User Guide
How to use Arpass, organized by scenario.
π Learn more: How to choose a YubiKey or passkey is covered in our guide articles.
π First-time use
The initial flow for creating your secure drive.
Visit arpass.io. The "Create secure drive" screen appears.
Enter a master password twice. This is your Arpass login password β never share it, and remember it.
Click "Create secure drive". Then register a Passkey (device authentication) using Touch ID / Face ID.
The Recovery Secret is displayed only once (format: RS1-XXXX-XXXX-β¦). Store it in a safe place.
Click "I understand" to enter the drive.
π Protect your keys (Passkey) and Recovery SecretThe easiest way to open your drive on a new device is a
synced passkey (iCloud Keychain / Google Password Manager) or a
security key such as a YubiKey. With one of these, a new device opens with just "master password + passkey" (no Recovery needed).
- The Recovery Secret is your last-resort recovery method for when you lose all of your passkeys at once. It is shown only once, so print it or note it down in a safe place.
- If you lose all three β master password, every passkey, and the Recovery Secret β recovery is impossible (Arpass does not retain them).
- Keep the Recovery Secret in a different place from your master password.
π Daily use
Retrieve a password
Visit arpass.io β lock screen
Enter master password β authenticate with Touch ID / Face ID
The password list appears. Use the search box to filter by site name.
Click an entry β detail view. Use "π Show" to reveal the password, "π Copy" to copy to clipboard.
Save a new password
Click "+ Add new"
Enter site name, URL, username, and password. Use "π² Generate" for a strong password.
Click "Save" to write to Arweave (consumes 1 credit)
π File Storage
Store PDFs, images, and any file encrypted forever. Ideal for accounting documents (receipts / invoices / contracts / health check reports). Compatible with Japan's electronic bookkeeping law's searchability requirements (date / amount / counterparty).
Adding a file
Open the "π Files" tab at the top of the app
Click "+ Add file"
Pick a file (PDF / image / text / Word / Excel etc., up to 30 MB)
Preview appears. For large images, use "ποΈ Compress" to shrink (200-500 KB typical)
Enter Counterparty or Title (one of them required); date / amount / currency are optional
Click "Save" to encrypt + write to Arweave
π‘ Files under 100 KiB cost \$0 (Turbo Free Tier passed through). A 1 MB photo costs ~\$0.13. If the actual cost is below the estimate, the difference is refunded instantly.
OCR auto-fill (optional)
Auto-extract date / amount / counterparty / description / tags from receipt or invoice images / PDFs. Requires your own OpenAI API key (images are sent directly to OpenAI; Arpass servers are not involved).
In Arpass Settings (βοΈ) β bottom section "π· Receipt OCR (optional)" β enter key β "Save & Verify"
When you pick an image / PDF, the "π· Auto-fill from image (OpenAI)" button appears
Click to extract; ~\$0.005 per image charged to your OpenAI account
Empty fields are filled automatically (always overwrites β review and edit as needed)
Searching files
Search box at top: filter by date / amount / counterparty / title β instant narrowing
Click "ποΈ" for advanced filters: date range, amount range, counterparty/title, type, tags, AND-combined
Japanese counterparty searches use NFKC + hiraganaβkatakana normalization ("γ»γγ³" matches "γγΆγ")
Correcting and deleting files
Click a row in the file list β detail modal opens
"βοΈ Edit" button for correction (reason required, recorded append-only)
"ποΈ Delete" button for logical deletion (reason required; original and Arweave data preserved)
"π History" button shows the audit log (creation / corrections / deletions all visible)
π Correction/deletion history is append-only, useful as evidence for tax audits (compatible with Japan's electronic bookkeeping law). Physical deletion isn't possible, but this also means "the trail is preserved" β a legal advantage.
Downloading as CSV
Click the "π₯ CSV" button in the Files tab header
All file metadata downloads as arpass-files-YYYY-MM-DD.csv
UTF-8 BOM ensures Japanese text doesn't break in Excel / Numbers / Google Sheets
Columns: id / type / date / counterparty / title / amount / currency / description / tags / createdAt / version / txId / sha256 / arweave_url
π± Device switch (Open the same drive on a new device)
When you've bought a new iPhone or Mac and want to access your existing drive. If you have a synced passkey or a security key (YubiKey), you can open it with just your master password and passkey β no Recovery needed.
Open arpass.io on the new device β click "π² Restore a vault created on another device"
If you have a synced passkey (iCloud Keychain / Google Password Manager) or a YubiKey: click "π Restore with passkey + Master Password (no Recovery)", enter your master password β authenticate with the passkey. No Recovery is needed.
If you don't have a passkey on hand: enter your master password + the paper Recovery Secret (π· QR scan also works).
Once unlock succeeds, a dedicated Passkey is automatically registered on this new device.
From now on, this device unlocks with just "master password + Touch ID / Face ID".
π Forgot master password
You forgot the password you memorized, or maybe changed it by mistake.
On the lock screen, click "π Forgot Master β Reset with Passkey + Recovery"
Enter the paper Recovery Secret (π· QR scan also works)
Authenticate via Passkey with Touch ID / Face ID
The "Set a new master password" prompt appears β enter a new password
The drive opens + the new password is automatically applied to each wrap
π‘ Setting or changing your master password creates one new Passkey on this device (the old Passkey can no longer unlock, so you can delete it from "Manage registered devices" if you no longer need it). If you use a synced passkey, on your other devices you just pick the new Passkey and enter the new password next time. If each device has its own Passkey, re-open on those devices with "new password + Recovery Secret".
π How to save the Recovery Secret
When you create a vault, the Recovery Secret is shown only once. Pick the right method from the 4-tier picker in the app based on your environment.
π BEST β Print on paper
Click "π¨ Print now" β browser print dialog β print on paper
Keep in a safe or locked drawer, physically secure
Store it in a different place than your master password
π‘ Print later is also available. But you must print before proceeding (= it's shown only once).
π₯ GREAT β Switch to YubiKey-only mode
A mode where the Recovery Secret itself doesn't exist. For physical-security-focused users. See π YubiKey-only mode.
π₯ OK (mobile / PC compatible) β Save image
The "πΈ Save image" button creates a PNG (= Recovery Secret + QR code). On mobile, save via the share sheet to iCloud Photos / Google Photos. On PC, it's downloaded to your Downloads folder.
β Requirement: E2E encryption ON
You need iCloud Photos Advanced Data Protection, or Google One Backup E2E encryption ON before saving. Without this, Apple / Google still have technical access.
iCloud ADP check: Settings β [Apple ID name] β iCloud β "Advanced Data Protection" ON.
Google E2E backup check: Google account β Backup β "End-to-end encryption" ON (Android 13+ partial support).
π« Avoid
- Sending to yourself via plain Email / LINE / Slack / Discord
- Saving to Dropbox / OneDrive / regular Google Drive (= no E2E)
- Storing in the same place as your master password
- Taking a screenshot of the QR code (= screen capture is outside the app β use the "Save image" button above which is optimized for naming and size)
π² How to restore later
To restore on a new device:
Open arpass.io on the new device β "π² Restore a drive created on another device"
Enter master password β tap the π· QR scan icon
In the QR scanner, tap "πΌ Scan image" (= NEW)
Select the saved PNG image β Recovery Secret is read and filled in
Drive unlocks
π This device's Passkey is gone
When the Passkey is gone β e.g. Mac Keychain was reset, you cleared browser data, etc.
On the lock screen: "π± Lost Passkey β Unlock with Master + Recovery"
Enter master password + paper Recovery (QR scan OK)
Unlock succeeds β Settings β "π Register Passkey on this device" to create a new Passkey
From now on this device can unlock with "master password + Touch ID" again
π YubiKey-only mode
A mode that opens your drive with a security key such as a YubiKey alone β no master password and no Recovery Secret. There is nothing to memorize: just touch any one of your registered YubiKeys to unlock. It is an advanced option for people who want to rely entirely on a physical key.
π‘ More on YubiKey itself: What is YubiKey and how to choose one / Price tiers explained / Using with Arpass
β οΈ Please read before creatingYubiKey-only mode has
no master-password fallback and no Recovery Secret. If you lose
all of your registered YubiKeys, the drive can
never be opened again (we cannot recover it either).
- For this reason you must register two or more YubiKeys when you create the drive β so that losing or breaking one still leaves another that can open it.
- Keep the spare key(s) in a separate, safe place (a backup key).
- If you don't mind memorizing a password, the standard mode (master password + Passkey) has more recovery options and is safer.
Create a YubiKey-only drive
Open arpass.io β on the "Create a secure drive" screen choose "π Use YubiKey only"
Choose how many YubiKeys to register (two or more)
Tick the checkbox confirming you understand the drive cannot be recovered if all YubiKeys are lost
Press "Create in YubiKey mode" and, following the prompts, insert (or tap via NFC) and touch your first YubiKey
Register the remaining YubiKeys one by one (you will be prompted to swap keys)
Once all are registered the drive is created and opens straight away
Open it on another device
On the other device open arpass.io β click "π² Restore a secure drive created on another device"
Choose "π Open your drive with a YubiKey from another device"
Insert (or tap via NFC) and touch any one of your registered YubiKeys
The drive opens β no master password and no Recovery needed
Add a YubiKey
With the drive open, go to Settings (β) β open the "π Registered YubiKeys" section
Press "+ Add a YubiKey"
First touch one of your already-registered YubiKeys to confirm it is you
Then swap to the new YubiKey you want to add and touch it
The new YubiKey is registered and can open the drive from then on
π² Set up another device fast with a device-add code
From a device that can already unlock, pass <strong>credentialId and Arweave index tag</strong> to another device (= one that should also unlock with the same YubiKey). This is faster and more reliable than "Open with another device's YubiKey". On Android Chrome it is effectively required because of a Chrome bug that prevents the normal picker from working.
π‘ Security: The code contains only public info (credentialId + Arweave tag). It does not include PRF / crypto keys / Recovery / Master, so even if leaked, no one can unlock without the physical YubiKey. Treat it as ephemeral (delete after pasting) for cleanliness.
Display side (already-unlocked device): With the drive open, Settings (β) β "π Registered YubiKeys"
Tap "π² Show code for another device"
A string starting with "AP1...." and a QR code appear
Input side (new device): On the arpass.io create screen, tap "π² Open with device-add code (AP1....)" link at the bottom
Paste the code OR tap the π· button to scan the QR via camera
Tap "Apply code β Open with YubiKey" and touch your YubiKey
Unlock completes, and this device can now unlock normally going forward
π‘ Use cases: (1) Make Android Chrome work (required), (2) On Mac/Win/iPhone too, skip picker tap for faster setup, (3) Standard route when rolling out one YubiKey across many devices. Works any device β any device.
π‘ About Safari on Mac: Safari on Mac implements WebAuthn differently from other browsers, so a YubiKey drive created or used in Mac Safari becomes Mac-Safari-only and cannot be opened in Chrome, Edge, iPhone, or Android (and vice versa). To share the same drive across several environments, use a browser other than Safari (Chrome / Edge) on your Mac.
π’ Sign up as an employee (Business mode)
If your company has deployed Arpass, you receive an invite code from the admin to join. Employees don't hold Recovery themselves β the admin manages it centrally (password loss / device loss recovery is performed via admin approval).
Get the invite code from admin (e.g., ARPASS-XXXX-XXXX) β in person / Slack DM preferred, share only the code, not a URL
Open arpass.io β click 'π² Employees: join with a code'
Enter the invite code in the prompt β moves to create view + yellow banner 'π’ Employee mode signup'
Set your master password (memorize it β admin does not know it)
'Create the company vault' β Touch ID to create Passkey
Lands on vault view. Recovery is auto-sent to admin (never shown on screen)
π‘ The admin must have opened the app at least once (so their public key is registered on server). If you see 'Failed to join company or send Recovery', ask the admin.
π² Employee device-add / total lockout recovery
If an employee wants to add a new device or has lost all their devices, the admin issues a <strong>device-add code</strong> (8 chars, valid 5 min). It's bound to the employee + single-use + IP rate-limited.
Employee contacts admin to 'add a new device'
Admin tab β employee row β 'π² Device-add code' β 'Auto-approve?' (recommended: Cancel = manual approval required)
Admin sees the 8-char code β relays to employee in person / Slack DM (code only)
Employee opens arpass.io on new device β 'π² Employees: join with a code' (or the same button on the 'Get started' view if picker is empty)
Enter code β device name β master password (the one set at signup) β 'Redeem code'
Progress view (big spinner + 10:00 countdown) shows the wait for admin approval
Admin tab's inbox shows 'π² Device-add' request β 'β
Approve' (auto-approve mode handles automatically)
Employee device auto-unlocks the vault + registers Passkey β vault view + toast 'β
This device is registered'
π‘ Even if the device-add code is stolen, with auto-approve OFF the admin must approve, providing one defense layer. Admin can also see the requesting IP in the inbox.
π³ Fees & payment
Billing is postpaid. Each save operation (add, edit, delete) adds that day's rate to your usage, and you can pay it all at once whenever you like. Reading and copying are free.
With the drive unlocked, click "π³ Balance" in the upper-right header
The pack selection modal opens (Starter / Standard / Heavy / Business / Family)
Click a pack β Stripe checkout opens in a new tab
Enter credit card info β complete payment
The new tab auto-closes and you return to the drive β toast: "β
+N credits applied"
π‘ Your unlocked state is preserved. No re-login required during payment.
π Reissue Recovery Secret
When you want to renew Recovery β paper lost, suspect the old Recovery has leaked, etc.
Drive screen β Settings (β icon) β "Reissue Recovery Secret" section
Enter your current master password
Choose between two modes:
- A. Light (recommended): For when paper is lost but you suspect no theft. Fastest, no server operation.
- B. Full (suspected theft): For when the old Recovery may have leaked. Re-encrypts the body and switches to a new account identifier.
Click "Issue new Recovery Secret"
The new Recovery appears on screen β always print and store safely
Difference between Case A and B (important):
- Case A: Old data on Arweave can still be decrypted by anyone who has the old Recovery + Master. "Past data safety" is NOT preserved.
- Case B: Old Arweave data is permanently undecryptable to anyone without the old MEK. Note: the old Arweave envelopes themselves cannot be deleted (Arweave is immutable).
π Manage registered devices
Check which devices have Passkeys registered, rename them, or remove them.
Drive screen β Settings β "π Registered devices" section
The list of registered devices appears (this device is highlighted in yellow)
"Rename" button: change to a meaningful name (e.g., "Mac Studio", "iPhone 15")
"Remove" button (devices other than this one): unbind that device's Passkey from the vault
Limit of removal: if a copy of the MEK remains on the removed device, past Arweave data can still be decrypted. Complete invalidation requires Recovery Secret reissue (Case B, MEK rotation).
β FAQ
What if I lose all three: master password, Passkey, and Recovery?
You cannot recover. Arpass operations does not retain anything, so we cannot help. This is the cost of zero-knowledge design β we cannot see anyone's passwords, but losing all 3 factors means complete loss.
Losing 2 is still recoverable (the remaining 1 can restore). Before losing all 3, copy the Recovery Secret to multiple locations.
Can operations see my passwords?
No. All encryption happens in your browser, and the body stored on Arweave is double-encrypted before passing through Cloudflare servers.
- Inner: AES-256-GCM (key = MEK, randomly generated, never sent to the server)
- Outer: AES-256-GCM (key = HKDF(Recovery Secret), the Recovery Secret is also never sent to the server)
- What the server sees: encrypted random bytes (undecodable) + balance info
Details verifiable at the code level on the public mirror arpass-spec (AGPL-3.0).
Does the encrypted data on Arweave remain forever?
Yes β Arweave is permanent storage, so written data does not disappear. This is both a benefit ("your passwords still exist 200 years later") and a drawback ("past data remains forever").
Even if you change a password, the old ciphertext remains on Arweave. But the old ciphertext can only be decrypted with the old MEK, which only you know. After a Recovery Secret reissue (Case B), subsequent writes are encrypted with a new key unrelated to the past.
How much does it cost?
Adding, editing, or deleting a password each consumes 1 credit. Saving 10 passwords β 10 credits. The "Starter 100" pack ($2) is enough for daily use. Most users only need to buy a pack once or twice a year.
Is it OK to save the QR code as a photo?
OK under conditions. Save via the in-app γSave imageγ button, then ensure your iCloud Photos has Advanced Data Protection ON, or Google One Backup has E2E encryption ON. This makes the photo unreadable even to Apple / Google.
Without these E2E settings, regular cloud sync leaves the provider with technical access β paper printing is strongly preferred.
For maximum safety, switch to YubiKey-only mode β no Recovery Secret needed at all.
What if I edit on multiple devices simultaneously?
Arpass uses optimistic concurrency control, so the second device to save gets an "Updated on another device" error. Unlock again to fetch the latest version, then re-edit.
π‘οΈ Security best practices
Arpass uses 2-of-3 decryption (any 2 of: master password + Passkey + Recovery Secret can decrypt). By design, leaking only 1 factor does not decrypt the vault. However, simultaneous leakage of multiple factors is dangerous. Follow these guidelines.
β
Recommended
- Use the master password for Arpass only. Do not reuse on other services (= so a leak elsewhere doesn't cascade to Arpass)
- Print Recovery Secret on paper and store physically (safe, drawer, trusted family, etc.)
- Store Recovery Secret in a different place from the master password (so both can't be stolen at once)
- Have multiple trusted devices (so you have a recovery path if a Passkey is lost)
- Periodically test backup operations (e.g., try "π² Register this device" on another device)
β Avoid
- Recovery Secret saved to iCloud / Google Photos without E2E settings ON (= provider technically has access)
- Recovery Secret sent via plain Email / LINE / Slack / Discord (= stored on provider, persists in history)
- Recovery Secret saved to Dropbox / OneDrive / regular Google Drive (= no E2E)
- Master password stored in browser autofill / Keychain (= passkey and master password on the same device)
- Master password sent to others via Slack / email / SMS
- Recovery Secret paper stored in the same place as the master password note
β οΈ Unsuitable use cases
This service is a general-purpose password manager for individuals and small businesses. It is not suitable for:
- State-secret / military-related credentials
- Administrator credentials for major financial institutions (regular consumer bank logins are within scope)
- Patient record access for healthcare institutions (HIPAA / specific data-protection-law domains)
- Cryptocurrency wallet seed phrases (use a dedicated hardware wallet)
We bear no responsibility for any damage arising from use of this service in these scenarios. See the Terms of Service for details.
π¨ If you suspect a leak
If either the master password or the Recovery Secret may have leaked, act immediately:
- Master only: Settings β "Change master password"
- Recovery only: Settings β "Security incident response" β Recovery reissue (Case A, light)
- Both, or device theft: Settings β "Security incident response" β Recovery reissue (Case B, MEK rotation invalidates wraps on the lost device and old Recovery)
See the Security incident response in the Settings of the app screen for details.
π¬ Cryptographic design overview (advanced)
Arpass's cryptographic design is 2-of-3 decryption. Any 2 of the 3 factors can decrypt the vault.
- A: Master password (memorized; Argon2id (memory-hard, 64 MiB / t=3 / p=4))
- B: Passkey (stored in the device's Secure Enclave; 32-byte output via WebAuthn PRF)
- C: Recovery Secret (paper memo; 160-bit entropy)
Decryption paths
- A + B: Daily unlock (password + Touch ID) β fastest. With envelope v7, if you have a synced passkey / YubiKey, even a new device opens with just these two
- A + C: When Passkey is broken (password + paper)
- B + C: When password is forgotten (Touch ID + paper)
Body encryption and outer encryption
Encrypted in two layers:
- Inner: AES-256-GCM(MEK, IV, vault data). The MEK is a random 256-bit key generated at vault creation, wrapped by any 2 of the 3 factors above.
- Outer: AES-256-GCM(HKDF(Recovery Secret), IV, inner envelope). The outer key is derived directly from your Recovery Secret and is never exposed to the server or Arweave.
The bytes on Arweave appear as completely random; the JSON structure and algorithm names are externally indistinguishable. Even the Arweave tag name attached to each write is randomized per-user, so external observers cannot identify which transactions belong to Arpass.
With envelope v7, this outer key is also stored inside the Passkey (WebAuthn user.id). The key is protected by the Passkey hardware and never appears in public Arweave data, so a new device can decrypt the outer layer without entering the Recovery Secret.
What's on the server
The only thing stored server-side in Cloudflare KV is your usage record. Accounts are identified by a hash of your public key (ECDSA P-256); the outer encryption key, master password, and Recovery Secret never reach the server.
For the full specification: