The Recovery QR Code: Your Safety Net for Zero-Knowledge Encryption

← Back to Blog

Zero-knowledge encryption is the gold standard for password managers. It means the server never sees your master password, never has access to your vault key and cannot decrypt your data under any circumstances. Not even if a government agency shows up with a court order. Not even if the company's own engineers want to look.

But this level of security comes with a trade-off that most people do not think about until it is too late: if you forget your master password, nobody can help you. There is no "Forgot Password" email. There is no support ticket that resets your account. Your data is encrypted with a key derived from your master password, and without that password, it is gone forever.

The Recovery QR code is the solution to this problem. It gives you a way to recover your master password without breaking the zero-knowledge model.

The Problem: Zero-Knowledge Means Zero Recovery

Traditional web applications store your password (or a hash of it) on their server. When you click "Forgot Password," they can verify your identity through email and let you set a new one. This works because the server is the authority on your credentials.

UnveilPass does not work this way. Your master password is never sent to the server in any recoverable form. Instead, it is processed through Argon2id to derive two things:

An authentication key (sent to the server, re-hashed) — this proves you know the password
A Key Encryption Key (KEK) derived via HKDF — this decrypts your vault key, and it never leaves your browser

Without the KEK, your vault key is just random bytes. Without the vault key, your encrypted entries are unreadable. Without your master password, you cannot derive the KEK. The chain is unbreakable by design.

Without a Recovery QR: If you forget your master password, your only option is to reset your account. This permanently deletes all your encrypted data — every vault entry, every secure note, every identity. There is no undo.

The Solution: Recovery QR

The Recovery QR code is a backup of your master password that is encrypted with a PIN you choose. Here is the key insight: the encryption happens entirely in your browser. The server stores the encrypted payload but cannot decrypt it because it never knows your PIN.

This preserves the zero-knowledge model completely. The server holds an encrypted blob that is useless without the PIN, and the PIN exists only in your head (and on the printed QR code you store in a safe place).

How It Works: Step by Step

Setting up the Recovery QR:

Open your Account settings by clicking your email in the top bar.
Go to the Recovery tab (green tab).
Choose a PIN — a numeric code that you will remember. This PIN is used to encrypt your master password.
Your browser encrypts your master password using PBKDF2 key derivation (100,000 iterations) combined with AES-256-GCM encryption, all keyed by your PIN.
The encrypted payload is sent to the server and stored with a short unique ID.
A QR code is generated that contains a URL: https://unveilpass.com/#/recover-qr?id=xxx
Print the QR code or save it in a secure location.

What the server stores: An encrypted blob and a short ID. That is it. The server does not know your PIN, does not know your master password and cannot derive either one from the stored data. The encryption key is derived from your PIN, which only you know.

Recovering your master password:

Scan the QR code with your phone's camera or a QR reader app.
The QR code opens UnveilPass at the recovery page with the encrypted payload ID.
Enter your PIN.
Your browser fetches the encrypted payload from the server, decrypts it locally using PBKDF2 + AES-256-GCM with your PIN and reveals your master password.
Use the master password to log in to your vault as normal.

The entire decryption happens in your browser. The PIN is never sent to the server. The master password is never sent to the server. The server simply hands over the encrypted blob and your browser does the rest.

The Security Model

The Recovery QR system is designed with multiple layers of protection:

Server cannot decrypt. The encrypted payload is meaningless without the PIN. Even if the server's database is breached, the attacker gets only encrypted blobs with no way to derive the decryption keys.
PIN never leaves your device. The PIN is used locally for key derivation. It is never transmitted over the network.
PBKDF2 with 100,000 iterations. Even if an attacker obtains the encrypted payload, brute-forcing the PIN requires significant computational effort per attempt.
AES-256-GCM authenticated encryption. Tampered payloads are detected and rejected. An attacker cannot modify the encrypted data to trick the decryption process.
QR code is physical. The recovery mechanism requires physical access to the printed QR code. A remote attacker cannot use it without being in the same room as your printed backup.
No direct link from login page. The recovery page is only accessible by scanning the QR code. There is no "Recover with QR" button on the login screen — this prevents phishing attacks that try to trick users into entering their PIN on a fake recovery page.

Choose a strong PIN. While 4 digits works, a 6-digit PIN is significantly more resistant to brute-force attacks. Avoid obvious choices like 000000, 123456 or your birth year.

Where to Store Your Recovery QR

The Recovery QR code is only useful if you can find it when you need it. Here are some recommendations:

Print it and store in a safe. A physical printout in a fireproof safe at home is the most reliable option. It survives device failures, cloud account lockouts and software bugs.
Store a copy at a second location. Consider keeping a second printout at your office, in a safety deposit box or with a trusted family member. If your home is damaged or inaccessible, you still have a backup.
Tell a trusted person where it is. You do not need to give anyone the QR code or the PIN. Just tell someone you trust — a spouse, a parent, a business partner — where the printed copy is stored. If something happens to you, they can find it.
Do not store it digitally on the same device. Saving a screenshot of the QR code on your phone or laptop defeats the purpose. If you lose access to that device, you lose the recovery method too. If the device is compromised, the attacker has your QR code.

Pro tip: Treat the Recovery QR like a house key. You do not carry your spare key in the same pocket as your main key. Keep the QR code somewhere separate from the devices you use to access your vault.

What Happens If You Change Your Master Password

This is important to understand: the Recovery QR code encrypts your current master password at the time you set it up. If you change your master password later, the old QR code still contains the old password — which no longer works.

After changing your master password, you must:

Go back to the Recovery tab in Account settings.
Generate a new Recovery QR with a new (or the same) PIN.
Print the new QR code.
Destroy the old printed copy — it is now useless and a potential source of confusion.

UnveilPass displays a reminder on the vault page if you have not set up a Recovery QR yet. This reminder includes a "Don't remind me again" checkbox if you prefer to dismiss it permanently. The reminder is designed to nudge you toward setting up this safety net before you need it — because by the time you need it, it is too late to set it up.

Do not skip this step. Changing your master password without regenerating the Recovery QR is a common mistake. Make it a habit: every time you update your master password, immediately generate a fresh QR code.

Recovery QR vs Account Reset

If you forget your master password and do not have a Recovery QR, the only option is an account reset. Here is the difference:

Recovery QR	Account Reset
Reveals your master password	Permanently deletes all encrypted data
All vault entries preserved	Vault entries, notes and identities destroyed
Requires PIN + printed QR code	Requires email verification only
Takes 30 seconds	Takes 30 seconds — but you start over from zero

The account reset page in UnveilPass explicitly warns you about data destruction and suggests using the Recovery QR instead. But if you never set one up, there is nothing to suggest.

Frequently Asked Questions

Can I have multiple Recovery QR codes? Each time you generate a new one, it replaces the previous one. Only one recovery payload is active at a time. However, you can print multiple copies of the same QR code and store them in different locations.

What if someone finds my QR code? They still need your PIN to decrypt it. Without the PIN, the QR code leads to an encrypted payload that is unreadable. That said, treat the QR code as sensitive material — do not leave it lying on your desk.

Can I use the Recovery QR from any device? Yes. The QR code contains a URL that works in any browser. Scan it with your phone, open the link on a friend's computer or type the URL manually. As long as you have the PIN, you can recover your password from anywhere.

Does the Recovery QR expire? The recovery payload remains on the server until you generate a new one or delete your account. It does not expire on its own.

Set It Up Now

If you are reading this and you have not set up your Recovery QR yet, do it now. It takes less than a minute. Open your Account settings, go to the Recovery tab, choose a PIN and print the QR code. Then put it somewhere safe.

You probably will never need it. But if you do, you will be grateful it exists.

Never Lose Access to Your Vault

Set up your Recovery QR code in under a minute. Your master password, encrypted with your PIN, printed as a QR code. The server cannot read it.

Create Your Vault