How can apps be synced if they are encrypted?

How can Proton Mail, Notesnook, Proton Drive, etc. allow you to connect to a totally new device, even while your other devices are disconnected from the internet, and sync your data?

Since you are supposed to own the decryption key, how can they send this decryption key to your new device?

Note: I am using "device" to describe every session, so it could be an app, browser, etc.

I can’t speak for all services, but most back up your masterKey after encrypting it with another key that is derived from your password.

When you sign in on a new device, they derive the key from the password you entered, and use that key to decrypt your encrypted masterKey that was previously stored on their servers.

Note that key-derivation is an expensive operation that cannot be brute forced.

There is a more detailed explanation for how we do this at Ente here: Architecture.

13 Likes
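
The scheme described in the answer above, as an added example (not code from Ente, Proton or Notesnook): the master key is wrapped under a password-derived key, and only the wrapped record is stored server-side. scrypt and AES-256-GCM from Node's built-in `crypto` module are assumed stand-ins for whatever KDF and cipher a given service uses; the function names, cost parameters and passwords are hypothetical. It goes one step beyond the answer by showing that a password change re-wraps the same master key.

```javascript
const nodeCrypto = require('node:crypto');

// scrypt cost parameters: assumed values for this example, not any service's settings.
const KDF = { N: 2 ** 14, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Key-encryption key (KEK): derived on the device, never sent to the server.
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF);
}

// Encrypt the master key under the KEK; the returned record is what the server stores.
function wrapMasterKey(masterKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), nonce);
  const wrapped = Buffer.concat([cipher.update(masterKey), cipher.final()]);
  return { salt, nonce, wrapped, tag: cipher.getAuthTag() };
}

// New device: fetch the record, re-derive the KEK from the typed password, unwrap.
// Returns null when the GCM tag check fails (wrong password or tampered record).
function unwrapMasterKey(record, password) {
  const kek = deriveKek(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
  } catch {
    return null;
  }
}

// Password change re-wraps the same master key; user data is not re-encrypted.
function changePassword(record, oldPassword, newPassword) {
  const masterKey = unwrapMasterKey(record, oldPassword);
  if (masterKey === null) throw new Error('old password did not unwrap the master key');
  return wrapMasterKey(masterKey, newPassword);
}

// Constructed demo: the first device signs up, a second device logs in later.
function demo() {
  const masterKey = nodeCrypto.randomBytes(32); // generated once, on the first device
  const serverRecord = wrapMasterKey(masterKey, 'correct horse battery staple');
  const onNewDevice = unwrapMasterKey(serverRecord, 'correct horse battery staple');
  const wrongGuess = unwrapMasterKey(serverRecord, 'password123');
  return { recovered: onNewDevice.equals(masterKey), wrongGuess };
}
console.log(demo());
```

Anyone holding the stored record can test password guesses offline at the cost of one scrypt run per guess, so the protection is only as strong as the password and the KDF cost setting.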