I have spent hours trying to clarify what the point of changing the password is, since it doesn’t re-encrypt your data.
And then, maybe, my conclusion is: if I want to change the password (re-encrypt my data with a new key), I need to create a new vault (which means creating a new key to encrypt my data). And this is only needed if the cloud service keeps previous versions of files, because changing the password doesn’t change the KEY (used to encrypt data). So if someone can restore a previous version, they can use the old password to decrypt all my new and old data.
If I use Cryptomator on a PC (locally) without previous versions of files turned on, I can change the password and I don’t need to create a new vault.
Am I right?
Another thing:
Moving files and folders between vaults means the files need to be decrypted from the old vault and then encrypted into the new vault. My files on OneDrive on my PC are always in the cloud, not available offline on my PC. Does this process mean all my files and folders need to be downloaded to my PC and then moved to the new vault?
Use-Case 1: I wanted to give someone temporary access to my vault. I gave him my password. Now I want to revoke this access, so I change the password.
Use-Case 2: my password got leaked. I have to set up a new one.
This is correct. If you want to re-encrypt your vault, you have to set up a new one. Keep in mind: if your vault is online, this means that the complete amount of data in your vault is downloaded once (if not already locally available) and re-uploaded.
If you restore your old masterkey file from a backup that was made before the password change, you can of course open your vault and see all its content with the old password, but you can’t open it with the new password any more. The key to your vault is always the masterkey file and its corresponding password. You can’t open your vault with only the file, or with only the password.
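The relationship the reply above describes, as an added example (not Cryptomator’s own code): a toy masterkey file in Python where a password change only re-wraps the unchanged master key, so a restored old file plus the old password still yields the key protecting all the data, while only a new vault gets a different key. The XOR wrap, HMAC tag and small scrypt parameters are simplifications assumed here; Cryptomator itself uses scrypt with AES key wrap.

```python
import hashlib
import hmac
import secrets

# Toy model of a masterkey file (added example, not Cryptomator code).
# The XOR-with-KEK wrap stands in for AES key wrap; the structure is what matters.

def derive_kek(password: bytes, salt: bytes) -> bytes:
    # scrypt cost parameters kept small so the demo runs quickly
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def create_masterkey_file(password: bytes, master_key=None) -> dict:
    """Wrap a new (or given) 256-bit master key under a password-derived KEK."""
    master_key = master_key or secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    wrapped = _xor(master_key, kek)            # stand-in for AES key wrap
    tag = hmac.new(kek, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_master_key(mk_file: dict, password: bytes) -> bytes:
    """Recover the master key; fails if the password does not match this file."""
    kek = derive_kek(password, mk_file["salt"])
    expected = hmac.new(kek, mk_file["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, mk_file["tag"]):
        raise ValueError("wrong password for this masterkey file")
    return _xor(mk_file["wrapped"], kek)

def change_password(mk_file: dict, old_pw: bytes, new_pw: bytes) -> dict:
    """Password change: re-wrap the SAME master key; encrypted data is untouched."""
    return create_masterkey_file(new_pw, unwrap_master_key(mk_file, old_pw))

def scenario() -> dict:
    old_pw, new_pw = b"old-password", b"new-password"     # constructed sample values
    old_file = create_masterkey_file(old_pw)               # vault as first created
    new_file = change_password(old_file, old_pw, new_pw)   # after password change
    fresh_vault = create_masterkey_file(new_pw)            # a genuinely new vault
    try:
        unwrap_master_key(new_file, old_pw)
        old_pw_opens_new_file = True
    except ValueError:
        old_pw_opens_new_file = False
    old_key = unwrap_master_key(old_file, old_pw)
    return {
        # restored old file + old password yields the key that still protects all data
        "old_backup_same_key": old_key == unwrap_master_key(new_file, new_pw),
        "old_pw_opens_new_file": old_pw_opens_new_file,
        # only a new vault gets a different data key
        "new_vault_same_key": old_key == unwrap_master_key(fresh_vault, new_pw),
    }
```

Running scenario() shows the old backup still recovers the current data key while the new file rejects the old password, which is why deleting old versions of the masterkey file (or creating a new vault) matters.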
So, I have an idea: when I change the password, which means I change the “masterkey.cryptomator” file, then, to prevent everyone including me from restoring previous versions of this “masterkey.cryptomator” file (which means restoring the old password), I will download this masterkey file and save it locally, and then delete the “masterkey” file on the cloud (of course I will also delete it from the “trash” if it goes there). After this, I will upload the “masterkey” with the new password to the cloud.
This step means the cloud service doesn’t have a previous version of “masterkey.cryptomator” (old password).
What do you think about this? I’m using OneDrive (Microsoft service).
This should work. Please do not forget to make a backup and then delete online all the masterkey.bkup files that are created by Cryptomator, just to be sure. You do not need to upload them again. Cryptomator will create new backups after a successful vault unlock.