Set Up Encryption
Choose a PIN or passkey. Your PIN never leaves your device.
Why this is required
Gnosis encrypts your memories with a key derived from your PIN through OPAQUE — a zero-knowledge protocol where the server only sees blinded values. Without your PIN (or your recovery code), nobody — including Gnosis — can decrypt your data. That is the point.
The trade-off: we cannot reset your PIN for you. The recovery code you receive on the next step is the only fallback. Save it. We will hold the line on this.
Choose a PIN
Minimum 6 characters. Not all the same character; not a sequence like 123456.
Enroll a passkey
Your device (Touch ID, Windows Hello, hardware key, or platform passkey) generates a key pair bound to this account. Use this if you trust your device's biometric lock. You can add a PIN later from /account.
A recovery code is still required to recover from a lost device. We will generate one after enrollment.
What we send to the server
Blinded OPAQUE handshake messages, an encrypted blob containing your random data-encryption key (wrapped under your PIN-derived export key), and a twin of that blob in which the same key is wrapped under your recovery code. Your PIN, your data-encryption key, and your recovery code stay in this browser.
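The double wrapping described above, as an added example that is not Gnosis's own code: one random data-encryption key is wrapped once per secret, and only the wrapped blobs are uploaded. It assumes AES-256-GCM and HKDF-SHA-256 (the page names neither), substitutes a random 32-byte stand-in for the OPAQUE export key instead of running the handshake, and uses hypothetical function and field names.

```javascript
// Added illustration, not Gnosis code. AES-256-GCM, HKDF-SHA-256 and all
// function/field names are assumptions; the page does not name them.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit wrapping key. HKDF is only safe for high-entropy input;
// a low-entropy secret would need a password hash instead.
function deriveWrapKey(secret, label) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), label, 32));
}

// Wrap the data-encryption key (DEK) under a wrapping key.
function wrapKey(kek, dek) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([cipher.update(dek), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Unwrap; throws if the wrapping key is wrong or the blob was modified.
function unwrapKey(kek, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
}

// Client-side enrollment: `upload` is all the server receives; `dek` stays local.
function enroll(exportKey, recoveryCode) {
  const dek = nodeCrypto.randomBytes(32);
  const upload = {
    wrappedUnderPin: wrapKey(deriveWrapKey(exportKey, 'wrap:pin'), dek),
    wrappedUnderRecovery: wrapKey(deriveWrapKey(recoveryCode, 'wrap:recovery'), dek),
  };
  return { dek, upload };
}

// Either secret, with its matching blob, recovers the same DEK.
function recoverDek(secret, label, blob) {
  return unwrapKey(deriveWrapKey(secret, label), blob);
}

// Constructed sample inputs: a random stand-in for the OPAQUE export key
// and a random recovery code. Neither reflects Gnosis's real formats.
const sampleExportKey = nodeCrypto.randomBytes(32);
const sampleRecoveryCode = nodeCrypto.randomBytes(20).toString('hex');
const sample = enroll(sampleExportKey, sampleRecoveryCode);
console.log(recoverDek(sampleExportKey, 'wrap:pin', sample.upload.wrappedUnderPin).equals(sample.dek));
console.log(recoverDek(sampleRecoveryCode, 'wrap:recovery', sample.upload.wrappedUnderRecovery).equals(sample.dek));
```

Because the blobs are authenticated, a server that alters either one causes the unwrap to fail rather than yield a different key.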