What happens exactly when I change password of a vault?


#1

I know that the encryption and MAC keys are derived from the password using masterkey.cryptomator and these keys are used to decrypt/encrypt the files.

But when I change password of a vault, what happens exactly? I am able to read old files and also create new files, but the old password is gone which means the old encryption and MAC keys are gone which means I shouldn’t be able to read the old files but I am.

Thanks in advance.


#2

Nope. The password is used to derive a KEK, which is then used to encrypt further keys. The KEK changes, but the keys encrypted with the KEK will stay the same.

The actual files will not get re-encrypted, meaning you cannot upgrade a weak passphrase to a stronger one once the data has been synced to a service that allows recovery of older versions of the masterkey file.
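The key-wrapping scheme described in the reply above, as an added example that is not part of the original post and is not Cryptomator's code. It assumes stand-ins throughout: PBKDF2 as the KDF, an HMAC-based wrap, and hypothetical field names `salt` and `wrapped` for the masterkey file.

```python
import hashlib, hmac, os

def derive_kek(password: str, salt: bytes) -> bytes:
    # Stand-in KDF (PBKDF2); the page does not name the KDF Cryptomator uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(kek, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _tag(kek: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def wrap(kek: bytes, keys: bytes) -> bytes:
    # Toy authenticated wrap (stand-in for a real key-wrap algorithm).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(keys, _keystream(kek, nonce, len(keys))))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        raise ValueError("wrong password or corrupted masterkey file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def _seal(password: str, keys: bytes) -> dict:
    salt = os.urandom(16)  # fresh salt, so the KEK changes on every re-seal
    return {"salt": salt, "wrapped": wrap(derive_kek(password, salt), keys)}

def create_masterkey_file(password: str) -> dict:
    # Encryption key and MAC key are random; they never depend on the password.
    return _seal(password, os.urandom(32) + os.urandom(32))

def unlock(mk_file: dict, password: str) -> tuple:
    keys = unwrap(derive_kek(password, mk_file["salt"]), mk_file["wrapped"])
    return keys[:32], keys[32:]  # (encryption key, MAC key)

def change_password(mk_file: dict, old: str, new: str) -> dict:
    # Only the wrapping changes; the file-encryption keys are carried over.
    enc_key, mac_key = unlock(mk_file, old)
    return _seal(new, enc_key + mac_key)

if __name__ == "__main__":
    old_file = create_masterkey_file("weak")  # constructed sample passwords
    new_file = change_password(old_file, "weak", "long strong passphrase")
    same = unlock(new_file, "long strong passphrase") == unlock(old_file, "weak")
    print("same file keys after password change:", same)
```

A retained copy of `old_file` still yields the same keys with the old password, which is why a recoverable older masterkey file keeps the weak passphrase relevant.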


#3

That’s interesting.
So, if I’d like to encrypt old data with new, stronger password, I have to re-encrypt everything, right?


#4

Yes, in that case you need to create a new vault and drag the data from the old to the new one. Make sure to wipe all backups of the old vault afterwards.