and its shape.
  • Activity and cadence — when and how often you sync and edit secrets.
  • Authorship — which device made each change.
  • Device platform and enroll/revoke timestamps.
  • Name equality within a vault — the server can tell when two operations touch the same (still-unknown) name.
  • Key rotations — that a device revocation happened, not who or why.

If those are sensitive to you — "this repo has exactly one 4 KB secret that changes every Friday" — Manifa does not hide them today. For maximum metadata resistance on a secrets-only vault, prefer mani env push (a single opaque blob) over committing secrets as plain files in a synced tree.

The key hierarchy

password ──────wraps──► Account Master Key (AMK) ──wraps──► Vault Key (VK) ──derives──► Chunk Key (CK)
recovery code ─wraps──►           ▲
device keypair ─wraps─────────────┘

  • Account Master Key (AMK) — the 256-bit root of your account, generated client-side at signup and never transmitted in plaintext. Every Vault Key is wrapped by it.
  • Master password — wraps the AMK. This is distinct from your login (email/OTP or Google) — see onboarding for why there are two separate secrets.
  • Recovery code — a 12-word phrase shown once at mani init that also wraps the AMK. It's the only way back in if every device is lost.
  • Device keypair — generated locally on enrollment; the private key never leaves the device (held in the OS keystore — Keychain / secret-service). The AMK is wrapped to each enrolled device's public key.
  • Vault Key (VK) — a random 256-bit key per vault, wrapped by the AMK. Encrypts that vault's manifests and derives its chunk keys. Sharing a vault means wrapping the VK to another member.
  • Chunk Key (CK) — derived, not stored: CK = HMAC-SHA256(VK, hash(plaintext_chunk)). This deterministic derivation is what makes convergent encryption — and therefore content dedup — possible without leaking plaintext.

Lose every wrap (no device, no password, no recovery code) and the data is unrecoverable, by design.
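The chunk-key derivation above, worked through as an added example (this is illustration code, not Manifa's own implementation). It assumes SHA-256 for the unspecified hash(), a simple fixed-size chunker, and constructed Vault Keys and file contents, and it contrasts the VK-keyed derivation with the classic unkeyed convergent key to show why keying by VK stops an observer from confirming a guessed plaintext while still letting equal chunks inside one vault dedup:

```python
import hashlib
import hmac

CHUNK_SIZE = 4  # constructed: tiny chunks so the sample files below split into several pieces


def derive_chunk_key(vault_key: bytes, plaintext_chunk: bytes) -> bytes:
    """CK = HMAC-SHA256(VK, hash(plaintext_chunk)). The page does not name hash(); SHA-256 is assumed."""
    content_hash = hashlib.sha256(plaintext_chunk).digest()
    return hmac.new(vault_key, content_hash, hashlib.sha256).digest()


def unkeyed_convergent_key(plaintext_chunk: bytes) -> bytes:
    """The classic convergent-encryption key, for contrast: hash(plaintext) with no vault secret.
    Anyone who can guess the plaintext can recompute it, which is what keying by VK prevents."""
    return hashlib.sha256(plaintext_chunk).digest()


def chunk_file(data: bytes, size: int = CHUNK_SIZE) -> list[bytes]:
    """Fixed-size chunking, assumed here; the page does not describe the chunker."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def chunk_keys_for_file(vault_key: bytes, data: bytes) -> list[bytes]:
    return [derive_chunk_key(vault_key, chunk) for chunk in chunk_file(data)]


def shared_chunk_keys(vault_key_a: bytes, data_a: bytes, vault_key_b: bytes, data_b: bytes) -> int:
    """Number of chunk keys two (vault, file) pairs have in common: the dedup opportunity.
    Equal chunks under the same VK collide (dedup works); under different VKs they never do."""
    keys_a = set(chunk_keys_for_file(vault_key_a, data_a))
    keys_b = set(chunk_keys_for_file(vault_key_b, data_b))
    return len(keys_a & keys_b)


def guess_matches_observed(observed_key: bytes, guessed_chunk: bytes) -> bool:
    """What an observer without VK can try: recompute the unkeyed key for a guess and compare.
    Against VK-keyed chunk keys this never matches, because the observer cannot run the HMAC."""
    return unkeyed_convergent_key(guessed_chunk) == observed_key


# Constructed sample data: two vaults and two secrets files that differ in one byte.
VK_A = b"\x01" * 32
VK_B = b"\x02" * 32
FILE_1 = b"DB_PASSWORD=hunter2\n"
FILE_2 = b"DB_PASSWORD=hunter3\n"

if __name__ == "__main__":
    print("chunks of FILE_1:", chunk_file(FILE_1))
    print("shared keys, same vault:", shared_chunk_keys(VK_A, FILE_1, VK_A, FILE_2))
    print("shared keys, different vaults:", shared_chunk_keys(VK_A, FILE_1, VK_B, FILE_1))
    guess = b"hunt"
    print("unkeyed scheme confirms guess:", guess_matches_observed(unkeyed_convergent_key(guess), guess))
    print("VK-keyed scheme confirms guess:", guess_matches_observed(derive_chunk_key(VK_A, guess), guess))
```

Within one vault the two files share four of five chunk keys, so four chunks can be stored once; across vaults the same bytes produce unrelated keys, so the server cannot correlate content between vaults, and a plaintext guess that would confirm against an unkeyed convergent key confirms nothing against the HMAC-derived one.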

Revocation

Revoking a device deletes its wrapped AMK and rotates the Vault Key for every vault that device had access to: new content is encrypted under the new VK; remaining devices keep reading old content via the prior key (an epoch-aware key ring, not a single overwritten key).
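The epoch-aware key ring described above, modelled as an added example (illustration code, not Manifa's own). It reuses the CK derivation from the key hierarchy section and assumes: a constructed HMAC-based XOR keystream standing in for AES-256-GCM-SIV so the example can round-trip bytes offline (it is unauthenticated and is not the product's cipher); that a chunk's content hash is available to readers from the encrypted manifest; fixed keys and the device names "laptop" and "phone" for reproducibility. It shows the remaining device reading content from both epochs while the revoked device's stale ring opens only content sealed before the rotation:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def derive_chunk_key(vault_key: bytes, content_hash: bytes) -> bytes:
    """CK = HMAC-SHA256(VK, hash(plaintext_chunk)), as in the key hierarchy (SHA-256 assumed for hash)."""
    return hmac.new(vault_key, content_hash, hashlib.sha256).digest()


def toy_keystream_xor(chunk_key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-256-GCM-SIV: an HMAC-SHA256 keystream XORed over the data.
    Unauthenticated and not the product's cipher; it only lets this example round-trip bytes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(chunk_key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class SealedChunk:
    epoch: int           # VK epoch that sealed it, kept beside the ciphertext so a reader picks the right key
    content_hash: bytes  # hash(plaintext), needed to re-derive CK; assumed to live in the encrypted manifest
    ciphertext: bytes


class VaultKeyRing:
    """Epoch-aware ring of Vault Keys: every epoch a device received stays readable; only the newest seals."""

    def __init__(self, first_key: Optional[bytes] = None):
        self.keys = {0: first_key or secrets.token_bytes(32)}

    @property
    def current_epoch(self) -> int:
        return max(self.keys)

    def rotate(self, new_key: Optional[bytes] = None) -> int:
        """Called on device revocation: mint a new VK epoch; older epochs are kept, not overwritten."""
        epoch = self.current_epoch + 1
        self.keys[epoch] = new_key or secrets.token_bytes(32)
        return epoch

    def snapshot(self) -> "VaultKeyRing":
        """The key material a device holds: the epochs it had received while its wrapped AMK was valid."""
        ring = VaultKeyRing.__new__(VaultKeyRing)
        ring.keys = dict(self.keys)
        return ring

    def seal(self, plaintext: bytes) -> SealedChunk:
        epoch = self.current_epoch
        content_hash = hashlib.sha256(plaintext).digest()
        ck = derive_chunk_key(self.keys[epoch], content_hash)
        return SealedChunk(epoch, content_hash, toy_keystream_xor(ck, plaintext))

    def open(self, sealed: SealedChunk) -> bytes:
        vk = self.keys.get(sealed.epoch)
        if vk is None:
            raise PermissionError(f"no Vault Key for epoch {sealed.epoch}: this device was revoked before that rotation")
        return toy_keystream_xor(derive_chunk_key(vk, sealed.content_hash), sealed.ciphertext)


def revocation_walkthrough() -> dict:
    """Laptop and phone share a vault; the phone is revoked. The laptop reads content from both epochs,
    the phone's stale ring reads only what was sealed before the rotation. Keys fixed for reproducibility."""
    laptop = VaultKeyRing(first_key=b"\x11" * 32)
    old_chunk = laptop.seal(b"API_TOKEN=old-value")
    phone = laptop.snapshot()                         # phone enrolled: it holds epoch 0
    new_epoch = laptop.rotate(new_key=b"\x22" * 32)   # phone revoked: VK rotated, phone never receives epoch 1
    new_chunk = laptop.seal(b"API_TOKEN=rotated-value")
    outcome = {
        "new_epoch": new_epoch,
        "laptop_reads_old": laptop.open(old_chunk),
        "laptop_reads_new": laptop.open(new_chunk),
        "phone_reads_old": phone.open(old_chunk),
    }
    try:
        phone.open(new_chunk)
        outcome["phone_reads_new"] = True
    except PermissionError:
        outcome["phone_reads_new"] = False
    return outcome


if __name__ == "__main__":
    for name, value in revocation_walkthrough().items():
        print(f"{name}: {value!r}")
```

The point of keeping the ring rather than overwriting the key is visible in the outcome: nothing already sealed needs re-encryption for the laptop to keep reading it, while the revoked phone is cut off from everything written after the rotation, and only from that.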