Unlocking the PasswordLab Master Vault

When the master vault is locked, all access to PasswordLab is restricted, including the admin dashboard and user logins. This lock state ensures the highest level of data security during server restarts or emergency situations.

To restore access, an administrator must unlock the master vault using a secure, multi-party key-sharing system.

When Does the Vault Get Locked?

The master vault is automatically locked in the following scenarios:

  • After a server reboot
  • After a PasswordLab service restart
  • When an admin manually locks the vault via the admin panel

Once locked, no users can log in or access stored credentials until it is unlocked.

Requirements to Unlock the Vault

To unlock the master vault, you’ll need:

  • 3 valid key pieces from any 5 of the key-piece holders
  • Entered via the PasswordLab Web App in any order

During installation, up to 5 key pieces were securely distributed to selected admins via email. Only 3 of those are required to reconstruct the master key.

Step-by-Step: Unlocking the Vault

1. Open the Unlock Screen

  • Navigate to your PasswordLab domain.
  • You will see the Vault Unlock screen.

2. Enter Key Pieces

  • Each key-piece holder must open the PasswordLab Web App and enter their part of the key.
  • Order does not matter.
  • Once the third valid key is entered, the server will attempt to reconstruct the master key.

3. Validation and Unlock

  • If all key pieces are valid:

    • The vault is instantly unlocked.
    • All services resume and users can log in.

  • If any key piece is invalid:

    • The reconstruction process fails.
    • The process must be restarted from the beginning.

Example Demo

In our demo:

  • We entered 3 key pieces from a pool of 5.
  • The pieces were entered in a random order.
  • The vault was successfully unlocked.
  • We verified by logging in with:
    • Email
    • Password
    • Two-factor code

Everything worked as expected.

Under the Hood

PasswordLab uses a secure threshold cryptography algorithm to split and reconstruct the master key. If you're curious about how this works, check out our “Internal Working” video series.

Summary

Unlocking the PasswordLab master vault is quick, secure, and designed for collaboration. With 3 valid key pieces, you can safely restore access to your vault without compromising your data.