
Technical deep-dive

Security without a server perimeter.

Peach is built so that the strongest claims are architectural, not procedural: no hosted vaults, no account database, and no product telemetry stream to "promise" not to misuse. The trust boundary stays on your device and on explicitly paired peers on the local network.

peach:v3:entries=247:zstd:aes256gcm:argon2id

Zero-knowledge vault encryption

Zero server dependency

No account creation

No product telemetry

Local-network peer-to-peer sync only

Portable PeachScript restore path

Vault container

Peach encrypts vault data locally, in process memory, before any of it is serialized for storage or export. PeachScript backups are derived from the encrypted container rather than from plaintext records.

  • Compression: Zstandard on the structured vault payload before encryption.
  • Encryption: AES-256-GCM for authenticated confidentiality.
  • Key derivation: Argon2id with per-vault salt and high-memory parameters tuned for interactive unlocks.
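The three bullets above describe one authenticated container. The following is an added example, written for this page rather than taken from Peach's code base, of how such a container behaves: the header is bound to the ciphertext as AES-256-GCM additional authenticated data, every write draws a fresh 96-bit nonce, and any change to the header, the ciphertext or its length fails authentication. Node's crypto module has no Argon2id, so scrypt stands in for the key derivation step; the header string, field names and sample plaintext are constructed for the demo.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";

// Header string bound to the ciphertext as additional authenticated data
// (AAD), so a modified header fails authentication just like modified bytes.
const VAULT_HEADER = "peach:v2:entries=247:zstd:aes256gcm:argon2id";

interface SealedVault {
  salt: Buffer;        // per-vault salt for key derivation
  nonce: Buffer;       // 96-bit GCM nonce, fresh for every write
  ciphertext: Buffer;
  tag: Buffer;         // 128-bit GCM authentication tag
}

// Stand-in for Argon2id: Node's crypto module ships no Argon2id, so scrypt
// (another memory-hard KDF) is used here only so the example runs offline.
function deriveVaultKey(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

function sealVault(passphrase: string, plaintext: Buffer): SealedVault {
  const salt = randomBytes(16);
  const nonce = randomBytes(12);           // never reuse a nonce under one key
  const cipher = createCipheriv("aes-256-gcm", deriveVaultKey(passphrase, salt), nonce);
  cipher.setAAD(Buffer.from(VAULT_HEADER, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when authentication fails: wrong passphrase,
// flipped ciphertext bytes, a truncated payload, or an altered header.
function unsealVault(passphrase: string, v: SealedVault, header = VAULT_HEADER): Buffer | null {
  const decipher = createDecipheriv("aes-256-gcm", deriveVaultKey(passphrase, v.salt), v.nonce);
  decipher.setAAD(Buffer.from(header, "utf8"));
  decipher.setAuthTag(v.tag);
  try {
    return Buffer.concat([decipher.update(v.ciphertext), decipher.final()]);
  } catch {
    return null;                           // GCM tag check failed
  }
}

// Constructed vault record for the stand-alone demo: a good unseal succeeds,
// a single flipped ciphertext bit is rejected.
function demoVault(): boolean {
  const passphrase = "correct horse battery staple";
  const sealed = sealVault(passphrase, Buffer.from('{"entries":[]}', "utf8"));
  const flipped = { ...sealed, ciphertext: Buffer.from(sealed.ciphertext) };
  flipped.ciphertext[0] ^= 0x01;
  return unsealVault(passphrase, sealed) !== null && unsealVault(passphrase, flipped) === null;
}
```

Binding the header as AAD is the detail worth copying: it lets the restore path refuse a backup whose header was edited (say, to claim a different cipher or entry count) without having to trust the header before the tag check.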

Zero-knowledge architecture

There is no hosted account system and no recovery server. Recovery is handled on-device: a 12-word sequence generated locally when you set up Peach, and PeachScript backups you export yourself.

  • No email addresses, usernames, or device identifiers are required for unlock or restore; your master passphrase is still required.
  • No vault material is escrowed on remote infrastructure.
  • All restore flows are deterministic from user-held material.
  • Generic website analytics, when present, are limited to traffic and performance measurement and are not tied to product accounts because no product accounts exist.
  • Purchases are processed by Polar. No payment data is retained in Peach product infrastructure.

PeachScript encoding

PeachScript is a dense textual transport wrapper around the encrypted vault package. Each export is a point-in-time snapshot of the vault. Peach maps encrypted bytes into private-use runes so the backup remains copyable, storable, and restorable with the backup password instead of any vendor backend.

  • Why PeachScript: the private symbol set keeps the export visibly distinct from ordinary text while remaining copyable.
  • Snapshot semantics: the backup reflects the vault state at export time rather than acting as live sync.
  • Header format: `peach:v2:entries=247:zstd:aes256gcm:argon2id`.
  • Payload: compressed encrypted vault blocks encoded into the PeachScript private-use range.
  • Integrity: authenticated decryption rejects tampered or truncated backups.
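To make the header and payload bullets concrete, here is an added example of a PeachScript-style transport layer. It is not Peach's encoder; the byte-to-rune mapping (one byte per rune at U+E000 plus the byte value, inside the Basic Multilingual Plane's Private Use Area) and the header parser's field names are assumptions made for this illustration, since the page gives only the header line itself. Integrity is left to the authenticated decryption of the payload, as the page states; this layer only rejects input that is not PeachScript at all.

```typescript
// Assumption (not documented by Peach): one byte per rune, mapped to
// U+E000 + byte, inside the Basic Multilingual Plane's Private Use Area.
const PUA_BASE = 0xe000;

interface PeachHeader {
  version: number;
  entries: number;
  compression: string;
  cipher: string;
  kdf: string;
}

// Parses "peach:v2:entries=247:zstd:aes256gcm:argon2id"; throws on anything else.
function parsePeachHeader(line: string): PeachHeader {
  const parts = line.trim().split(":");
  if (parts.length !== 6 || parts[0] !== "peach") throw new Error("not a PeachScript header");
  const version = /^v(\d+)$/.exec(parts[1]);
  const entries = /^entries=(\d+)$/.exec(parts[2]);
  if (!version || !entries) throw new Error("malformed PeachScript header");
  return {
    version: Number(version[1]),
    entries: Number(entries[1]),
    compression: parts[3],
    cipher: parts[4],
    kdf: parts[5],
  };
}

// Encrypted bytes -> private-use runes. Every rune is a single UTF-16 code
// unit, so the text survives copy/paste and can be walked with charCodeAt.
function encodePeachScript(bytes: Uint8Array): string {
  let out = "";
  for (let i = 0; i < bytes.length; i++) out += String.fromCharCode(PUA_BASE + bytes[i]);
  return out;
}

// Private-use runes -> bytes. Returns null if any character falls outside the
// 256-rune alphabet (ordinary text, emoji surrogates, or a corrupted paste).
function decodePeachScript(text: string): Uint8Array | null {
  const out = new Uint8Array(text.length);
  for (let i = 0; i < text.length; i++) {
    const b = text.charCodeAt(i) - PUA_BASE;
    if (b < 0 || b > 0xff) return null;
    out[i] = b;
  }
  return out;
}

// Full export document: header line, then the encoded payload.
function exportDocument(header: string, ciphertext: Uint8Array): string {
  return `${header}\n${encodePeachScript(ciphertext)}`;
}

// Restore side: split header from payload, decode, hand the bytes to the
// authenticated decryption step (not shown here) which does the real check.
function importDocument(doc: string): { header: PeachHeader; payload: Uint8Array } | null {
  const nl = doc.indexOf("\n");
  if (nl < 0) return null;
  const payload = decodePeachScript(doc.slice(nl + 1).trim());
  if (!payload) return null;
  return { header: parsePeachHeader(doc.slice(0, nl)), payload };
}
```

Because the alphabet is exactly 256 private-use code points, any ordinary character in the payload is an immediate decode error rather than silently mapped to a wrong byte, which is what keeps a mangled paste from reaching the decryption step looking plausible.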

Peach Sync protocol

Sync is peer-to-peer on the local network. New devices are introduced through Chirp — an ultrasonic audio handshake — and after that, paired devices authenticate each other with Noise XX on every connection and exchange encrypted vault deltas without relaying through a third-party service.

  • Pairing uses a Noise NK handshake over ephemeral X25519 keys carried in the chirp; long-term identity keys are exchanged inside the encrypted channel and persisted to the paired-device registry.
  • Every later sync runs Noise XX mutual authentication with those long-term keys before any vault frame is sent. Unknown peers are rejected at handshake time.
  • Transport is limited to user-paired devices on the same network segment. Session keys are ephemeral and scoped to sync traffic rather than reused as the vault master key.
  • If no paired peer is reachable, nothing leaves the device.
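Two of the properties listed above can be shown in a few dozen lines: an unknown long-term key is refused before any vault frame is exchanged, and each connection derives its own session key from fresh ephemeral X25519 keys rather than reusing the vault key. The block below is an added illustration of exactly those two points and is not the Noise XX protocol (Noise XX additionally proves possession of both static keys inside the handshake, which this sketch omits); the registry class, fingerprint scheme and HKDF info string are assumptions for the example.

```typescript
import { createHash, diffieHellman, generateKeyPairSync, hkdfSync, KeyObject } from "crypto";

// Simplified illustration, not the Noise XX protocol: it shows the two
// properties the page states, an unknown long-term key being rejected before
// any vault frame is sent, and a fresh X25519 ephemeral per session.

interface KeyPair { publicKey: KeyObject; privateKey: KeyObject }

// Registry of paired devices, keyed by a SHA-256 fingerprint of the DER public key.
class PairedDeviceRegistry {
  private fingerprints = new Set<string>();

  static fingerprint(pub: KeyObject): string {
    const der = pub.export({ type: "spki", format: "der" }) as Buffer;
    return createHash("sha256").update(der).digest("hex");
  }

  // Called once, when a device is introduced (the Chirp pairing step).
  pair(longTermPub: KeyObject): void {
    this.fingerprints.add(PairedDeviceRegistry.fingerprint(longTermPub));
  }

  isPaired(longTermPub: KeyObject): boolean {
    return this.fingerprints.has(PairedDeviceRegistry.fingerprint(longTermPub));
  }
}

// Ephemeral-ephemeral X25519 agreement, expanded with HKDF into a 256-bit
// session key. The key is scoped to this session; it is never the vault key.
function deriveSessionKey(ours: KeyPair, theirEphemeralPub: KeyObject): Buffer {
  const shared = diffieHellman({ privateKey: ours.privateKey, publicKey: theirEphemeralPub });
  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), "peach-sync-session", 32));
}

// Responder side: gate on the registry first, only then run key agreement.
function respondToSync(
  registry: PairedDeviceRegistry,
  peerLongTermPub: KeyObject,
  peerEphemeralPub: KeyObject,
): { sessionKey: Buffer; ephemeralPub: KeyObject } | null {
  if (!registry.isPaired(peerLongTermPub)) return null;   // unknown peer: stop here
  const ephemeral = generateKeyPairSync("x25519");        // fresh per connection
  return {
    sessionKey: deriveSessionKey(ephemeral, peerEphemeralPub),
    ephemeralPub: ephemeral.publicKey,
  };
}
```

The ordering matters: the registry check is the cheap, unauthenticated-to-the-network step and runs first, so an unpaired device on the same segment never causes the responder to spend a key agreement or reveal a session key.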

Threat model

Peach is designed to remove server-side breach classes, account takeover risk, and silent product telemetry collection. It does not claim to defeat a fully compromised endpoint or a user who reveals the unlock secret.

  • Protects against hosted vault theft because no hosted vault exists.
  • Protects against passive network collection when no sync or breach check is initiated.
  • Does not protect against malware already controlling the unlocked device.

Security fundamentals

The architecture is the promise.

Peach doesn't ask you to trust a company. The security claims are enforced by the code running on your machine.

Peach is built on TypeScript and SolidJS.

  • Key derivation: Argon2id | 64MB memory | 3 iterations | OWASP 2025
  • Encryption: AES-256-GCM | authenticated | fresh nonce per write
  • Integrity: BLAKE3 | 256-bit digest | length-extension resistant
  • Pairing: Chirp | ultrasonic audio | Noise NK | ephemeral X25519
  • Sync transport: Noise XX | X25519 | ChaCha20-Poly1305 | forward secrecy
  • Backup format: PeachScript | printable code | zstd compressed | copy or scan
  • License validation: Ed25519 signature | offline | no server required

We designed Peach so that even we cannot read your passwords.
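The license line above is the one item in the list that is easy to show end to end. The block below is an added example of offline Ed25519 license validation and is not Peach's licensing code; the license fields, token layout (base64 payload, dot, base64 signature) and sample values are constructed for the illustration. The point it makes is that the installed copy needs only the vendor's public key, so verification works with no network at all.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "crypto";

// Constructed license record; the real field set is not documented on the page.
interface License {
  licensee: string;
  product: string;
  issued: string;   // ISO date, constructed
}

// Issued by the vendor, offline: the Ed25519 private key never ships with the app.
function issueLicense(lic: License, vendorPrivateKey: KeyObject): string {
  const payload = Buffer.from(JSON.stringify(lic), "utf8");
  const sig = sign(null, payload, vendorPrivateKey);   // null algorithm = pure Ed25519
  return `${payload.toString("base64")}.${sig.toString("base64")}`;
}

// Verified by the installed copy against the vendor's embedded public key.
// No server is consulted: the signature is the whole proof.
function verifyLicense(token: string, vendorPublicKey: KeyObject): License | null {
  const dot = token.indexOf(".");
  if (dot < 0) return null;
  const payload = Buffer.from(token.slice(0, dot), "base64");
  const sig = Buffer.from(token.slice(dot + 1), "base64");
  try {
    if (!verify(null, payload, vendorPublicKey, sig)) return null;
    return JSON.parse(payload.toString("utf8")) as License;
  } catch {
    return null;   // malformed signature or undecodable payload
  }
}
```

Parsing the JSON only after the signature verifies is deliberate: the verifier never interprets untrusted license content, so a malformed or edited payload is rejected before it can influence anything.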

No product telemetry.

The only outbound connections are opt-in breach monitoring and an opt-in bug reporting system. Bug reports record only device type — for example, iPhone 15 or MacBook Air M2. No user IDs, no IP addresses, no account required.

No account.

Peach never asks for your email, your name, or any identifying information to use the product. There is no user database. There are no users—only installations.

Payments stay with the processor.

Checkout is handled by Polar. Licenses are generated after payment and sent to your email within seconds. Purchaser information is not passed into Peach product infrastructure.

No infrastructure to breach.

There is no Peach backend, no hosted vault service, no account system, and no customer database. If Peach were “breached,” there would be no central vault trove or user table to steal.

Export anytime. To anywhere.

Your vault is yours. Export as a standard CSV to move to any password manager, as PeachScript to restore into Peach on another device, or as a Peach Codex to keep a physical backup in a safe. No lock-in. No export fee.

No kill switch.

Your license works offline forever. If Peach development stopped tomorrow, your installed copy would keep working indefinitely. No phone-home, no expiration.

Where Peach runs.

Chrome

extension | service worker | passkeys

Firefox

extension | service worker | passkeys

Android

Keystore TEE | biometric | autofill service | beta

iOS (coming soon)

Secure Enclave | Face ID

Network behavior

Default state

Peach does not require network access to unlock, browse, edit, export, or continue using a licensed installation. With no user-initiated action, there is no background service to contact.

Explicit exceptions

Three flows can touch the network: Peach Sync when paired devices exchange encrypted data on the local network; breach monitoring when a k-anonymity prefix is sent for password exposure checks; and an optional, opt-in feedback and bug reporting system. The feedback system records no user-identifiable information — only device type (for example, iPhone 15 or MacBook Air M2). None of these paths creates a hosted Peach account or remote Peach vault.
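The breach-monitoring flow is the one network exception where the privacy property can be demonstrated in code. Below is an added example, not Peach's implementation, of a k-anonymity range check: the page says only that a prefix is sent, so the hash function (SHA-1) and prefix length (5 hex characters) follow the range-query convention popularised by Have I Been Pwned and are assumptions here. The range service is replaced by a constructed in-memory stand-in that records what it was asked, so the example can show that only the prefix ever leaves the device and the match happens locally.

```typescript
import { createHash } from "crypto";

// Assumption: the range-query convention popularised by Have I Been Pwned.
// The page only says a "k-anonymity prefix" is sent; the hash function and
// prefix length below are that convention, not documented Peach behaviour.
const PREFIX_LEN = 5;

function sha1Hex(password: string): string {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Split the digest: only `prefix` ever leaves the device.
function splitForRangeQuery(password: string): { prefix: string; suffix: string } {
  const digest = sha1Hex(password);
  return { prefix: digest.slice(0, PREFIX_LEN), suffix: digest.slice(PREFIX_LEN) };
}

// Match the local suffix against the "SUFFIX:COUNT" lines the range service returned.
function exposureCount(rangeResponse: string, suffix: string): number {
  for (const line of rangeResponse.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate === suffix) return Number(count) || 0;
  }
  return 0;
}

type RangeFetcher = (prefix: string) => string;

// Returns how many times the password appears in the range, 0 if unseen.
function checkPasswordExposure(password: string, fetchRange: RangeFetcher): number {
  const { prefix, suffix } = splitForRangeQuery(password);
  return exposureCount(fetchRange(prefix), suffix);
}

// Constructed stand-in for the remote range service: it records what it was
// asked for, so the demo can show that only the 5-character prefix is sent.
// The suffix/count lines are constructed; the second one is the real SHA-1
// suffix of the string "password", the count is made up.
function makeConstructedRangeService(): { fetch: RangeFetcher; requests: string[] } {
  const requests: string[] = [];
  const constructedRange =
    "1D72CD07550416C216D8AD296BF5C0AE8E0:12\n" +
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n" +
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4\n";
  return {
    fetch: (prefix) => { requests.push(prefix); return constructedRange; },
    requests,
  };
}
```

The detection decision is made on the device from the returned suffix list; the service sees a 5-character prefix shared by every password whose hash starts the same way, which is the whole k-anonymity argument.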