# Two-secret Key Derivation

> Introduction to the two-secret key derivation process that Locker applies to protect keys stored on the server

To ensure that keys stored on Locker's servers can only be used by their owners, Locker applies a "two-secret key derivation" process when creating symmetric keys used to encrypt and decrypt data stored on the server.

In the data encryption step, before anything is sent to the server, the user creates a stretched master key, which serves as the first secret. The [CSPRNG algorithm](/en/locker-whitepaper/security-fundamentals/cryptographically-secure-pseudorandom-number-generator) then generates a cryptographically secure random symmetric key, which encrypts the data and serves as the second secret. Both secrets are passed as input parameters to the [AES-256-CBC algorithm](/en/locker-whitepaper/security-fundamentals/aes-256-cbc-encryption), producing an entirely new key that is backed up on the server.

In the data decryption step, the stretched master key again serves as the first secret, and the second secret is the new key produced in the step above, retrieved from the server. Together they are used to derive the original symmetric key, which then decrypts the data.
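
The encryption and decryption steps described above, as an added example in Node.js; this is not Locker's code. It assumes the stretched master key is a 32-byte value (PBKDF2-HMAC-SHA256 stands in for the stretching function, which the page does not name), that the IV is stored in front of each ciphertext, and all function names and sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// AES-256-CBC with a fresh random IV per call; returns IV || ciphertext.
function cbcEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}

// Returns the plaintext, or null when the padding check fails
// (the usual outcome of decrypting with the wrong key).
function cbcDecrypt(key, blob) {
  try {
    const d = crypto.createDecipheriv('aes-256-cbc', key, blob.subarray(0, 16));
    return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
  } catch {
    return null;
  }
}

// First secret. Assumption: PBKDF2 parameters are illustrative only.
function stretchedMasterKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// Encryption step, on the client before upload.
function clientEncrypt(stretchedKey, data) {
  const symmetricKey = crypto.randomBytes(32); // second secret, from the CSPRNG
  return {
    protectedKey: cbcEncrypt(stretchedKey, symmetricKey), // new key backed up on the server
    ciphertext: cbcEncrypt(symmetricKey, Buffer.from(data, 'utf8')),
  };
}

// Decryption step, on the client after download.
function clientDecrypt(stretchedKey, record) {
  const symmetricKey = cbcDecrypt(stretchedKey, record.protectedKey);
  if (symmetricKey === null || symmetricKey.length !== 32) return null;
  const plaintext = cbcDecrypt(symmetricKey, record.ciphertext);
  return plaintext === null ? null : plaintext.toString('utf8');
}

// Constructed sample values.
const salt = Buffer.from('user@example.com');
const ownerKey = stretchedMasterKey('correct horse battery staple', salt);
const record = clientEncrypt(ownerKey, 'constructed vault item');
console.log(clientDecrypt(ownerKey, record));
console.log(clientDecrypt(stretchedMasterKey('wrong guess', salt), record));
```

The record holds only the protected key and the ciphertext, so the server-side copy is unusable without the first secret. Rejection of a wrong first secret here comes from the CBC padding check and the length test, which is not authentication; the page does not say whether an integrity check is applied on top.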
