πŸ“– Arpass β€” User Guide
β†’ Open drive

User Guide

How to use Arpass, organized by scenario.

Contents

πŸ“š Learn more: How to choose a YubiKey or passkey is covered in our guide articles.

πŸ†• First-time use

The initial flow for creating your secure drive.

Visit arpass.io. The "Create secure drive" screen appears.
Enter a master password twice. This is your Arpass login password β€” never share it, and remember it.
Click "Create secure drive". Then register a Passkey (device authentication) using Touch ID / Face ID.
The Recovery Secret is displayed only once (format: RS1-XXXX-XXXX-…). Store it in a safe place.
Click "I understand" to enter the drive.
πŸ”‘ Protect your keys (Passkey) and Recovery Secret
The easiest way to open your drive on a new device is a synced passkey (iCloud Keychain / Google Password Manager) or a security key such as a YubiKey. With one of these, a new device opens with just "master password + passkey" (no Recovery needed).

πŸ”“ Daily use

Retrieve a password

Visit arpass.io β†’ lock screen
Enter master password β†’ authenticate with Touch ID / Face ID
The password list appears. Use the search box to filter by site name.
Click an entry β†’ detail view. Use "πŸ‘ Show" to reveal the password, "πŸ“‹ Copy" to copy to clipboard.

Save a new password

Click "+ Add new"
Enter site name, URL, username, and password. Use "🎲 Generate" for a strong password.
Click "Save" to write to Arweave (consumes 1 credit)

πŸ“„ File Storage

Store PDFs, images, and any file encrypted forever. Ideal for accounting documents (receipts / invoices / contracts / health check reports). Compatible with Japan's electronic bookkeeping law's searchability requirements (date / amount / counterparty).

Adding a file

Open the "πŸ“„ Files" tab at the top of the app
Click "+ Add file"
Pick a file (PDF / image / text / Word / Excel etc., up to 30 MB)
Preview appears. For large images, use "πŸ—œοΈ Compress" to shrink (200-500 KB typical)
Enter Counterparty or Title (one of them required); date / amount / currency are optional
Click "Save" to encrypt + write to Arweave

πŸ’‘ Files under 100 KiB cost \$0 (Turbo Free Tier passed through). A 1 MB photo costs ~\$0.13. If the actual cost is below the estimate, the difference is refunded instantly.

OCR auto-fill (optional)

Auto-extract date / amount / counterparty / description / tags from receipt or invoice images / PDFs. Requires your own OpenAI API key (images are sent directly to OpenAI; Arpass servers are not involved).

Get an API key at platform.openai.com/api-keys
In Arpass Settings (βš™οΈ) β†’ bottom section "πŸ“· Receipt OCR (optional)" β†’ enter key β†’ "Save & Verify"
When you pick an image / PDF, the "πŸ“· Auto-fill from image (OpenAI)" button appears
Click to extract; ~\$0.005 per image charged to your OpenAI account
Empty fields are filled automatically (always overwrites β€” review and edit as needed)

Searching files

Search box at top: filter by date / amount / counterparty / title β€” instant narrowing
Click "πŸŽ›οΈ" for advanced filters: date range, amount range, counterparty/title, type, tags, AND-combined
Japanese counterparty searches use NFKC + hiragana⇄katakana normalization ("セブン" matches "せぢん")

Correcting and deleting files

Click a row in the file list β†’ detail modal opens
"✏️ Edit" button for correction (reason required, recorded append-only)
"πŸ—‘οΈ Delete" button for logical deletion (reason required; original and Arweave data preserved)
"πŸ“œ History" button shows the audit log (creation / corrections / deletions all visible)

πŸ“‹ Correction/deletion history is append-only, useful as evidence for tax audits (compatible with Japan's electronic bookkeeping law). Physical deletion isn't possible, but this also means "the trail is preserved" β€” a legal advantage.

Downloading as CSV

Click the "πŸ“₯ CSV" button in the Files tab header
All file metadata downloads as arpass-files-YYYY-MM-DD.csv
UTF-8 BOM ensures Japanese text doesn't break in Excel / Numbers / Google Sheets
Columns: id / type / date / counterparty / title / amount / currency / description / tags / createdAt / version / txId / sha256 / arweave_url

πŸ“± Device switch (Open the same drive on a new device)

When you've bought a new iPhone or Mac and want to access your existing drive. If you have a synced passkey or a security key (YubiKey), you can open it with just your master password and passkey β€” no Recovery needed.

Open arpass.io on the new device β†’ click "πŸ“² Restore a vault created on another device"
If you have a synced passkey (iCloud Keychain / Google Password Manager) or a YubiKey: click "πŸ”‘ Restore with passkey + Master Password (no Recovery)", enter your master password β†’ authenticate with the passkey. No Recovery is needed.
If you don't have a passkey on hand: enter your master password + the paper Recovery Secret (πŸ“· QR scan also works).
Once unlock succeeds, a dedicated Passkey is automatically registered on this new device.
From now on, this device unlocks with just "master password + Touch ID / Face ID".

πŸ”‘ Forgot master password

You forgot the password you memorized, or maybe changed it by mistake.

On the lock screen, click "πŸ”‘ Forgot Master β†’ Reset with Passkey + Recovery"
Enter the paper Recovery Secret (πŸ“· QR scan also works)
Authenticate via Passkey with Touch ID / Face ID
The "Set a new master password" prompt appears β†’ enter a new password
The drive opens + the new password is automatically applied to each wrap
πŸ’‘ Setting or changing your master password creates one new Passkey on this device (the old Passkey can no longer unlock, so you can delete it from "Manage registered devices" if you no longer need it). If you use a synced passkey, on your other devices you just pick the new Passkey and enter the new password next time. If each device has its own Passkey, re-open on those devices with "new password + Recovery Secret".

πŸ” How to save the Recovery Secret

When you create a vault, the Recovery Secret is shown only once. Pick the right method from the 4-tier picker in the app based on your environment.

πŸ† BEST β€” Print on paper

Click "πŸ–¨ Print now" β†’ browser print dialog β†’ print on paper
Keep in a safe or locked drawer, physically secure
Store it in a different place than your master password

πŸ’‘ Print later is also available. But you must print before proceeding (= it's shown only once).

πŸ₯ˆ GREAT β€” Switch to YubiKey-only mode

A mode where the Recovery Secret itself doesn't exist. For physical-security-focused users. See πŸ” YubiKey-only mode.

πŸ₯‰ OK (mobile / PC compatible) β€” Save image

The "πŸ“Έ Save image" button creates a PNG (= Recovery Secret + QR code). On mobile, save via the share sheet to iCloud Photos / Google Photos. On PC, it's downloaded to your Downloads folder.

⚠ Requirement: E2E encryption ON
You need iCloud Photos Advanced Data Protection, or Google One Backup E2E encryption ON before saving. Without this, Apple / Google still have technical access.

iCloud ADP check: Settings β†’ [Apple ID name] β†’ iCloud β†’ "Advanced Data Protection" ON.
Google E2E backup check: Google account β†’ Backup β†’ "End-to-end encryption" ON (Android 13+ partial support).

🚫 Avoid

πŸ“² How to restore later

To restore on a new device:

Open arpass.io on the new device β†’ "πŸ“² Restore a drive created on another device"
Enter master password β†’ tap the πŸ“· QR scan icon
In the QR scanner, tap "πŸ–Ό Scan image" (= NEW)
Select the saved PNG image β†’ Recovery Secret is read and filled in
Drive unlocks

πŸ†˜ This device's Passkey is gone

When the Passkey is gone β€” e.g. Mac Keychain was reset, you cleared browser data, etc.

On the lock screen: "πŸ“± Lost Passkey β†’ Unlock with Master + Recovery"
Enter master password + paper Recovery (QR scan OK)
Unlock succeeds β†’ Settings β†’ "πŸ” Register Passkey on this device" to create a new Passkey
From now on this device can unlock with "master password + Touch ID" again

πŸ” YubiKey-only mode

A mode that opens your drive with a security key such as a YubiKey alone β€” no master password and no Recovery Secret. There is nothing to memorize: just touch any one of your registered YubiKeys to unlock. It is an advanced option for people who want to rely entirely on a physical key.

πŸ’‘ More on YubiKey itself: What is YubiKey and how to choose one / Price tiers explained / Using with Arpass

⚠️ Please read before creating
YubiKey-only mode has no master-password fallback and no Recovery Secret. If you lose all of your registered YubiKeys, the drive can never be opened again (we cannot recover it either).

Create a YubiKey-only drive

Open arpass.io β†’ on the "Create a secure drive" screen choose "πŸ”‘ Use YubiKey only"
Choose how many YubiKeys to register (two or more)
Tick the checkbox confirming you understand the drive cannot be recovered if all YubiKeys are lost
Press "Create in YubiKey mode" and, following the prompts, insert (or tap via NFC) and touch your first YubiKey
Register the remaining YubiKeys one by one (you will be prompted to swap keys)
Once all are registered the drive is created and opens straight away

Open it on another device

On the other device open arpass.io β†’ click "πŸ“² Restore a secure drive created on another device"
Choose "πŸ”‘ Open your drive with a YubiKey from another device"
Insert (or tap via NFC) and touch any one of your registered YubiKeys
The drive opens β€” no master password and no Recovery needed

Add a YubiKey

With the drive open, go to Settings (βš™) β†’ open the "πŸ”‘ Registered YubiKeys" section
Press "+ Add a YubiKey"
First touch one of your already-registered YubiKeys to confirm it is you
Then swap to the new YubiKey you want to add and touch it
The new YubiKey is registered and can open the drive from then on

πŸ“² Set up another device fast with a device-add code

From a device that can already unlock, pass <strong>credentialId and Arweave index tag</strong> to another device (= one that should also unlock with the same YubiKey). This is faster and more reliable than "Open with another device's YubiKey". On Android Chrome it is effectively required because of a Chrome bug that prevents the normal picker from working.

πŸ’‘ Security: The code contains only public info (credentialId + Arweave tag). It does not include PRF / crypto keys / Recovery / Master, so even if leaked, no one can unlock without the physical YubiKey. Treat it as ephemeral (delete after pasting) for cleanliness.
Display side (already-unlocked device): With the drive open, Settings (βš™) β†’ "πŸ”‘ Registered YubiKeys"
Tap "πŸ“² Show code for another device"
A string starting with "AP1...." and a QR code appear
Input side (new device): On the arpass.io create screen, tap "πŸ“² Open with device-add code (AP1....)" link at the bottom
Paste the code OR tap the πŸ“· button to scan the QR via camera
Tap "Apply code β†’ Open with YubiKey" and touch your YubiKey
Unlock completes, and this device can now unlock normally going forward
πŸ’‘ Use cases: (1) Make Android Chrome work (required), (2) On Mac/Win/iPhone too, skip picker tap for faster setup, (3) Standard route when rolling out one YubiKey across many devices. Works any device β†’ any device.
πŸ’‘ About Safari on Mac: Safari on Mac implements WebAuthn differently from other browsers, so a YubiKey drive created or used in Mac Safari becomes Mac-Safari-only and cannot be opened in Chrome, Edge, iPhone, or Android (and vice versa). To share the same drive across several environments, use a browser other than Safari (Chrome / Edge) on your Mac.

🏒 Sign up as an employee (Business mode)

If your company has deployed Arpass, you receive an invite code from the admin to join. Employees don't hold Recovery themselves β€” the admin manages it centrally (password loss / device loss recovery is performed via admin approval).

Get the invite code from admin (e.g., ARPASS-XXXX-XXXX) β€” in person / Slack DM preferred, share only the code, not a URL
Open arpass.io β†’ click 'πŸ“² Employees: join with a code'
Enter the invite code in the prompt β†’ moves to create view + yellow banner '🏒 Employee mode signup'
Set your master password (memorize it β€” admin does not know it)
'Create the company vault' β†’ Touch ID to create Passkey
Lands on vault view. Recovery is auto-sent to admin (never shown on screen)
πŸ’‘ The admin must have opened the app at least once (so their public key is registered on server). If you see 'Failed to join company or send Recovery', ask the admin.

πŸ“² Employee device-add / total lockout recovery

If an employee wants to add a new device or has lost all their devices, the admin issues a <strong>device-add code</strong> (8 chars, valid 5 min). It's bound to the employee + single-use + IP rate-limited.

Employee contacts admin to 'add a new device'
Admin tab β†’ employee row β†’ 'πŸ“² Device-add code' β†’ 'Auto-approve?' (recommended: Cancel = manual approval required)
Admin sees the 8-char code β†’ relays to employee in person / Slack DM (code only)
Employee opens arpass.io on new device β†’ 'πŸ“² Employees: join with a code' (or the same button on the 'Get started' view if picker is empty)
Enter code β†’ device name β†’ master password (the one set at signup) β†’ 'Redeem code'
Progress view (big spinner + 10:00 countdown) shows the wait for admin approval
Admin tab's inbox shows 'πŸ“² Device-add' request β†’ 'βœ… Approve' (auto-approve mode handles automatically)
Employee device auto-unlocks the vault + registers Passkey β†’ vault view + toast 'βœ… This device is registered'
πŸ’‘ Even if the device-add code is stolen, with auto-approve OFF the admin must approve, providing one defense layer. Admin can also see the requesting IP in the inbox.

πŸ’³ Fees & payment

Billing is postpaid. Each save operation (add, edit, delete) adds that day's rate to your usage, and you can pay it all at once whenever you like. Reading and copying are free.

With the drive unlocked, click "πŸ’³ Balance" in the upper-right header
The pack selection modal opens (Starter / Standard / Heavy / Business / Family)
Click a pack β†’ Stripe checkout opens in a new tab
Enter credit card info β†’ complete payment
The new tab auto-closes and you return to the drive β†’ toast: "βœ… +N credits applied"
πŸ’‘ Your unlocked state is preserved. No re-login required during payment.

πŸ”„ Reissue Recovery Secret

When you want to renew Recovery β€” paper lost, suspect the old Recovery has leaked, etc.

Drive screen β†’ Settings (βš™ icon) β†’ "Reissue Recovery Secret" section
Enter your current master password
Choose between two modes:
  • A. Light (recommended): For when paper is lost but you suspect no theft. Fastest, no server operation.
  • B. Full (suspected theft): For when the old Recovery may have leaked. Re-encrypts the body and switches to a new account identifier.
Click "Issue new Recovery Secret"
The new Recovery appears on screen β†’ always print and store safely
Difference between Case A and B (important):

πŸ” Manage registered devices

Check which devices have Passkeys registered, rename them, or remove them.

Drive screen β†’ Settings β†’ "πŸ” Registered devices" section
The list of registered devices appears (this device is highlighted in yellow)
"Rename" button: change to a meaningful name (e.g., "Mac Studio", "iPhone 15")
"Remove" button (devices other than this one): unbind that device's Passkey from the vault
Limit of removal: if a copy of the MEK remains on the removed device, past Arweave data can still be decrypted. Complete invalidation requires Recovery Secret reissue (Case B, MEK rotation).

❓ FAQ

What if I lose all three: master password, Passkey, and Recovery?

You cannot recover. Arpass operations does not retain anything, so we cannot help. This is the cost of zero-knowledge design β€” we cannot see anyone's passwords, but losing all 3 factors means complete loss.

Losing 2 is still recoverable (the remaining 1 can restore). Before losing all 3, copy the Recovery Secret to multiple locations.

Can operations see my passwords?

No. All encryption happens in your browser, and the body stored on Arweave is double-encrypted before passing through Cloudflare servers.

  • Inner: AES-256-GCM (key = MEK, randomly generated, never sent to the server)
  • Outer: AES-256-GCM (key = HKDF(Recovery Secret), the Recovery Secret is also never sent to the server)
  • What the server sees: encrypted random bytes (undecodable) + balance info

Details verifiable at the code level on the public mirror arpass-spec (AGPL-3.0).

Does the encrypted data on Arweave remain forever?

Yes β€” Arweave is permanent storage, so written data does not disappear. This is both a benefit ("your passwords still exist 200 years later") and a drawback ("past data remains forever").

Even if you change a password, the old ciphertext remains on Arweave. But the old ciphertext can only be decrypted with the old MEK, which only you know. After a Recovery Secret reissue (Case B), subsequent writes are encrypted with a new key unrelated to the past.

How much does it cost?

Adding, editing, or deleting a password each consumes 1 credit. Saving 10 passwords β‰ˆ 10 credits. The "Starter 100" pack ($2) is enough for daily use. Most users only need to buy a pack once or twice a year.

Is it OK to save the QR code as a photo?

OK under conditions. Save via the in-app γ€ŒSave image」 button, then ensure your iCloud Photos has Advanced Data Protection ON, or Google One Backup has E2E encryption ON. This makes the photo unreadable even to Apple / Google.

Without these E2E settings, regular cloud sync leaves the provider with technical access β€” paper printing is strongly preferred.

For maximum safety, switch to YubiKey-only mode β€” no Recovery Secret needed at all.

What if I edit on multiple devices simultaneously?

Arpass uses optimistic concurrency control, so the second device to save gets an "Updated on another device" error. Unlock again to fetch the latest version, then re-edit.

πŸ›‘οΈ Security best practices

Arpass uses 2-of-3 decryption (any 2 of: master password + Passkey + Recovery Secret can decrypt). By design, leaking only 1 factor does not decrypt the vault. However, simultaneous leakage of multiple factors is dangerous. Follow these guidelines.

βœ… Recommended

❌ Avoid

⚠️ Unsuitable use cases

This service is a general-purpose password manager for individuals and small businesses. It is not suitable for:

We bear no responsibility for any damage arising from use of this service in these scenarios. See the Terms of Service for details.

🚨 If you suspect a leak

If either the master password or the Recovery Secret may have leaked, act immediately:

  1. Master only: Settings β†’ "Change master password"
  2. Recovery only: Settings β†’ "Security incident response" β†’ Recovery reissue (Case A, light)
  3. Both, or device theft: Settings β†’ "Security incident response" β†’ Recovery reissue (Case B, MEK rotation invalidates wraps on the lost device and old Recovery)

See the Security incident response in the Settings of the app screen for details.

πŸ”¬ Cryptographic design overview (advanced)

Arpass's cryptographic design is 2-of-3 decryption. Any 2 of the 3 factors can decrypt the vault.

Decryption paths

Body encryption and outer encryption

Encrypted in two layers:

The bytes on Arweave appear as completely random; the JSON structure and algorithm names are externally indistinguishable. Even the Arweave tag name attached to each write is randomized per-user, so external observers cannot identify which transactions belong to Arpass.

With envelope v7, this outer key is also stored inside the Passkey (WebAuthn user.id). The key is protected by the Passkey hardware and never appears in public Arweave data, so a new device can decrypt the outer layer without entering the Recovery Secret.

What's on the server

The only thing stored server-side in Cloudflare KV is your usage record. Accounts are identified by a hash of your public key (ECDSA P-256); the outer encryption key, master password, and Recovery Secret never reach the server.

For the full specification: