Zero knowledge encryption and onboarding

While methods may differ, onboarding is generally a zero knowledge encryption process.

  1. A user is invited to join an enterprise Team.

  2. A master key is created using their master password and email.

  3. A public and private key combination is created.

  4. The private key is encrypted with the user's master key.

  5. A hash of the master key, the encrypted private key, and the public key are stored on the server.

  6. The user’s invitation is updated once accepted and their keys are established.

    The user cannot decrypt any of the data yet, so they cannot see the Team.

  7. The Team owner or administrator confirms the user's membership.

    1. The owner who is confirming access decrypts their copy of the Team's private key using their own private key.

    2. The owner then encrypts the Team's private key with the new user's public key and stores this server side.

  8. The next time the user logs in they can now:

    • Decrypt the Team's private key using their private key.

    • Decrypt the content of the Team they have access to.
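
The steps above, sketched end to end with Node's built-in `crypto` module. This is an added example, not the product's code: the function names, PBKDF2-SHA256 with the email as salt, SHA-256 for the stored hash, AES-256-GCM, RSA-OAEP, and modelling the Team's private key as a 32-byte key that directly encrypts Team content are all assumptions.

```javascript
// Added example. KDF, ciphers and the 32-byte Team key are assumptions, not the product's scheme.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// AES-256-GCM helpers: wrap the private key under the master key, and protect Team content.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// Step 2: master key from master password and email (assumed: PBKDF2-SHA256, email as salt).
function deriveMasterKey(password, email) {
  return crypto.pbkdf2Sync(password, email, 100000, 32, 'sha256');
}
// Steps 3-5, client side: the return value is everything the server gets to store.
function enroll(password, email) {
  const masterKey = deriveMasterKey(password, email);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    masterKeyHash: crypto.createHash('sha256').update(masterKey).digest('hex'),
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    encPrivateKey: seal(masterKey, privateKey.export({ type: 'pkcs8', format: 'der' })),
  };
}

// Login, client side: re-derive the master key and unwrap the private key.
function unlockPrivateKey(password, email, record) {
  const der = unseal(deriveMasterKey(password, email), record.encPrivateKey);
  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Step 7: the owner unwraps their copy of the Team key and rewraps it for the new user.
function confirmMember(ownerPrivateKey, ownerWrappedTeamKey, newUserPublicKeyPem) {
  const teamKey = crypto.privateDecrypt({ key: ownerPrivateKey, ...OAEP }, ownerWrappedTeamKey);
  return crypto.publicEncrypt({ key: newUserPublicKeyPem, ...OAEP }, teamKey);
}

// Step 8: the user unwraps the Team key with their private key and decrypts Team content.
function readTeamItem(userPrivateKey, wrappedTeamKey, sealedItem) {
  const teamKey = crypto.privateDecrypt({ key: userPrivateKey, ...OAEP }, wrappedTeamKey);
  return unseal(teamKey, sealedItem).toString('utf8');
}
```

In this sketch the record returned by `enroll` is all the server holds: the master password, the master key and the plaintext private key never leave the client.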

See Encryption details.