Locker encrypts the Vault with the AES-256-CBC encryption algorithm and derives the AES-256-CBC encryption keys with PBKDF2 (Password-Based Key Derivation Function 2).
Locker always encrypts and/or hashes user data on the user's local device before sending anything to the servers for storage. The Locker servers are only used to store encrypted data. The Vault can only be decrypted with the encryption keys derived from the user's Master Password. Locker is a zero-knowledge solution: the user is the only person who holds the encryption keys and can decrypt the Vault.
Only after successful authentication can the user add items to the Vault, and only then does data encryption begin. The main steps of this process are:
- The Client retrieves the Encrypted Symmetric Key from the Locker servers.
- The Client derives the Stretched Master Key from the given Master Password.
- The Client recovers the Symmetric Key by decrypting the Encrypted Symmetric Key with AES-256-CBC, using the Stretched Master Key as the key.
- The Client encrypts the given Vault Item (e.g. passwords, credit card information, identity information) with AES-256-CBC, using the Symmetric Key as the key.
- The Client obtains the Encrypted Vault Item and stores it on the Locker servers.
The process is described in the diagram below.