The current system assumes a single email and password, which is then used to derive the encryption key and server password.
If a user only ever wants to use an app locally, it is not a great experience having to supply an email.
Could encryption be disabled until a server is used?
Could encryption happen at the networking layer only?
Could the encryption password be completely different from the server password?
The KDF salt could be randomly generated and stored locally alongside protectedMasterKey. When the user enters the password, the salt is read back from that data and used to derive the key that decrypts the master key (the same applies to a passcode). When a user creates an account, the same KDF function from Encryption spec v1 could be used to generate the server password, but without splitting the KDF output. The protectedMasterKey value can then be uploaded when the user signs up. On login it is downloaded and, once the user enters their encryption password, used to decrypt the user's content. If the encryption password and server password are allowed to be the same string, the two derivations need distinct salts (or some other domain separation) so that the server-side credential is never equal to the key that unwraps protectedMasterKey.
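The flow sketched above, written out as an added example (this is not the project's code and does not follow Encryption spec v1 byte-for-byte): a random salt stored next to protectedMasterKey, the master key unwrapped by re-deriving the key from the stored salt, and the server password produced by the same KDF with its full output. PBKDF2-HMAC-SHA256 stands in for the spec's KDF, an HMAC-based encrypt-then-MAC wrap stands in for a real AEAD, and the field names, iteration count and email-derived server salt are assumptions. The same protect/unprotect pair also covers the passcode case, since a passcode is just another password that wraps the same master key.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the project's own code. Field names, iteration count,
# the wrapping construction and the server-salt derivation are assumptions.
KDF_ITERATIONS = 100_000  # assumed; tune to target devices


def kdf(password, salt, length=32):
    """Password KDF; PBKDF2-HMAC-SHA256 stands in for the spec's KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=length)


def _subkey(kek, label):
    """Split the key-encryption key into separate encryption and MAC keys."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def protect_master_key(master_key, encryption_password, salt=None, nonce=None):
    """Wrap the random master key under a key derived from the encryption password.

    The salt is stored in the clear beside the ciphertext: it is not secret, it
    only has to be available again when the user re-enters the password.
    """
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    kek = kdf(encryption_password, salt)
    ciphertext = _xor(master_key, _keystream(_subkey(kek, b"enc"), nonce, len(master_key)))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"kdfSalt": _b64(salt), "nonce": _b64(nonce),
            "ciphertext": _b64(ciphertext), "tag": _b64(tag)}


def unprotect_master_key(protected, encryption_password):
    """Re-derive the KEK from the stored salt and unwrap; raises on a wrong password."""
    salt, nonce, ciphertext, tag = (base64.b64decode(protected[k])
                                    for k in ("kdfSalt", "nonce", "ciphertext", "tag"))
    kek = kdf(encryption_password, salt)
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong encryption password or corrupted protectedMasterKey")
    return _xor(ciphertext, _keystream(_subkey(kek, b"enc"), nonce, len(ciphertext)))


def derive_server_password(server_password, email):
    """Server auth secret: same KDF, full (unsplit) output, per-account salt.

    The salt is derived from the email (assumption) so it is reproducible at
    login; the label keeps it distinct from the locally stored KDF salt, so the
    server credential never equals the key that unwraps protectedMasterKey.
    """
    salt = hashlib.sha256(b"server-password-salt:" + email.encode("utf-8")).digest()[:16]
    return kdf(server_password, salt).hex()


def sign_up(protected_master_key, server_password, email):
    """Account creation: local data already exists; upload protectedMasterKey."""
    return {"email": email,
            "serverPassword": derive_server_password(server_password, email),
            "protectedMasterKey": protected_master_key}


def login(server_record, server_password, encryption_password):
    """Authenticate, download protectedMasterKey, unwrap it locally."""
    presented = derive_server_password(server_password, server_record["email"])
    if not hmac.compare_digest(presented, server_record["serverPassword"]):
        raise PermissionError("server rejected credentials")
    return unprotect_master_key(server_record["protectedMasterKey"], encryption_password)


if __name__ == "__main__":
    # Local-only use first: no email, just an encryption password.
    master_key = os.urandom(32)
    local = protect_master_key(master_key, "local only passphrase")
    # Later the user signs up with a different server password.
    record = sign_up(local, "server login password", "user@example.com")
    assert login(record, "server login password", "local only passphrase") == master_key
    print("round trip ok")
```

The server only ever sees `serverPassword` and the opaque `protectedMasterKey` blob; the encryption password and the master key never leave the device, and a wrong encryption password fails on the tag check rather than yielding a garbage key.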