BY TECHNOBLEST · ARPASS.IO

Arpass — Passwords + Files, Encrypted Forever

Passwords + Files. Forever Encrypted.
Passwords + Files. Forever Encrypted.

Blockchain-backed permanent storage. Even if we shut down, your data survives.
Password manager + file vault (OCR auto-fills accounting docs).
Free to start, ~$0.03 per save. Files under 100 KiB are free.

No credit card required
Works in your browser only
Automated security scanning (CodeQL, Dependabot, regression grep)
USE CASES

Passwords. Receipts. Contracts. Anything you want to keep forever.

Start with password management. Auto-fill receipts via OCR. Any file type supported (PDF / image / text / Word / Excel...).

🔐
Password Manager
2-of-3 recovery, Passkey support, multi-device. A Bitwarden / 1Password alternative.
🧾
Receipts + OCR Auto-fill
Snap a receipt photo or upload PDF. Date / amount / vendor are auto-extracted. Compatible with Japan's electronic bookkeeping law.
📜
Contracts & Any File
PDF / Word / Excel / image / text / etc. — encrypted permanently. Up to 1 MB per file, files under 100 KiB are free.
🏥
Medical & Private
Health check reports, prescriptions, sensitive family records. Client-side encryption — even cloud providers can't see your data.

💡 OCR is optional, available when you configure your own OpenAI API key (images are sent directly to OpenAI, never via Arpass server).
You can also use Arpass without OCR for fully manual entry.

SECURITY MODES

You choose how to hold the keys.

Arpass offers two ways to hold your keys. You can start right away without a YubiKey, or rely on YubiKeys alone.

🔑
Standard mode (2-of-3)
Master password + passkey + Recovery Secret. The passkey can be a synced passkey (iCloud / Google) or a YubiKey. The basic mode anyone can start with right away.
🔐
YubiKey-only mode
No master password and no paper Recovery — just touch a registered YubiKey. Nothing to memorize. For those who want everything anchored to a physical key (two or more YubiKeys).

→ Read the YubiKey buying guide

PROBLEM

Password fatigue is a global problem.

The average user manages 100+ accounts, with 70% reused across sites. Stolen passwords remain the #1 cause of data breaches.

100+
Average accounts
managed per person
72%
Of Gen Z reuses
the same password
22%
Of breaches start with
stolen credentials
1 Industry estimate as of 2025 (Freemindtronic, 2025). The password manager industry reports 100-150 per person.
2 Bitwarden World Password Day Global Survey 2025 (2,391 employed adults across Japan, US, UK, Germany, France, and Australia).
3 Verizon 2025 Data Breach Investigations Report (analysis of 22,000+ incidents, stolen credentials are the top initial access vector).

And existing password managers leave these worries unanswered:

  • What happens to your passwords if the company shuts down?
  • If their cloud is breached, what leaks even though it's encrypted?
  • If you forget the master password, is losing everything the only option?
  • If you lose your phone, can you really not access anything else?
HOW IT WORKS

Encrypt in your browser. Persist on the blockchain.

All encryption happens in your browser. We never see the contents. The encrypted blob is stored on Arweave — a decentralized storage network — and never disappears.

🔑

1. Master password

Remember just one password.
Keys are derived in-browser.

🔒

2. Encrypt in your browser

Your password collection
is encrypted on-device.

3. Persistent storage

Written to Arweave,
replicated across networks.

🌐

4. Decrypt anywhere

Access from any browser
in the world.

The operator can see neither your drive contents nor your personal data. Only an anonymous ID and a usage record exist on our side.
WHY TECHNOBLEST

Four guarantees existing services structurally can't make.

Blockchain × zero-knowledge encryption × deterministic ID derivation. This combination delivers strength no other service can.

Survives our shutdown

Encrypted data lives on Arweave forever. Even if Technoblest goes out of business, you can recover your data on your own using our published spec and client code. This is Exit Strategy by Design.

🛡 Zero personal data with us

We keep only an anonymous ID and a usage record. Name, email, address, drive contents — none of it is visible to us. Less than 1% of what a typical password manager holds.

💰 $0.03 per save — pay only when you use it

No monthly fee. No subscription fatigue. Reading and copying are free. Only adding or changing entries adds ≈{perWrite} to your usage, billed after use. Typical usage costs around $0.65 a year.

Recoverable even if you forget

2-of-3 recovery: any two of {Master password, Passkey, Recovery Secret} can restore access. Other services say "forgot it? game over." We can recover.

CRYPTOGRAPHIC STRENGTH

Arpass strength, in numbers.

Since the data sits on a public blockchain, anyone in the world can see the ciphertext. Here's why it's still safe — with concrete numbers.

2/3factors required

Ciphertext alone is useless

Even if attackers see the ciphertext on Arweave, they can't decrypt a single bit without 2 of 3 factors: master password × Passkey × Recovery Secret. The Passkey lives inside the device's Secure Enclave and cannot be exfiltrated without biometric auth. Arpass operators hold no keys.

100M years

Worst case: Recovery Secret leaked

Only if the printed Recovery Secret is physically stolen can an attacker even begin brute-forcing your master password. Even then, a 12+ character master password would take ~1 million years against 100 Bitcoin-miner-class ASICs ($300K investment). 10 characters: 120 years.

2040+

Safe past quantum computers

AES-256 retains 128-bit effective security under Grover's algorithm. Even after cryptographically-relevant quantum computers arrive (NIST estimates 2030–2040), your vault remains unbreakable.

1025years

Recovery Secret itself outlasts the universe

The Recovery Secret is a 160-bit machine-generated random (not a memorized password). Brute-forcing it directly takes ~4.6×10²⁵ years against 100 ASICs — 3 quadrillion times the age of the universe. About 10¹⁹ times stronger than the master password's "1 million years" — physically protect the paper and you're effectively unbreakable.

* The "1 million years" figure assumes a 12+ character alphanumeric+symbol master password and Argon2id (memory-hard, 64 MiB / t=3 / p=4), in the worst case where the Recovery Secret has been physically stolen. Brute-forcing the Recovery Secret itself (160-bit random) directly is on the order of 10²⁵ years, so the only realistic attack path is breaking the master password. Without any factor leaked, the ciphertext alone gives attackers no foothold at all. The Passkey is held in the Secure Enclave and cannot be extracted without biometric authentication, so the only realistic leak vector is the printed Recovery paper. Weak passwords (8 characters or fewer) may be broken in days to weeks. See arpass-spec and Help for the full math.

PRICING

Postpaid. Only what you use.

Try the full feature set free. When you're ready to add more passwords, top up with a small one-time charge.

from $0.03
/ per write (approx.)
Free to start. Your data, yours forever. Only ~$0.03 when you use it.

料金プラン

Pay only for what you use — later, whenever you like, all at once. Just a $2 registration. No monthly fee, no subscription.

💡 Files under 100 KiB are free.
ArDrive Turbo's Free Tier (sponsoring uploads under 100 KiB) is passed through directly. When the actual cost is $0, your Arpass cost is $0 too.
Typical use cases — small receipts, config files, memos — often don't incur per-write charges.

* Write costs above 100 KiB are linked to the AR token market price (Arweave permanent storage infrastructure). Packs are credited to your balance in USD at purchase and consumed at the current rate per save. Actual cost varies with file size and AR price (estimate: vault update ~$0.03, 200 KiB receipt image ~$0.05, 500 KiB ~$0.07, 1 MB ~$0.15). Larger files get less bundling discount, so compress images when you can. Any over-estimate is refunded immediately after the write.

How Arpass compares

Feature Arpass Commercial cloud Open source OS built-in
Typical annual cost $2 $35+ $10+ Free
Survives provider shutdown × × ×
Self-recovery without provider × × ×
Recoverable after password loss × ×
Provider can't see PII × × ×
Works in browser only ×
Client crypto code published × ×

Prices shown in USD for reference. All charges are in JPY (Japanese Yen) — your card converts at current rates.

ROADMAP

Your permanent storage — passwords through documents.

Arpass is a personal encrypted secure drive on the blockchain.
Password manager + permanent file storage (any type). Receipts and invoices auto-filled via OCR.
Timestamp / proof-of-existence and more, coming soon.

Password manager
2-of-3 recovery, Passkey support, multi-device. Available now.
Available
File storage + Receipt OCR
Store receipts, invoices, contracts, medical records, or any file encrypted. Accounting docs auto-fill via BYO-key OpenAI Vision OCR.
Live
📜
Digital will & last messages
Workflows that combine external trust services and lawyers to pass on to your heirs.
Q4 2026
Timestamping & proof of existence
Third-party-verifiable proof that a document existed at a specific time, on Arweave.
Under consideration
FAQ

Frequently asked questions

If you have technical questions, you'll likely find answers here.

Will my data really survive even if you shut down?
Yes. Your passwords are encrypted and stored on Arweave, a decentralized storage network replicated across miner nodes worldwide. They survive even if Technoblest goes out of business. Furthermore, the client-side cryptography code and specification are published under AGPL-3.0 at github.com/technoblest/arpass-spec, so third parties can build recovery sites or you can run the code yourself to retrieve your data.
What happens if I forget my master password?
Through 2-of-3 recovery, you can set a new master password if you have both your Passkey (device biometric) and Emergency Kit (the paper Recovery Secret issued at registration). We strongly recommend printing the Emergency Kit and storing it in a secure location (like a locked drawer).
What information do you actually hold?
Arpass servers keep only a 22-character anonymous identifier (public-key hash), a usage record, and write metadata (the latest Arweave transaction ID etc.). No name, email, address, drive contents, activity history, or IP logs. Less than 1% of what a typical password manager holds.

Payment details (name, email, card number) are handled directly by Stripe and never reach Arpass.
How do I receive a receipt?
After each payment, Stripe automatically emails you a receipt. Arpass is not involved in this process, so your email address never reaches us.

Stripe also supports Japanese qualified invoices. If you need a formal invoice for business use, contact support.
Can I get a refund? Who do I contact?
Yes. From the link in your receipt email, access Stripe's hosted portal and request a refund directly. You don't need to disclose your email to Arpass.

If you contact support directly, we'll temporarily hold your email for handling purposes (after resolution, it's not stored in the product database).
You mention ~$0.03 per save — am I charged each time I view?
No. Reading and copying are always free. Your usage only grows when a write to the drive happens — adding, changing, or deleting a password. Even before you pay, reading your existing passwords is possible forever.
What encryption algorithms do you use?
Symmetric encryption uses AES-256-GCM (authenticated encryption), key derivation uses Argon2id (memory-hard, 64 MiB / t=3 / p=4), key composition uses HKDF-SHA256, Passkey integration uses the WebAuthn PRF extension, and request authentication uses ECDSA P-256. Everything is implemented with the browser-standard Web Crypto API; no external libraries.

Furthermore, the signing private key itself is stored locally on-device encrypted with AES-256-GCM using Passkey PRF output (v4.1). Even if your browser profile is stolen, decryption requires Passkey biometric authentication, so attackers cannot steal write permissions. Full client-side crypto code and the specification are published under AGPL-3.0 at github.com/technoblest/arpass-spec.
Is it really safe to store on the blockchain? Will the encryption be broken in the future?
Encrypted data being on public storage is part of the design. To decrypt, you need at least 2 of the 3 factors: Master password × Passkey × Recovery Secret. We plan a phased migration to post-quantum cryptography to address future risks from quantum computers.
Which devices and browsers are supported?
Arpass works only on devices and browsers that support Passkey + WebAuthn PRF extension:
  • iOS / iPadOS: Safari 17 or later
  • Android: Chrome 13 or later
  • macOS: Safari / Chrome / Edge on macOS 14 (Sonoma) or later
  • Windows: Windows 11 + latest Chrome / Edge (Windows Hello integration)
  • Linux: Latest Chrome / Edge with platform authenticator
Not supported: Firefox (no PRF extension), Tor Browser, Internet Explorer, Android < 13, iOS < 17.

Mobile browsers work fully. Passkey supports iOS Face ID / Touch ID and Android biometrics. Native apps are planned for V2 or later.
Can I use Arpass on a device without Passkey support?
No. Arpass intentionally drops master-password-only mode. The reason is to guarantee that even users with weak passwords cannot have their public-storage ciphertext decrypted. By requiring Passkey + WebAuthn PRF, we provide a uniform security floor for all users, independent of password strength.

If you don't have a supported device, you'll need to access from one of the supported devices listed above. We plan to expand supported devices, but we won't allow signup in Passkey-unsupported environments (this would break the security model).
What happens if I clear my browser data (history, cookies, site data)?
The device-local identifiers (encrypted private key, Passkey credential ID, etc.) are wiped, but your actual data persists on Arweave and isn't lost.

Recovery is the same as device-switching: from the "📲 Restore vault from another device" screen, enter both your master password and Recovery Secret to reconnect to the same drive. Your Passkey gets re-registered on this device.

The Recovery Secret is displayed only once at registration and is never stored on the Arpass side. Please write it down on paper and store securely.
Have you been audited?
We operate on a Best Effort + transparency policy. Current posture (Tier 1):
• Full disclosure of client-side crypto code (arpass-spec, AGPL-3.0)
• GitHub CodeQL static analysis automated in CI (detects XSS / SSRF / insecure randomness, etc.)
• GitHub Dependabot for automatic vulnerability detection in dependencies
• Regression-prevention grep tests (mechanically guards in CI against accidental removal of v4.1 invariants)
• HTTP security headers A+ (SSL Labs / Mozilla Observatory / SecurityHeaders.com)
• Vulnerability disclosure channel (SECURITY.md) and Bug Bounty program

As the user base grows, we plan to escalate to Tier 2 (lightweight audit by independent crypto consultants) → Tier 3 (formal audit by mid-size specialty firms).

We cannot promise "absolute" safety — there's no "absolute" in cryptography (quantum computers, undiscovered mathematical attacks, implementation bugs always pose risks). This service meets industry-standard levels by providing best-effort security + high transparency + independent verifiability. For extremely high-importance accounts (primary financial institutions, government-issued ID related, primary email accounts, etc.), we strongly recommend distributing risk by using multiple password managers in combination with Arpass rather than relying on Arpass alone.
What does the name "Arpass" mean? What is "Ar"?
Ar = Archive (permanent storage). Taken from Arweave, the decentralized storage that powers Arpass. Arweave itself was originally named "Archain" (Archive + Chain) — a decentralized blockchain whose mission is permanent data preservation.

Poetically, we also embrace the "Ark" metaphor — as our tagline "Your password, on the Ark." implies, a vessel of password preservation that survives anything. Both "Ar" and "Ark" interpretations align with Arpass's permanence mission.

Arpass = Ar + pass = "permanently archived pass(word)" — the design philosophy compressed into one brand name.
What are Arweave / ArDrive / Turbo? What are their roles?
Arpass's infrastructure consists of 3 layers:

Arweave: A decentralized permanent storage blockchain. Pay once, data lives forever (lump-sum prepayment model). Replicated across miner nodes worldwide; data persists even if Technoblest dissolves. This is the physical foundation of Arpass's permanence.

ArDrive: A company providing file management services in the Arweave ecosystem. Also operates Turbo. Arpass partners with ArDrive to optimize data writes, but the architecture allows switching to other bundlers (e.g. Irys) or self-hosted bundling at any time.

Turbo: ArDrive's bundling service. Aggregates many small data items into single Arweave transactions for cost reduction and speed. Essential for keeping each password write (on-chain ~110 KiB) at about $0.33.

Summary: Arpass provides the password management UI → Turbo (operated by ArDrive) bundles for speed → Arweave stores permanently.
Can anyone track my writes on Arweave? How is anonymity handled?
Encryption is the primary defense. What's stored on Arweave is "a byte sequence that nobody but you (the key holder) can decrypt". Arpass operators included, no one can read your data.

This is the same model used by Bitcoin, Ethereum, and other blockchains. Blockchain design assumes anyone can download the stored data; security comes from strong cryptography protecting the contents. Arpass follows the same principle: AES-256-GCM double encryption + 2-of-3 key management protects your data.

How well the existence of a write is hidden depends on your plan:

Personal: Arpass operates a wallet pool shared among multiple users. On Arweave GraphQL you'll see writes from multiple users emerging from the same wallet address — but there's no way to tell whose, and the contents are unreadable.

Business / Team: A dedicated wallet is exclusively assigned to your company or family. The address is never disclosed externally, making the very existence of your team's writes hard to discover on Arweave.

Across all plans, "encrypted data, even if obtained, cannot be decrypted" is the final defense. Wallet sharing or exclusivity is an additional layer protecting observability.

See Security & Trust hub for details.
Can I store receipts and invoices? What is OCR?
Yes — through the Files tab, you can encrypt and permanently store PDFs, images, and any file. It's ideal for accounting documents (receipts, invoices, contracts, health check reports, etc.).

OCR (Optical Character Recognition) is an optional feature that auto-fills date, amount, counterparty, description, and tags from uploaded images / PDFs. You'll need to provide your own OpenAI API key (images are sent directly to OpenAI; Arpass servers are not involved).

You can use Arpass without OCR via manual entry. Configure your API key in Settings (⚙️) to enable the OCR button.
Is it really free for files under 100 KiB?
Yes. Arweave's bundling service (ArDrive Turbo) sponsors files under 100 KiB, and Arpass passes that benefit directly to you.

Small receipt images (~200 KB after compression), text notes, config files, and transcribed receipts can be stored permanently for free (if compressed below 100 KiB).

Files of 100 KiB or more add an AR-linked amount to your usage at that day's rate, paid after use (~{costMax} for a 1 MB photo). If the actual cost is lower than the estimate, the difference is deducted from your usage immediately.
Can I store photos taken with my iPhone? They're big though, right?
Yes. iPhone photos are typically 2-5 MB, but Arpass's Compress button shrinks them to 200-500 KB before storage (you can also save originals, but the storage limit is 1 MB).

Compression happens fully client-side (in your browser); images are never sent externally. HEIC format auto-converts to JPEG via iOS Safari.

Acceptance limit 30 MB / storage limit 1 MB. Flow: select file → preview shown → click "🗜️ Compress" button.
Can I recover a file if I delete it by mistake?
Arpass uses logical deletion (tombstone): the original data and the file body on Arweave are preserved permanently — only hidden from the list view. Deletion events are recorded in the audit history (compatible with Japan's electronic bookkeeping law).

Arweave is an immutable blockchain, so physical deletion is impossible — but this also means "the trail remains for tax audits."

A restore UI for accidentally-deleted files is planned, but the Arweave data is safe regardless, so technical recovery is always possible.
Are you compliant with Japan's electronic bookkeeping preservation law?
Arpass's file storage feature is designed with the law's truthfulness / searchability requirements in mind:

Searchable: by transaction date / amount / counterparty (Article 4). Japanese-normalized search included.
Truthful: corrections / deletions are recorded as an append-only audit history. Tamper-proof via Arweave blockchain.
Related document linking: tag-based associations between documents.
CSV download: tabular export for tax audits.

However, we have not received formal certification from Japan's National Tax Agency (e.g., JIIMA). For strict legal compliance, consult a tax accountant. Arpass provides a compliant technical foundation, but final compliance depends on the customer's operational practices.

End password fatigue.

Start free. Your data is yours forever. Just remember your master password and access from anywhere in the world.