To ensure that keys stored on Locker’s servers can only be used by their owners, Locker applies a “two-secret key derivation” process when creating the symmetric keys used to encrypt and decrypt data stored on the server.

During the data encryption step, before anything is sent to the server, the user creates a stretched master key, which serves as the first secret. A CSPRNG then generates a cryptographically secure random symmetric key to encrypt the data, which serves as the second secret. These two secrets are used as input parameters for the AES-256-CBC algorithm, producing an entirely new key that is backed up on the server.

During the data decryption step, the stretched master key once again serves as the first secret, while the second secret is the new key generated in the step above, retrieved from the server. Together they are used to derive the original symmetric key, which then decrypts the data.
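The encryption and decryption steps above, sketched in Node.js as an added example that is not Locker's own code. The page names only AES-256-CBC; the function names, the random IV, the HKDF split into separate encryption and MAC keys, the HMAC-SHA256 tag and the PBKDF2 stand-in for key stretching are all assumptions made here so that a wrong master key or a modified server copy is rejected deterministically.

```javascript
const crypto = require('crypto');

// Assumption: split the stretched master key into independent AES and MAC keys.
function subkeys(stretchedMasterKey) {
  const derive = (info) =>
    Buffer.from(crypto.hkdfSync('sha256', stretchedMasterKey, Buffer.alloc(0), info, 32));
  return { encKey: derive('enc'), macKey: derive('mac') };
}

// Before upload: combine the first secret (stretched master key) with the
// second secret (random symmetric key) to produce the blob the server stores.
function wrapKey(stretchedMasterKey, symmetricKey) {
  const { encKey, macKey } = subkeys(stretchedMasterKey);
  const iv = crypto.randomBytes(16); // fresh IV per wrap (assumption)
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(symmetricKey), cipher.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  return { iv, ct, tag };
}

// After download: verify the blob first, then recover the original symmetric key.
function unwrapKey(stretchedMasterKey, { iv, ct, tag }) {
  const { encKey, macKey } = subkeys(stretchedMasterKey);
  const expected = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    throw new Error('wrapped key rejected: wrong master key or modified blob');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Constructed demo values; PBKDF2 stands in for the unspecified stretching step.
function demo() {
  const masterKey = crypto.pbkdf2Sync('constructed passphrase', 'user@example.test',
                                      100000, 32, 'sha256');
  const symmetricKey = crypto.randomBytes(32); // second secret from the CSPRNG
  const stored = wrapKey(masterKey, symmetricKey);
  const recovered = unwrapKey(masterKey, stored);
  let wrongKeyRejected = false;
  try { unwrapKey(crypto.randomBytes(32), stored); } catch { wrongKeyRejected = true; }
  return { roundTrip: recovered.equals(symmetricKey), wrongKeyRejected,
           storedLen: stored.ct.length };
}
```

Without the integrity tag, a CBC unwrap under the wrong key fails only when the padding check happens to fail, so it can occasionally return garbage instead of an error.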