Changing Your Password

You can change your master password at any time from the settings page. Because vaultctl is zero-knowledge, changing your password triggers a cryptographic re-keying process on your device.


What Happens When You Change Your Password

Changing your master password is not a simple update -- it involves several cryptographic steps performed entirely on your device:

  1. New key derivation -- A new encryption key is derived from your new password using Argon2id.
  2. Private key re-encryption -- Your RSA and Ed25519 private keys are re-encrypted with the new derived key.
  3. Session revocation -- All existing sessions across all devices are revoked immediately.
  4. Re-authentication required -- Every device must log in again with the new password.

Warning: All other devices are logged out immediately when you change your password. Make sure you know your new password before confirming the change.
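
Steps 1 and 2 above, sketched as an added example that is not vaultctl's own code. It assumes scrypt in place of Argon2id (Node's built-in crypto has no Argon2id) and AES-256-GCM for wrapping; the record layout and function names are hypothetical.

```javascript
// Added example (not vaultctl code). scrypt stands in for Argon2id, which Node's
// built-in crypto lacks; AES-256-GCM and the record layout are assumptions.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("crypto");

// Step 1: derive a 32-byte key-encryption key (KEK) from password + per-user salt.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Encrypt one private key under the KEK. The key's name is bound in as AAD so a
// wrapped RSA blob cannot be swapped in where the Ed25519 one is expected.
function wrap(kek, plaintext, name) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", kek, iv);
  cipher.setAAD(Buffer.from(name));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unwrap(kek, box, name) {
  const decipher = createDecipheriv("aes-256-gcm", kek, box.iv);
  decipher.setAAD(Buffer.from(name));
  decipher.setAuthTag(box.tag);
  // final() throws if the KEK (i.e. the password) or the name is wrong.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

function wrapAll(password, keys) {
  const salt = randomBytes(16); // fresh salt on every (re-)keying
  const kek = deriveKey(password, salt);
  const wrapped = {};
  for (const [name, key] of Object.entries(keys)) wrapped[name] = wrap(kek, key, name);
  return { salt, wrapped };
}

function unlock(account, password) {
  const kek = deriveKey(password, account.salt);
  const keys = {};
  for (const [name, box] of Object.entries(account.wrapped)) keys[name] = unwrap(kek, box, name);
  return keys;
}

// Step 2: unwrap with the current password, re-wrap under the new one. A wrong
// current password throws inside unlock(), so the stored record is never touched.
function changePassword(account, currentPassword, newPassword) {
  const keys = unlock(account, currentPassword);
  const next = wrapAll(newPassword, keys);
  Object.values(keys).forEach((k) => k.fill(0)); // best-effort wipe of plaintext copies
  return next; // caller replaces the old record with this one in a single write
}
```

Only the wrapped private keys and the salt change here; nothing encrypted under other keys is read or rewritten, which is why the operation takes seconds regardless of vault size.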


Steps to Change Your Password

Open settings

Go to Settings > Security > Change Password.

Step-up authentication

Re-enter your current master password to confirm your identity. If you have 2FA enabled, you will also need to enter a TOTP code.

Enter your new password

Type your new master password. Use a strong, unique password that you do not use anywhere else. The password strength meter provides real-time feedback.

Confirm your new password

Type the new password again to confirm.

Complete the change

Click Change Password. vaultctl re-derives your keys, re-encrypts your private keys, and revokes all sessions. This may take a few seconds.


After Changing Your Password

  • This device stays logged in with the new password.
  • All other devices (browser tabs, mobile, extension) are logged out and must log in with the new password.
  • Your vault data is unchanged. Items, folders, and shared vaults are not re-encrypted because they are protected by your vault key, not directly by your password.
  • Your recovery kit still works unless you regenerate it separately. Consider regenerating your recovery kit after a password change.

If you forget your current password, you cannot use this flow. Instead, use your recovery kit to set a new password.