johnozbay
commented
2 years ago Hi there! 👋🏻
In short, we use something called key-wrapping. You can read more about this here : https://en.wikipedia.org/wiki/Key_wrap
Basically, during signup, in your browser, Cryptee generates a long unique string to use as a strong encryption key, or a Data Encryption Key (DEK). Also during signup, the encryption key you've typed (EK) goes through a password-based key derivation function (PBKDF) and gets hashed (HEK), and the final result is used as your Key Encryption Key. (KEK) – then the generated DEK gets encrypted with your KEK.
All your files/data are encrypted using DEK.
And DEK is encrypted using KEK.
This way, you can change your EK, without having to download, decrypt and re-encrypt all your files (which were encrypted using DEK)
Neither of these DEK, EK or KEK are sent to Cryptee.
This flow is quite similar to how other client-side encrypted service providers like Protonmail etc tackles the challenge as well.
This flow is often called a convenience key / data encryption key in cryptography. If you’d like to learn more about some of these common cryptographic key flows / concepts, I’d recommend reading this article, it explains some of these concepts broadly:
https://en.wikipedia.org/wiki/Glossary_of_cryptographic_keys
Hoping this makes sense and helps! ✌🏻
Best, J
All files in cryptee are encrypted client side from the encryption key which only user knows and then stored in cryptee
When user changes encryption key, then how crypt will manage to decrypt files encrypted with previous encryption key??