To ensure the keys stored on the Locker servers can be used only by their owners, Locker applies the two-secret key derivation in symmetric key generation for encryption and decryption of data stored on the servers.

In the encryption step, the user will create a stretched master key as the first secret. Then the Cryptographically Secure Pseudorandom Number Generator will generate a secure random symmetric key to encrypt the data and to serve as the second secret. These two secrets are fed as input to the AES-256-CBC algorithm, which produces a completely new key for storage on the servers.

In the decryption step, the stretched master key again acts as the first secret, and the second secret is the key that is created from the encryption step described above and is retrieved from the servers. These secrets will be used to derive the original symmetric key for data decryption.