Where does the password vault actually reside?

mrF Posts: 15 Enthusiast
edited July 2 in Password Vault

Hello,

This is very likely something explained somewhere on the F-Secure website but TBH, I don't really know where to look for that information. But anyways... I'd like to know if the password vault within F-Secure ID Protection and Total products resides (encrypted) on some cloud storage owned by F-Secure or if it's just local to the devices on which the products are installed?

Put another way, is it an online vault like LastPass, Bitwarden and the like, or is it just some local vault synced via F-Secure infrastructure but without any online copy?

Thanks in advance for any insight!

Accepted Answer

  • PawełP
    PawełP Posts: 396 Moderator
    Answer ✓

    Hello @mrF

    This is a very good question. Data security is our top priority, so this is all the more important when it comes to storing and synchronizing passwords in Password Vault.

    F-Secure Password Vault stores your passwords on the computer or mobile device you use to run the Password Vault. Your passwords are stored in encrypted format, and nobody can access them unless they know your master password and get access to your device.

    When you connect more devices, you can sync your passwords across your devices. For security reasons, we do not provide access to the passwords through F-Secure servers. We recommend that you sync your passwords with another device running the Password Vault, just in case you lose or break your device. No matter what happens to one of your devices, sync ensures that you will always have access to your passwords on the other devices.

    With F-Secure Password Vault, the data stored in the app is encrypted and decrypted only on your own device. Every time you enter your Password Vault master password, the Password Vault master password is used to generate an encryption key that descrambles your Password Vault data. This is done by using the PBKDF2 (Password-Based Key Derivation Function 2) standard, which adds a salt (random data) value to the password and hashes the resulting data with the HMAC-SHA256 function. This process gets repeated 20,000 times.

    Due to the double layer of encryption, the encryption key that descrambles your data is generated every time you enter your master password. In addition, the data you store in Password Vault cannot be accessed by anyone else. Neither the encryption key, nor your master password is stored on the device. When you turn off F-Secure Password Vault, the encryption key is destroyed.

    For additional information, see the discussion in our forum at this link: Does ID Protection send my passwords over Internet when I synchronize two devices? — F-Secure Community

    I hope it will be helpful.

    Have a good one.

    Pawel 

    Making every digital moment secure, for everyone
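The key derivation described in the accepted answer, as an added example that is not F-Secure's code and not part of the original posts: PBKDF2 with HMAC-SHA256 and 20,000 iterations, written out by hand so the salt and the repeated hashing are visible, then checked against Python's `hashlib.pbkdf2_hmac`. The 16-byte salt, the 32-byte key length, where the salt is stored, and the sample password are assumptions; the answer states none of them.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 20_000  # iteration count stated in the answer
KEY_LEN = 32         # assumption: 256-bit key; the answer gives no key length
SALT_LEN = 16        # assumption: 16-byte salt; the answer gives no salt size
SAMPLE_PW = "correct horse battery staple"  # constructed sample master password


def pbkdf2_sha256_manual(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) spelled out block by block."""
    out, block = b"", 1
    while len(out) < dklen:
        # Round 1: HMAC keyed with the password over salt || big-endian block index.
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        # Rounds 2..n: HMAC the previous output again and XOR every result together.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Same derivation via the standard library; the key is returned, never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, KEY_LEN)


def demo() -> dict:
    salt = os.urandom(SALT_LEN)  # random, not secret; assumption: stored with the vault data
    key = derive_key(SAMPLE_PW, salt)
    manual = pbkdf2_sha256_manual(SAMPLE_PW.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return {
        "matches_manual": hmac.compare_digest(key, manual),
        "same_inputs_same_key": key == derive_key(SAMPLE_PW, salt),
        "wrong_password_differs": key != derive_key(SAMPLE_PW + "!", salt),
        "new_salt_differs": key != derive_key(SAMPLE_PW, os.urandom(SALT_LEN)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key is a deterministic function of the master password and the salt, it can be regenerated on each unlock and discarded on lock, which is why neither the key nor the password needs to be stored.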


Answers

  • mrF
    mrF Posts: 15 Enthusiast

    Thank you for the reply and the technical details. 😁

    The thread you mention is giving the tl;dr:

    "During syncing, this same encrypted JSON structure is sent to the backend via HTTPS, and then other devices get it when they are running, still fully encrypted. So, the password data never gets decrypted during its travel from one device to another. Only the local devices themselves are able to perform the decrypting."

    https://community.f-secure.com/en/discussion/comment/129866/#Comment_129866

    👍️

This discussion has been closed.