Password And Recovery Key

Each Cryptomator vault is secured by a password. The security of your vault depends directly on the strength of its password, so choosing a strong password is key.

Additionally for each vault a unique recovery key can be derived. This key ensures that if you forget your password, you are able to create a new one. It is a human readable form of your decrypted masterkey and therefore independent of the current vault password and highly confidential.

This section explains how to change a password for a vault, show its recovery key and reset the password to a new one. All actions are done in the Password tab of the vault options. You can access it over the main window by selecting the vault in question, lock it if necessary and then open its Vault Options.

Vault options allowing you to enter a recovery key

Change Password

You can change the password of an already existing vault. The only thing you need is to remember the current one.


The password is used to derive a KEK, which is then used to encrypt further keys. The KEK changes, but the keys encrypted with the KEK will stay the same. The actual files will not get re-encrypted, meaning you can not upgrade a weak passphrase to a stronger one once the data has been synced to a service that allows recovery of older versions of the masterkey file.

If you like to encrypt your vault files with a new, stronger password, you need to create a new vault and drag the data from the old to the new one. Make sure to wipe all backups of the old vault afterwards.

To do so, click on the Change Password button in the Password tab of the vault options. In the opened window, you see three text input fields:

After entering your current password, enter your new one and confirm it
  1. In the first you need to enter the current password of the vault.

  2. The second one takes the new password in and as already said, we suggest to follow the creation rules for good passwords.

  3. In the third for confirmation you need to enter the new password again.

In order to proceed, you need to confirm what you are doing by selecting the checkbox.

To finish the workflow and really change the password, click now on the Change button.


Only if the second and third text input fields match and the checkbox is selected, the Change button is activated.

Show Recovery Key

It is not a problem, if you missed to display the recovery key during vault creation. You are still able to derive it and view it at a later point in time. To increase security, Cryptomator does not store it on your hard drive and always derives it on the fly.


Bear in mind that due to the ability of the recovery key to reset the current password, it is highly confidential. Ensure that only trusted persons have access to it and keep it at a safe spot.

To do so, click on the Display Recovery Key in the Password tab of the Vault Options and enter your password. A new window will open. It shows a sequence of words inside a text field. This sequence is the recovery key of the vault.

This shows your recoverykey

You can copy it to your clipboard or print it to paper. If you are finished, close the window with the Done button.

Reset Password

If you forgot the password for a vault, but saved the recovery key somewhere external, you are able to define a new password and gain access to the vault again.

Navigate to the Password tab in the vault options and click the Recover Password button. A new prompt is opened, asking to insert your recovery key into the shown text box. Enter it there by copying it from a file or typing.


If you printed your recovery key on paper or stored it somewhere where you cannot copy it, Cryptomator offers you an auto completion feature for insertion. Type a letter and see if the shown word matches your key part. If so, you can press tab or right arrow key to auto complete the word. Otherwise enter more letters, the suggestion will change accordingly.

Autocompletion during recovery key entry

If the recovery key is valid, Cryptomator indicates this by a small message and activates the Next button

A valid recovery key has been entered


By design of the recovery mechanism, any valid recovery key is accepted. But only the one derived from the vault resets the vault password in a way such that the your data is accessible afterwards. If you use a different recovery key, the data already stored in the vault will be inaccessible. It can be made accessible again by re-running the recovery mechanism with the original and correct recovery key.

In the last step you need to assign a new password to your vault. It is the same as during vault creation except that no new recovery key is generated. As already noted there, read the suggestion for choosing a good password.

Finish the dialog by entering the same password again and clicking the Done button. You can unlock your vault now with the new password.


Since the recovery key stays the same, don’t discard it and put it to a safe location again.