How can “login with device” work if the master password is not cached in memory or stored on disk?
To decrypt my vault data, the account encryption key is needed. The encryption key is derived from the master password. When I “login with device”, I do not enter the master password anywhere. That would mean that either the master password or the account encryption key has to be available - stored somewhere.
If yes, where is it stored? And is it ever purged from memory/disk?
The device approving the login request uses the public key, provided by the device requesting approval, to encrypt the account’s master key and master password hash that it knows, since you had to unlock that device. The requesting device uses a private key that only it knows to decrypt the information.
That would mean that either the master password or the account encryption key has to be available - stored somewhere. If yes, where is it stored? And is it ever purged from memory/disk?
It is either stored in memory, or persistently on disk, either in the secure storage, or in some cases, as a weakly encrypted (by the PIN) key along with your .json data.
On mobile devices, if you enable Biometrics unlock, it’s stored in the secure storage associated with the platform, and is only purged when logged out.
On mobile devices, if you enable PIN unlock, requiring a password on restart, then it’s only stored in memory. It’s purged from memory when you logout or reboot.
On the Windows platform, if you enable Biometrics/PIN unlock, requiring a master password on restart, then it’s stored in memory, and is purged when you log out or reboot.
On the Windows platform, if you enable Biometrics/PIN unlock, not requiring a master password on restart, then it’s stored in Windows “secure storage”/the .json file respectively, and is not purged until you log out.
Gotcha, thank you! So the encryption key is stored on the disk.
Btw, how do you know where on the disk it is stored? Browsing around I only found this:
When you set up a PIN or biometrics, a new encryption key derived from the PIN or biometric factor is used to encrypt the account encryption key, which you will have access to by virtue of being logged in, and stored on diskª.
ª - If you use the Lock with master password on restart option, this key is only stored in memory rather than on disk.