How Zero-Knowledge Sync Works

RabbitKey supports syncing your vault across devices using iCloud Drive, Google Drive, or WebDAV. The mechanism is designed so that the sync provider — Apple, Google, or your WebDAV host — never has access to the contents of your vault. Here is how that works, and what "zero-knowledge" means in this context.

What Gets Uploaded

When you enable sync, RabbitKey uploads a single file: the encrypted vault file. This file is produced on-device after all encryption has already occurred.

The sync provider receives:

  • An encrypted binary blob
  • No decryption key
  • No plaintext credentials
  • No metadata about how many entries the vault contains or what they are named

Your master password and the derived encryption key stay on your device. They are never sent to the sync provider, and they are never sent to RabbitKey (which has no servers in this path anyway).

Why This Is "Zero-Knowledge" with Respect to the Provider

"Zero-knowledge" in this context means the sync provider learns nothing about the vault's contents from what it receives. This is distinct from the cryptographic proof system also called zero-knowledge — the term here describes the practical outcome: the provider holds ciphertext and, without the key, gains zero knowledge of the plaintext.

This property holds because:

  1. Encryption happens first. The vault is encrypted on-device with XChaCha20-Poly1305 before any sync operation begins. The sync layer never touches unencrypted data.
  2. The keys never travel with the ciphertext. Neither your master password, nor the key derived from it, nor the vault's master key is uploaded. The provider cannot decrypt the file even if compelled to do so.
  3. RabbitKey has no server role. There is no RabbitKey relay, no intermediary that could intercept the plaintext or the key before upload.

For details on the encryption, see How RabbitKey Encrypts Your Vault.

Supported Providers

iCloud Drive

The encrypted vault file is stored in your iCloud Drive container. Syncing across iOS and macOS devices that share the same Apple ID is automatic once iCloud Drive is enabled. Apple's infrastructure transports the encrypted blob; Apple cannot decrypt it.

Google Drive

The encrypted vault file is stored in RabbitKey's private app-data space on your Google Drive (a hidden area scoped to the app, not a folder you browse). Google stores and syncs the encrypted blob; Google cannot decrypt it.

WebDAV

WebDAV is a protocol, not a specific service — you can point RabbitKey at any WebDAV-compatible server (Nextcloud, a NAS, a hosted WebDAV service). The encrypted vault file is written to the configured path. Your WebDAV host sees the encrypted file.

When setting up a new device with WebDAV sync, RabbitKey can transfer the account to the new device via a QR code scan — including the WebDAV server URL and credentials, so it re-configures in one step without manual entry. (That QR also carries the master key and master password, so treat it as sensitive.) See Restoring Your Vault on a New Device for the full transfer flow.

Conflict Resolution

Conflicts arise when two devices modify the vault while offline and then both try to sync. RabbitKey handles this non-destructively:

  • Neither version of the vault is silently discarded
  • The conflict is surfaced in the UI, showing both versions
  • You choose which version to keep

This is the safe choice. Silently picking "most recent" or "largest file" risks discarding legitimate changes. Manual resolution is a small inconvenience compared to silently losing entries.
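The non-destructive handling described above, as an added model that is not RabbitKey's own code: it assumes a WebDAV-style conditional PUT (ETag plus If-Match) as the conflict detector, and uses constructed stand-in bytes where the real encrypted vault file would be.

```python
import hashlib


class SyncConflict(Exception):
    """Raised when the remote vault changed since this device last synced."""
    def __init__(self, local_blob, remote_blob, remote_etag):
        super().__init__("remote vault changed since last sync")
        self.local_blob, self.remote_blob, self.remote_etag = local_blob, remote_blob, remote_etag


class RemoteStore:
    """Stand-in for the WebDAV host: one opaque blob plus its ETag.
    It holds no key; every blob it stores is ciphertext (constructed here)."""
    def __init__(self):
        self.blob, self.etag = None, None

    def get(self):
        return self.blob, self.etag

    def put(self, blob, if_match):
        # Conditional PUT (WebDAV If-Match): refuse when the caller's view of the
        # remote version is stale, so a concurrent change is never overwritten.
        if self.etag != if_match:
            raise SyncConflict(blob, self.blob, self.etag)
        self.blob, self.etag = blob, hashlib.sha256(blob).hexdigest()[:16]
        return self.etag


class Device:
    """One install of the app; `last_etag` is the remote version it last saw."""
    def __init__(self, store):
        self.store, self.last_etag, self.pending = store, None, None

    def pull(self):
        blob, self.last_etag = self.store.get()
        return blob

    def push(self, ciphertext):
        try:
            self.last_etag = self.store.put(ciphertext, self.last_etag)
            return "uploaded"
        except SyncConflict as conflict:
            self.pending = conflict   # keep both versions for the user to pick from
            return "conflict"

    def resolve(self, keep):
        # The user chose a version: adopt the remote ETag, then upload the winner.
        # If the remote moved again meanwhile, this reports "conflict" once more.
        self.last_etag, self.pending = self.pending.remote_etag, None
        return self.push(keep)
```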

What Sync Does Not Protect Against

Sync's zero-knowledge property applies only to the provider. Threats this model does not address:

  • Compromised device — if your device is unlocked and an attacker has access to it, they can reach the decrypted vault in memory. This is a device security problem, not a sync problem.
  • Compromised cloud account — if your Apple ID or Google account is taken over, the attacker obtains the encrypted vault file. They still need your master password or Recovery Kit to decrypt it. This is why master password strength matters independently of sync provider security.
  • WebDAV transport security — use HTTPS for your WebDAV endpoint. HTTP over a public network exposes the encrypted vault file to interception; the ciphertext is still unreadable without the key, but transport encryption is best practice.

Sync Is Optional

Sync is not required to use RabbitKey. The vault functions entirely locally without any cloud connection. Sync adds convenience (multi-device access, offsite encrypted copy) but also adds dependency on a third-party service. The choice is yours.