
Data Encryption

Locker uses the AES-256-CBC encryption algorithm to encrypt the secret vault and the PBKDF2 SHA-256 algorithm to derive the keys used for AES-256-CBC. Locker always encrypts or hashes your data on your local device before sending anything to the server for storage; Locker servers only store encrypted data. The secret vault can only be decrypted with keys derived from your Master Password. Locker is a zero-knowledge solution: you are the only person who has access to those keys and can decrypt the data in your secret vault. User data is encrypted only after account authentication has completed successfully. The process consists of the following steps:
  • The Client retrieves the Encrypted Symmetric Key from the Locker server.
  • The Client uses the Master Password entered by the user to generate the Stretched Master Key.
  • The Client uses the Stretched Master Key and the AES-256-CBC algorithm to decrypt the Encrypted Symmetric Key, obtaining the Symmetric Key.
  • The Client encrypts the data entered by the user, the Vault Item (e.g., passwords, credit card information, user identity information), using the AES-256-CBC algorithm with the Symmetric Key as the key.
  • The Client sends the encrypted data, Encrypted Vault Item, to be stored on the Locker server.
The detailed data encryption process is described in the diagram below.
[Diagram: Data encryption diagram]