User data in the Vault is fully encrypted before it is saved to the Locker database. The data is decrypted only at the Locker Client, for users to access and view. As with data encryption, decryption is performed if and only if account authentication has succeeded, and it is implemented completely client-side.
Decryption involves the following steps:
- The Client gets the Encrypted Symmetric Key and the Encrypted Vault Item from the Locker servers.
- The Client uses the Master Password entered by the user to generate the Stretched Master Key.
- The Client uses the Stretched Master Key and the AES-256-CBC encryption algorithm to decrypt the Encrypted Symmetric Key, obtaining the Symmetric Key.
- The Client decrypts the Encrypted Vault Item using the AES-256-CBC encryption algorithm and the Symmetric Key.
- The Client obtains the Vault Item and displays it to the user.
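
The steps above, written out for Node.js as an added example (not Locker's own code). It assumes PBKDF2-HMAC-SHA256 for key stretching, a per-account salt, 100,000 iterations and an `iv || ciphertext` blob layout, none of which are specified on this page; all function names are hypothetical.

```javascript
// Added example, not Locker's code. The KDF, salt, iteration count and the
// iv-prefixed blob layout are assumptions made for illustration.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed; the page does not give a value

// Step 2: Master Password -> Stretched Master Key (assumed PBKDF2-HMAC-SHA256).
function stretchMasterKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// AES-256-CBC helpers; assumed blob layout is iv (16 bytes) || ciphertext.
function aesCbcEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}
function aesCbcDecrypt(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// Steps 3-5: unwrap the Symmetric Key, then decrypt the Vault Item.
function decryptVaultItem(masterPassword, salt, encSymmetricKey, encVaultItem) {
  const stretched = stretchMasterKey(masterPassword, salt);
  let symmetricKey;
  try {
    symmetricKey = aesCbcDecrypt(stretched, encSymmetricKey);
  } catch (e) {
    throw new Error('wrong master password or corrupted key blob');
  }
  // CBC does not authenticate ciphertext: a wrong key can occasionally pass
  // the padding check, so the unwrapped key length is verified as well.
  if (symmetricKey.length !== 32) {
    throw new Error('wrong master password or corrupted key blob');
  }
  return aesCbcDecrypt(symmetricKey, encVaultItem).toString('utf8');
}

// Constructed sample data standing in for what the servers return (step 1).
function buildSample(masterPassword, salt, itemJson) {
  const symmetricKey = nodeCrypto.randomBytes(32);
  const stretched = stretchMasterKey(masterPassword, salt);
  return {
    encSymmetricKey: aesCbcEncrypt(stretched, symmetricKey),
    encVaultItem: aesCbcEncrypt(symmetricKey, Buffer.from(itemJson, 'utf8')),
  };
}
```

A wrong Master Password fails at the key-unwrapping step, so the Vault Item ciphertext is never processed with a bad key.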
Data decryption is illustrated in detail below.