What happens exactly when I change the password of a vault?


I know that the encryption and MAC keys are derived from the password using masterkey.cryptomator and these keys are used to decrypt/encrypt the files.

But when I change the password of a vault, what happens exactly? I am able to read old files and also create new files, but the old password is gone, which means the old encryption and MAC keys are gone, which means I shouldn’t be able to read the old files, but I am.

Thanks in advance.

Nope. The password is used to derive a KEK, which is then used to encrypt further keys. The KEK changes, but the keys encrypted with the KEK will stay the same.

The actual files will not get re-encrypted, meaning you cannot upgrade a weak passphrase to a stronger one once the data has been synced to a service that allows recovery of older versions of the masterkey file.
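A worked model of the KEK indirection described above (an added example, not Cryptomator's own code): the password derives a KEK with scrypt, the KEK only wraps the random encryption and MAC keys, and a password change re-wraps those same keys under a new KEK, so an old copy of the masterkey file still opens with the old password. The HMAC-based wrap is a simplified stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os
import secrets

# Simplified model of a masterkey file (illustrative, not Cryptomator's own code).
# The password never touches file data: it derives a KEK (scrypt), and the KEK only
# wraps the two random keys that actually encrypt and authenticate files.
# The wrap below is an HMAC-SHA256 stream + tag, a stand-in for a real key wrap.

def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(kek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def wrap(kek: bytes, key: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    return {"nonce": nonce, "ct": ct,
            "tag": hmac.new(kek, nonce + ct, hashlib.sha256).digest()}

def unwrap(kek: bytes, blob: dict) -> bytes:
    tag = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password: KEK does not authenticate wrapped key")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, blob["nonce"], len(blob["ct"]))))

def _masterkey_file(password: str, enc_key: bytes, mac_key: bytes) -> dict:
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    return {"salt": salt, "enc": wrap(kek, enc_key), "mac": wrap(kek, mac_key)}

def create_vault(password: str) -> dict:
    # Fresh random content keys; these never change for the vault's lifetime.
    return _masterkey_file(password, secrets.token_bytes(32), secrets.token_bytes(32))

def unlock(password: str, mk: dict) -> tuple:
    kek = derive_kek(password, mk["salt"])
    return unwrap(kek, mk["enc"]), unwrap(kek, mk["mac"])

def change_password(old_pw: str, new_pw: str, mk: dict) -> dict:
    # Unwrap with the old KEK, then re-wrap the *same* content keys under a new KEK.
    enc_key, mac_key = unlock(old_pw, mk)
    return _masterkey_file(new_pw, enc_key, mac_key)

def old_copy_still_unlocks(old_pw: str, old_mk: dict) -> bool:
    # A synced or backed-up copy of the old masterkey file keeps working with the old password.
    try:
        unlock(old_pw, old_mk)
        return True
    except ValueError:
        return False
```

Because the content keys survive the change, any retained copy of the old masterkey file plus the old password still unlocks every file, which is why the backups have to go.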


That’s interesting.
So, if I’d like to encrypt old data with a new, stronger password, I have to re-encrypt everything, right?


Yes, in that case you need to create a new vault and drag the data from the old to the new one. Make sure to wipe all backups of the old vault afterwards.