Master Password
Your master password is the single credential that protects every secret stored in CloudKeep. It is never transmitted to our servers in plain text and is never stored anywhere — not even in encrypted form. Instead, CloudKeep uses it locally on your device to derive the cryptographic keys that encrypt and decrypt your vaults.
What Is the Master Password?
The master password is a passphrase you choose during account setup. It serves two critical purposes:
- Authentication — proves you are the account owner without revealing the password itself (via a secure challenge-response flow).
- Key Derivation — generates the 256-bit encryption key used to lock and unlock your vault data.
How Key Derivation Works
When you enter your master password, CloudKeep runs the following process entirely in your browser:
- Your master password and a unique, per-account salt are fed into PBKDF2-HMAC-SHA256 with 600,000 iterations.
- The output is a 256-bit master key that is used to decrypt your encrypted vault key stored on the server.
- The decrypted vault key is then used to encrypt and decrypt individual secrets with AES-256-GCM.
masterPassword + salt → PBKDF2 (600k rounds) → masterKey
masterKey → decrypt(encryptedVaultKey) → vaultKey
vaultKey → AES-256-GCM → encrypt/decrypt secrets
Because the master password never leaves your device, CloudKeep operates under a zero-knowledge model: we cannot decrypt your data even if compelled to.
Choosing a Strong Master Password
Since the master password is the single point of entry to all your secrets, choosing a strong one is essential.
Do
- Use at least 14 characters — longer is better
- Use a passphrase of 4-6 random words (e.g., correct-horse-battery-staple)
- Mix in numbers and symbols if you can remember them
- Choose something unique — never reuse a password from another site
Don't
- Use personal information (birthdays, pet names, addresses)
- Use dictionary words without modification
- Use passwords you have used elsewhere
- Write it down in an unprotected digital file
Changing Your Master Password
You can change your master password at any time from Settings → Security.
- Enter your current master password to verify your identity.
- Enter and confirm a new master password.
- CloudKeep re-derives a new master key, re-encrypts your vault keys with the new master key, and stores the updated encrypted vault keys on the server.
Changing the master password does not re-encrypt every individual secret — only the vault key wrapper changes — so the operation is fast regardless of how many secrets you have.
What Happens If You Forget It
Because of the zero-knowledge design, CloudKeep cannot reset your master password. If you forget it, you have two options:
- Recovery Key — if you saved the recovery key generated during setup, you can use it to regain access and set a new master password. See the Account Recovery page.
- Emergency Access — if you have a trusted contact configured with emergency access, they can initiate the recovery process on your behalf after a waiting period. See Sharing & Emergency Access.
If neither option is available, your encrypted data is permanently inaccessible. This is an intentional security trade-off: nobody, including CloudKeep staff, can access your secrets without your master password or recovery key.
Related Documentation
- Getting Started — initial account setup walkthrough
- Two-Factor Authentication — add a second layer of login protection
- Account Recovery — using your recovery key