Bkmker

Your bookmarks,
encrypted and private.

Bkmker stores your bookmarks so that only you can read them. Every link is encrypted on your device before it ever reaches our servers — we have no way to see what you've saved.

Create a free account Log in
426 bookmarks encrypted and stored

Zero-knowledge encryption

A Secret Key generated on your device encrypts everything. The server stores only ciphertext.

No tracking, no profiling

Your URLs and titles are never visible to us. Even in a data breach, your bookmarks stay private.

Sync everywhere

One encrypted vault, accessible from any browser. Local apps and extensions coming soon.

Pricing

Simple, honest pricing

Start free. Upgrade when you're ready. No hidden fees, no data selling — ever.

Free

$0 / forever
  • Encrypted bookmarks
  • 1 vault
  • Browser extension
Get started free

Monthly

$3 / month
  • Everything in Free
  • Unlimited vaults
  • Secret Key rotation
  • Priority support
Get started
Best Value

Yearly

$20 / year

Save 44% vs monthly

  • Everything in Monthly
  • 2 months free
Get started

Lifetime

$80 once

Pay once, use forever

  • Everything in Yearly
  • No recurring charges
  • All future updates
Buy lifetime access
Security by design

How your privacy is protected

We believe you shouldn't have to take our word for it. Here is exactly what happens to your data — from the moment you save a link to the moment it appears in your vault. Every step is verifiable and every claim is technically precise.

1

Your Secret Key is born on your device

When you register, your browser generates a cryptographically random 256-bit Secret Key using crypto.getRandomValues() — the same Web Crypto API your browser uses for TLS. This happens entirely inside your browser tab.

The key is displayed to you once, formatted as LL-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX. You are responsible for saving it — Bkmker never receives, stores, or transmits it.

If you lose your Secret Key, your bookmarks cannot be recovered — not by you, not by us. There is no password reset for encryption.
2

A unique encryption key is derived per vault

Each vault has a random 256-bit salt stored on the server. When you unlock, your browser combines your Secret Key with that salt using PBKDF2-SHA256 with 600,000 iterations to produce the vault's AES-256 encryption key.

600,000 iterations is the OWASP-recommended minimum for PBKDF2-SHA256 as of 2024. It means an attacker who stole your encrypted bookmarks and your vault salt would still need to brute-force your Secret Key across 2256 possibilities — computationally infeasible.

PBKDF2(secret_key, vault_salt, 600_000, SHA-256) → AES-256 key
3

Every bookmark is encrypted before it leaves your device

When you save a link, your browser encrypts the entire payload — URL, title, tags, notes, and description — using AES-256-GCM. A fresh random 96-bit nonce is generated for every single bookmark, so no two ciphertexts are ever identical even if the content is the same.

GCM mode provides both confidentiality and authentication. The authentication tag means any tampering with the ciphertext is detected and rejected before decryption. The server receives and stores only the ciphertext and nonce — it has no access to the key.

AES-256-GCM(aes_key, random_nonce, {url, title, tags, notes})
ciphertext + auth_tag
4

What Bkmker actually stores

Our database contains no readable information about your browsing. Here is a representative row from what is actually stored — every field is either opaque binary data or structural metadata needed to serve it back to you.

Column Example value What it reveals
id 550e8400-e29b-41d4-a716-… A random identifier. Nothing more.
user_id be054491-3f7a-4d2c-… Which account owns this record.
vault_id a3f1c820-9e44-11ef-… Which vault it belongs to.
nonce \\x9f3a21bc04d87e… 12-byte random value. Required for decryption. Harmless without the key.
encrypted_data \\x4d2f89a031c7e8b5f1… Opaque binary. Indistinguishable from random bytes without your key.
inserted_at 2025-03-20 14:32:11 When the record was created. No content info.
5

Decryption never leaves your browser

When you open your vault, the server sends back the encrypted blobs. Your browser re-derives the vault key from your Secret Key (or PIN), then decrypts every bookmark locally using the Web Crypto API — the same built-in API used by your browser for HTTPS.

Decrypted bookmarks exist only in your browser's memory for the duration of your session. They are never written to disk and never sent anywhere. Closing the tab discards them entirely.

The IndexedDB cache stores only the encrypted blobs — the same format as the server. Even if someone extracted your browser's local storage, they would see only ciphertext.

6

PIN protection keeps things convenient without sacrificing security

Typing a 64-character key every session would be tedious. Bkmker lets you set a PIN that encrypts your Secret Key locally on your device. The PIN never leaves your browser — it is used purely to encrypt and decrypt a locally stored blob using its own PBKDF2-derived key (200,000 iterations, SHA-256).

PBKDF2(pin, random_pin_salt, 200_000, SHA-256) → pin_key
AES-256-GCM(pin_key, nonce, secret_key_hex) → encrypted_secret_key

The encrypted blob is stored in localStorage. The PIN salt, nonce, and ciphertext are all stored together — but without the PIN itself they cannot be used to recover the Secret Key.

What Bkmker cannot see — ever

This is not a policy promise. It is a technical guarantee that flows from the architecture above.

The URLs you bookmark
Titles, tags, or notes you save
What topics or sites you visit
Your Secret Key — we never receive it
The content of any specific bookmark
Readable data even in a breach

Don't just take our word for it — the encryption logic lives in assets/js/vault.js, assets/js/bookmarks.js, and extension/shared/crypto.js. Open your browser's developer tools and inspect every network request — you will never see a plaintext URL leave your device.