Locker encrypts the Vault with the AES-256-CBC encryption algorithm and uses the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to derive the encryption keys for that AES-256-CBC encryption.

Locker always encrypts and/or hashes user data on the user's local device before sending anything to the servers for storage. The Locker servers are only used to store encrypted data. The Vault can only be decrypted with the encryption keys derived from the user's Master Password. It should be noted that Locker is a zero-knowledge solution, which means that the user is the only person who has access to the encryption keys and can decrypt the Vault.

Only after successful authentication can the user add items to the Vault, and only then does data encryption begin. The main ideas behind this process are:

The process is described in the diagram below.

[Diagram: encrypt_vault_item.svg]