Locker always encrypts and/or hashes user data on the user’s local device before sending anything to the servers for storage. The Locker servers only store encrypted data. The Vault can only be decrypted with the encryption keys derived from the user’s Master Password. Locker is a zero-knowledge solution: the user is the only person who has access to the encryption keys and can decrypt the Vault.
- The Client retrieves the Encrypted Symmetric Key from the Locker servers.
- The Client derives the Stretched Master Key from the given Master Password.
- The Client recovers the Symmetric Key by decrypting the Encrypted Symmetric Key with AES-256-CBC, using the Stretched Master Key as the key.
- The Client encrypts the given Vault Item (e.g. passwords, credit card information, identity information…) with AES-256-CBC, using the Symmetric Key as the key.
- The Client obtains the Encrypted Vault Item and stores it on the Locker servers.
The process is described in the diagram below.