Your password is the cornerstone of Tresorit's security model – it's never stored or transmitted in plain form, and Tresorit cannot access it. Instead, your password is used to derive cryptographic keys that protect your account and your data.
ℹ️ See how roaming and local profiles work.
Key derivation
Tresorit derives two cryptographically independent keys from your password:
- Master key – encrypts and decrypts your roaming profile.
- Authentication key – proves your identity to Tresorit's servers.
Both are generated using the scrypt key-derivation function (RFC 7914) with strong, memory-hard parameters designed to resist brute-force attacks.
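The derivation described above, as an added Python sketch that is not Tresorit's code: one scrypt pass produces a root secret, which is split into two domain-separated keys, and the authentication key then answers a server challenge without the password being sent. The cost parameters, salt handling, labels and the HMAC-based challenge-response are all assumptions for illustration; the page does not publish Tresorit's actual values or protocol.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for illustration; the page does not publish Tresorit's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Return (master_key, auth_key) derived from one password."""
    # One memory-hard scrypt pass (RFC 7914) produces a 32-byte root secret.
    root = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,
        dklen=32,
    )
    # Domain separation (assumed labels): HMAC with distinct inputs, so an
    # exposed auth key reveals nothing about the master key or the root.
    master_key = hmac.new(root, b"master-key\x01", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"auth-key\x01", hashlib.sha256).digest()
    return master_key, auth_key


def answer_challenge(auth_key: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of auth_key without sending it."""
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


def verify_response(stored_auth_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: constant-time comparison against the expected response."""
    expected = hmac.new(stored_auth_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-account salt
    master, auth = derive_keys("correct horse battery staple", salt)
    nonce = os.urandom(32)  # constructed server challenge
    print(verify_response(auth, nonce, answer_challenge(auth, nonce)))
```

Because the server in this sketch only ever sees the authentication key, a compromise of the verifier does not expose the master key that decrypts the roaming profile.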
Auto-login and device keys
Tresorit enables auto-login using device-specific private keys that never leave your device. One key authenticates you to Tresorit's servers, while the other decrypts your profile, allowing secure access without entering your password every time.
Single Sign-On (SSO)
If your organization uses SSO, Tresorit does not manage your password. For password changes or recovery, please contact your administrator.
Password change
Changing your password involves more than a simple update – it secures both your roaming profile and server authentication.
- The client first authenticates you with your old password using a challenge–response protocol.
- A new master key and authentication key are generated from your new password.
- Your roaming profile is re-encrypted locally with the new master key.
- The updated profile and authentication keys are uploaded to the cloud.
⚠️ Tresorit cannot recover forgotten passwords. If you lose your password and are not signed in on any device, your data will be permanently inaccessible.
Password recovery (while signed in)
If you forget your password but are still logged in on a device, recovery is possible.
- Your device already has a private key that can decrypt your roaming profile.
- Tresorit will send a one-time authentication code to your registered email.
- Use the code to create a new password and re-encrypt your roaming profile with fresh keys.
⚠️ Recovering your password does not sign you out of other devices. If needed, you can manually unlink devices to end those sessions.
Security principles
- Tresorit is built on zero-knowledge design: your password never leaves your device, and Tresorit cannot see or store it.
- Key derivation uses the memory-hard scrypt algorithm to protect against hardware-accelerated cracking.
- Passwords can include any UTF-8 characters and have no theoretical length limit.
- Auto-login keys and certificates are generated on your device and stay there.
- First-time logins use challenge-response authentication; after that, SSL/TLS with client certificates secures communication.