[Question]: where is the derived encryption key persisted?

[cre8]

When reading the security paper the algorithm of how to generate the key from the password is explained, but I found no information about where the key for de/encrypting for the files on the server is stored.

Is there any documentation about it? Of course the derived encryption key is useless without having a valid access token to download + decrypt relevant information.

[cre8]

Seems to be here:

webclient/js/security.js

Line 1217 in 98288cd

u_storage.k = JSON.stringify(masterKeyArray32);

There aren't better ways to store it with latest technology, are there?

[dbm-mega]

Hello.
Q1 Answer:
Nodes (files/folders) keys are stored in the node's metadata (we call them node's attributes). The node's key is passed to the server along with other attributes after it gets encrypted with the user's Master-key.
Therefore, the servers will have an encrypted form of the node's key which cant be used to decrypt the node's content (data).

Only the user can decrypt nodes data after fetching their keys and using their own Master-key to decrypt the node's key, then use the decrypted node key to decrypt the data.

Q2 Answer:
This key storing is made for the purpose of keeping the session active for the user without the need for re-login.
So, the key gets stored if the user ticked "remember me" or till they log out.

[cre8]

Thank you for clarification.