PasswordLab Master Vault Unlocking Guide

Unlocking the master vault is a critical process in PasswordLab, restoring access to all stored credentials and secrets after a lock event. This guide explains when the vault is locked, how to unlock it, and best practices for secure and efficient unlocking.

When is the Master Vault Locked?

The master vault is locked in the following scenarios:

• Server reboot
• Manual restart of the PasswordLab service
• Administrator-initiated lock (for emergencies or maintenance)

When locked, no user or API can access any data until the vault is unlocked.

What is Needed to Unlock the Vault?

• At least 3 valid master key pieces (out of 5, as per default configuration)
• Key piece holders can be located anywhere in the world
• Each key piece holder enters their key directly into the PasswordLab web app no need to share or transmit keys to others

Step-by-Step: Unlocking the Master Vault

1. Access the Unlock Screen

• Open the PasswordLab web app in your browser
• The system will display the vault unlock screen, prompting for key pieces

2. Enter Key Pieces

• Each key piece holder logs in from their own device, anywhere in the world
• Enter your unique key piece in the provided field
• Key pieces can be entered in any order and at any time no coordination or sequence required

3. Automatic Assembly and Validation

• Once the required number of key pieces (e.g., 3) are entered, PasswordLab will:
  • Mathematically reconstruct the master key using Shamir's Secret Sharing
  • Attempt to unlock the master vault
• If any key piece is invalid:
  • The process is aborted for security
  • All entered key pieces are cleared
  • The process must be restarted from the beginning

4. Successful Unlock

• If all key pieces are valid, the master vault is unlocked
• All users regain access to credentials and secrets
• Normal login and 2FA processes resume

Security and Privacy Benefits

• No need to transmit key pieces: Each holder enters their key directly, reducing risk of interception
• Global participation: Key holders can be anywhere with internet access
• No single point of failure: No one person can unlock the vault alone

Best Practices

• Keep key pieces secure and private never share your key with others
• Coordinate with other key holders when unlocking is required
• Test the unlock process periodically to ensure all key holders are familiar with the procedure

Troubleshooting

• Not enough key pieces: Contact other key holders to participate
• Invalid key piece entered: Start the process again and ensure correct entry
• Cannot access unlock screen: Ensure the vault is actually locked (check with your admin)

By following this guide, you can securely and efficiently unlock the master vault in PasswordLab, ensuring business continuity and strong security at all times.