Changing Master Password vs Rotating account Keys

Can someone please clarify the difference between changing master password and rotating the account key? From what I can read from the doc, the account key is derived from the master password. I am asking mostly because it indicated that changing the key can result in data corruption.

  1. If the account key is derived from the master password, wouldn’t changing the master password result in rotating the key?
  2. If this is the case, wouldn’t changing the master password without logging out of everything be dangerous and could result in data corruption?
  3. If you change the key and something screws up, you can’t restore using the encrypted backup?
  4. Why would someone change the key without changing the master password anyway? What’s the use case for that?

I have not changed my master password, but now I am nervous about data corruption. I am thinking that I should:

  1. Make an unencrypted backup of the vault. This is because if the key messes up, the backup won’t help me. I just need to make sure it’s stored somewhere offline and gets destroyed later or put into an encrypted volume.
  2. Log out of all of my clients.
  3. Carefully record my new master password before typing it in or better yet paste it in.

This has been explained well by @anon44418554 in this post:

Changing your master password cannot corrupt your vault. The vault can only become corrupted if you first rotate your “account encryption key” (a.k.a. Generated Symmetric Key) in the web app while other client apps remain logged in (using a now “stale” account encryption key), and if you subsequently attempt to use one of the client apps to update the vault.

This has implications for those who use disk imaging software to back up their systems – if you rotate your encryption key and subsequently have to restore a disk image that contains locked vaults from before the key rotation, you will corrupt your web vault if you open a client app and make modifications to vault items.

Thanks for the warning about backup and restore, but since the key is generated from the master password, wouldn’t changing it rotate the key? Why would changing the master password not cause corruption while rotating the key would? Both operations would essentially rotate the key.

I am still not clear on why someone would rotate a key? Perhaps a security measure to prevent hacker decryption without changing your master password?

No, the “key” (i.e., the Generated Symmetric Key, a.k.a. “account encryption key”) is not generated from the master password — it is generated by a random-number generator.

The Generated Symmetric Key is symmetric, so it is used both to encrypt your secrets into cipher strings stored in your encrypted vault, and to decrypt those cipher strings into plain text. The Generated Symmetric Key is literally the key that unlocks your vault. It should be rotated if there is ever a chance that it has gotten into the wrong hands. This could probably happen several ways; for example, if you have set the vault timeout to “Never”, the Generated Symmetric Key is saved (unencrypted) in persistent storage on your device, so if a bad actor gets access to your device (e.g., an “evil maid” attack), they could easily image your hard drive without your knowledge, and then read the saved Generated Symmetric Key (which, along with your encrypted vault, which is also saved in persistent storage on your device, will provide full access to all of the secret information in your vault). Even if your vault timeout has not been set to “Never”, the Generated Symmetric Key could be written to persistent storage during routine memory management by the operating system, during hibernation, or as part of a memory dump file generated by a crash.

The master password is used to generate a Stretched Master Key, which is also a symmetric key; it is used both to encrypt the Generated Symmetric Key (producing the Protected Symmetric Key), and to obtain the account encryption key (Generated Symmetric Key) by decrypting the Protected Symmetric Key. Thus, in essence, the master password unlocks the account encryption key, which in turn unlocks the vault. An analogy would be that the master password acts like the key to a lock box that holds your vault key (the Generated Symmetric Key). Thus, changing the master password (lock box key) would not affect the vault key (Generated Symmetric Key) or the way that secrets are placed in the vault or taken out of the vault.

Problems occur when an app needs to make a change to an item stored in the vault. After you edit the item in the app, the app then encrypts the secret information (using the Generated Symmetric Key) to produce a cipher string, which is then transmitted to the cloud vault and stored in your vault database in the cloud. However, the Generated Symmetric Key available to the app is the one in the “lock box” that it received when it last logged in. If this Generated Symmetric Key is “stale”, because you have rotated the account encryption key in the web vault (thus generating a new random number for the Generated Symmetric Key), then the cipher string that was just uploaded into your vault by the app cannot be decrypted by the new account key! And when you close your app (unless you have disabled “Lock with master password on restart” or set the timeout to “Never”), you will lose access to the stale account key, so your newly uploaded data is now unrecoverable.

Similar problems will not occur when you just change your master password. Any app still logged in (using the stale master password) can still decrypt and encrypt items using the same account encryption key as before, so uploaded cipher strings can still be decrypted in future sessions. The only difference is that after logging out and logging back in, the app receives a new version of the lock box (which opens with a new key — the master password), but the vault key contained in the lock box is the same key that was previously used to lock up your secrets in the encrypted vault.
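The lock-box model from the answer above, as an added example that is not part of the original thread and is not Bitwarden's code: a still-logged-in client uploads an edit after either a master password change or an account key rotation. The `seal`/`unseal` toy cipher (an HMAC-based stand-in for the real vault cipher), the function names, passwords and salt are all constructed for illustration.

```python
import hashlib, hmac, secrets

def stretch(password: str, salt: bytes) -> bytes:
    # Stand-in for deriving the Stretched Master Key from the master password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream built from HMAC-SHA256 in counter mode (illustration only).
    blocks = (hmac.digest(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256")
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(key, b"mac" + nonce + ct, "sha256")

def unseal(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key does not match the blob.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"mac" + nonce + ct, "sha256")):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def simulate(rotate_key: bool):
    salt = b"user@example.com"                  # constructed sample value
    vault_key = secrets.token_bytes(32)         # Generated Symmetric Key (random)
    protected = seal(stretch("old-pw", salt), vault_key)  # Protected Symmetric Key
    # A client logs in now and keeps its copy of the vault key in memory.
    stale_client_key = unseal(stretch("old-pw", salt), protected)
    if rotate_key:
        # Key rotation: new random vault key, same master password.
        vault_key = secrets.token_bytes(32)
        protected = seal(stretch("old-pw", salt), vault_key)
        current_pw = "old-pw"
    else:
        # Password change: same vault key, re-wrapped under the new password.
        protected = seal(stretch("new-pw", salt), vault_key)
        current_pw = "new-pw"
    # The still-logged-in client edits an item and uploads the cipher string.
    upload = seal(stale_client_key, b"edited item")
    # A fresh login unwraps the current vault key and tries to read the upload.
    fresh_key = unseal(stretch(current_pw, salt), protected)
    return unseal(fresh_key, upload)
```

`simulate(rotate_key=False)` returns the edited item, while `simulate(rotate_key=True)` returns `None`: the upload was encrypted under a key that no future login will ever receive.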