Updated 2026-07-11
The first time you open your vault, TimeLock walks you through creating a master password. This is the root of all your encryption keys.
What makes it different
- It never leaves your browser. Key derivation (Argon2id) runs locally; the server receives only a one-way verification hash and encrypted key material it cannot use.
- Everything you store is ultimately encrypted under keys derived from it.
- We cannot reset it. There is no "forgot password" email for your master password, because we never have it in any form.
Choosing a good one
Use a long passphrase you don't use anywhere else. TimeLock shows a strength meter and can optionally check the password against known breach corpuses without revealing it. A weak master password is the one link no amount of server-side security can fix.
The Recovery Kit
At setup, TimeLock generates a Recovery Key and renders it once as a printable, downloadable sheet — the Recovery Kit. Saving it is mandatory.
- If you forget your master password, the Recovery Key is the only way to regain access and set a new one.
- If you lose both the master password and the Recovery Key, your data is permanently unrecoverable, by design.
- Store the Kit somewhere offline and safe: a printed copy in a drawer beats a file on the same laptop that could be lost with it.
Team organizations can optionally enable escrow recovery — an opt-in exception that is always disclosed to members.