Ok, it’s a little more complicated but I usually try to simplify it with the statement “An AxCrypt-encrypted file will always be possible to open if you know the original password used to encrypt it”.
Perhaps a better wording than “the original password used to encrypt it” would be the “the password used when the file was most recently (re-)encrypted”.
With AxCrypt 2, there are other factors involved as well. Here’s a more detailed description:
– The actual key used to encrypt the file is a purely random 128- or 256-bit key generated internally by AxCrypt. You never see this key. It’s called the Master Encryption Key in AxCrypt; in the literature it might be called a Session Key.
– This master key is in turn encrypted essentially with your password. In AxCrypt 2, this is the password you used to sign in to AxCrypt with.
– With AxCrypt 2, you also get an AxCrypt ID, which in technical terms is an RSA 4096-bit key pair. This is used for the key sharing feature, where an encrypted file can be shared with others and they can open it with their own passwords.
– Your own AxCrypt ID is also used to encrypt the master key. So for each file, the master key is encrypted at least twice – once with your password, and once with the sharing (public) part of your AxCrypt ID.
– If you use the key sharing feature, the same master key will be encrypted once for each recipient you share the key to the file with.
Now, if you change the password for your AxCrypt account, what really happens is that the secret (private) part of your AxCrypt ID is re-encrypted with your new password.
Let’s for this example also say that you’re sharing the key with one recipient.
You have an AxCrypt password for firstname.lastname@example.org: Secret4Alice
Your friend email@example.com has password: Bob4Ever
You sign in to AxCrypt with ‘Secret4Alice’.
You encrypt a file ‘CoolStuff.txt’.
AxCrypt generates a master key and encrypts ‘CoolStuff.txt’ into ‘CoolStuff-txt.axx’, and embeds the encrypted master key twice: once using your password ‘Secret4Alice’, and once using your AxCrypt ID.
You share the key to the file with Bob. Now the master key is encrypted three times in the same file: once using your password ‘Secret4Alice’, once using the ‘firstname.lastname@example.org’ AxCrypt ID and finally also using the ‘email@example.com’ AxCrypt ID.
It can now be decrypted with the password ‘Secret4Alice’ since, for one, it can decrypt the master key directly in the file, but since that is also the key to the encrypted AxCrypt ID you have, the master key can also be decrypted using that.
It can also be decrypted by Bob, since he has access to his private AxCrypt ID part, and can thus also decrypt one of the three copies of the master key embedded and encrypted in the file. Bob uses ‘Bob4Ever’ as his password for AxCrypt, so that’s the password that he is using to open the file.
Now you (Alice) change your AxCrypt password to ‘NewGood2Go’. This causes your (Alice’s) AxCrypt ID to be re-encrypted with the new password.
The situation we now have is that the file ‘CoolStuff-txt.axx’ can be opened with three different passwords:
1) The original password used when the file was encrypted: ‘Secret4Alice’.
2) The password to Alice’s AxCrypt ID: ‘NewGood2Go’.
3) The password to Bob’s AxCrypt ID: ‘Bob4Ever’.
This is what I mean when I say that the file can always be decrypted with the original password used to (re-)encrypt the file.
Finally, you, Alice, decide to open the file and edit it. This causes ‘CoolStuff-txt.axx’ to be re-encrypted. Since you changed your AxCrypt sign-in, you’re now using the password ‘NewGood2Go’ as the ‘original’ password. The file can now only be opened with two passwords (but actually in three ways):
1a) The original password used when the file was encrypted: ‘NewGood2Go’.
1b) The password to Alice’s AxCrypt ID: ‘NewGood2Go’.
2) The password to Bob’s AxCrypt ID: ‘Bob4Ever’.
Ok, I need to write this up with a few illustrations ;-)
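The key hierarchy described above, walked through as an added runnable model (this is example code written for this page, not AxCrypt’s implementation). It uses stand-in primitives: PBKDF2 for the password KDF, an HMAC-SHA256 stream plus MAC for symmetric encryption, and unpadded textbook RSA over fixed, publicly known Mersenne primes in place of the 4096-bit AxCrypt ID; the e-mail addresses and file contents are constructed. What it shows is exactly the three stages in the post: after sharing, after Alice’s password change (only her ID’s private half is re-encrypted, so the old password still opens the file via the direct wrap), and after Alice re-encrypts the file (the old password stops working).

```python
"""Toy model of the AxCrypt 2 key hierarchy from the post (example code, not AxCrypt's).
A random master key encrypts the file; the master key is wrapped once under the
user's password and once under each AxCrypt ID (RSA public half); the private
half of each ID is stored only encrypted under its owner's account password."""
import hashlib
import hmac
import os

def kdf(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte wrapping key (PBKDF2 stands in for AxCrypt's KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream of exactly n bytes."""
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Authenticated symmetric encryption: nonce || ciphertext || MAC."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError on a wrong key (MAC mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Toy RSA moduli built from known Mersenne primes (deterministic, far too small for real use).
MERSENNE = {"alice": (2**127 - 1, 2**89 - 1), "bob": (2**107 - 1, 2**61 - 1)}

class AxCryptID:
    """Stand-in for an AxCrypt ID: public half in the clear, private exponent
    stored only encrypted under the account password."""
    def __init__(self, email: str, password: str, primes):
        p, q = primes
        self.email, self.n, self.e = email, p * q, 65537
        d = pow(self.e, -1, (p - 1) * (q - 1))
        self.salt = os.urandom(16)
        self.encrypted_d = seal(kdf(password, self.salt), d.to_bytes(32, "big"))

    def wrap(self, master_key: bytes) -> int:
        return pow(int.from_bytes(master_key, "big"), self.e, self.n)

    def unwrap(self, password: str, c: int) -> bytes:
        d = int.from_bytes(unseal(kdf(password, self.salt), self.encrypted_d), "big")
        return pow(c, d, self.n).to_bytes(16, "big")

    def change_password(self, old: str, new: str) -> None:
        """Only the private half is re-encrypted; no file is touched."""
        d_bytes = unseal(kdf(old, self.salt), self.encrypted_d)
        self.salt = os.urandom(16)
        self.encrypted_d = seal(kdf(new, self.salt), d_bytes)

def encrypt_file(plaintext: bytes, password: str, owner: AxCryptID, recipients=()) -> dict:
    """Fresh master key, wrapped under the password and under every ID listed."""
    master_key, salt = os.urandom(16), os.urandom(16)
    return {"salt": salt,
            "password_wrap": seal(kdf(password, salt), master_key),
            "id_wraps": {i.email: i.wrap(master_key) for i in (owner, *recipients)},
            "body": seal(master_key, plaintext)}

def share_key(container: dict, password: str, recipient: AxCryptID) -> None:
    """Add one more copy of the master key, wrapped under the recipient's public half."""
    master_key = unseal(kdf(password, container["salt"]), container["password_wrap"])
    container["id_wraps"][recipient.email] = recipient.wrap(master_key)

def open_file(container: dict, password: str, ids=()):
    """Try the direct password wrap, then each ID the password unlocks; None if nothing works."""
    candidates = [lambda: unseal(kdf(password, container["salt"]), container["password_wrap"])]
    candidates += [lambda i=i: i.unwrap(password, container["id_wraps"][i.email])
                   for i in ids if i.email in container["id_wraps"]]
    for get_master_key in candidates:
        try:
            return unseal(get_master_key(), container["body"])
        except ValueError:
            continue
    return None

def openers(container: dict, ids) -> set:
    """Which of the three passwords from the post open the file right now."""
    return {pw for pw in ("Secret4Alice", "NewGood2Go", "Bob4Ever")
            if open_file(container, pw, ids) is not None}

def scenario() -> dict:
    """Replay the post's Alice/Bob story; returns the opening passwords at each stage."""
    alice = AxCryptID("alice@example.org", "Secret4Alice", MERSENNE["alice"])  # constructed
    bob = AxCryptID("bob@example.com", "Bob4Ever", MERSENNE["bob"])            # constructed
    ids = (alice, bob)
    f = encrypt_file(b"cool stuff", "Secret4Alice", alice)
    share_key(f, "Secret4Alice", bob)
    stages = {"shared": openers(f, ids)}
    alice.change_password("Secret4Alice", "NewGood2Go")
    stages["after_password_change"] = openers(f, ids)
    # Alice edits and saves: re-encrypted under her current password, sharing list kept.
    f = encrypt_file(b"cool stuff, edited", "NewGood2Go", alice, (bob,))
    stages["after_reencrypt"] = openers(f, ids)
    return stages

if __name__ == "__main__":
    for stage, pws in scenario().items():
        print(f"{stage}: {sorted(pws)}")
```

The design point worth noticing is in `change_password`: it never looks at any file, which is why ‘Secret4Alice’ keeps opening the file through its direct wrap until the file is rewritten. Anything that changes which passwords can open a file therefore has to re-encrypt the file itself, as the post’s last step does.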