July 25, 2016
Passwords and AxCrypt
When a file is encrypted with AxCrypt, a random 128- or 256-bit key (as appropriate) is generated by AxCrypt. This key, which is never actually seen by anyone, is used to encrypt the file with AES-128 or AES-256. We call this key the master encryption key.
The master encryption key, in turn, is encrypted with your password and stored along with the encrypted file data in the resulting AxCrypt-encrypted file.
This design, which is standard good practice for encryption, also means we can do exciting things by encrypting that same master encryption key in other ways. Which we do, but that’s not the topic for this article.
Thus, as long as you know the password used to originally encrypt a file you can decrypt it with AxCrypt.
We also by default use the same password for the online account where we store your subscription status, your online password manager data if used, and your AxCrypt ID which is used primarily for the key sharing feature.
If you use the password change feature of the web site or the AxCrypt app, what happens is that we change the password for the data that we keep online, which includes re-encrypting anything you may keep in the password manager, and also your AxCrypt ID, which is stored as an AxCrypt-encrypted piece of data in our system.
To change your password, you must know the old one, since otherwise we cannot decrypt the data we store before encrypting it again with your new password.
We do not actually change the password for every encrypted file, since to do that we’d need access to every single one and decrypt them with the old password, and re-encrypt with the new.
But since we change the password for your AxCrypt ID, you will actually be able to open old files with the new password. More on how that actually works in a different article.
If you forget your password, you will lose access to everything ever encrypted with that password. On the server, this means your AxCrypt ID and your data in the online password manager.
But you can still regain access to the web account by requesting a password reset. This does not require you to know the old password, but it does require you to once again verify that you have access to the email account in question. This we do by sending an activation link once again to that email, and after clicking on it you can set a new password.
Remember, a password reset only gets you back so you can sign in and continue using the app and the web site; it does not allow you to regain access to files encrypted with the old password.
Svante, Developer and Co-Founder AxCrypt AB