Registering a Locker account needs 2 main steps:

In this step, you will be asked to enter your email, set an account password, and provide some other information. You can also create a Locker account using OAuth supported by Google, Facebook, GitHub, and AppleID.

The Master Password is the key to encrypt and decrypt all data of a user in Locker.

The Master Password is different from the Account Password created in the first step. The Account Password is used for external authentication, not involved in data encryption, and can be re-issued. In contrast, the Master Password participates in all encryption or decryption processes; it should be emphasized that the Master Password cannot be re-issued if the user loses it.

Locker uses the PBKDF2 Key Derivation algorithm with the default iteration count of 100,000 to stretch the Master Password (the salt here is the user’s email address). The result is a 256-bit Master Key.

Then, the Master Key is also stretched to a 512-bit Stretched Master Key by using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) algorithm.

In addition, a 512-bit Symmetric Key and an Initialization Vector (IV) are generated by the Cryptographically Secure Pseudorandom Number Generator. The Symmetric Key is encrypted by the AES-256-CBC Encryption algorithm with the key being the Stretched Master Key and the IV being the aforementioned Initialization Vector. As a result, an Encrypted Symmetric Key is created; it is the unique value corresponding to each user and saved to the Locker servers.

A hash of the Master Password is also produced using PBKDF-SHA256 with the Master Key as the payload and the Master Password as the salt. Later, this value is sent to the Locker servers upon account creation and login to authenticate the user’s Locker account. After being transferred to the servers, it is further hashed by PBKDF2-SHA256 with a random salt and 216,000 iterations before being saved to the database.

At the same time, an asymmetric key pair (RSA Key Pair) is generated when a user registers an account. This key pair is used for data sharing in the Organizations or User Groups described later.