Getting started

Your master password and Recovery Kit

The one password that unlocks everything, why we can never reset it, and the Recovery Kit that is your only way back.

Updated 2026-07-11

The first time you open your vault, TimeLock walks you through creating a master password. This is the root of all your encryption keys.

What makes it different

  • It never leaves your browser. Key derivation (Argon2id) runs locally; the server receives only a one-way verification hash and encrypted key material it cannot use.
  • Everything you store is ultimately encrypted under keys derived from it.
  • We cannot reset it. There is no "forgot password" email for your master password, because we never have it in any form.

Choosing a good one

Use a long passphrase you don't use anywhere else. TimeLock shows a strength meter and can optionally check the password against known breach corpuses without revealing it. A weak master password is the one link no amount of server-side security can fix.

The Recovery Kit

At setup, TimeLock generates a Recovery Key and renders it once as a printable, downloadable sheet — the Recovery Kit. Saving it is mandatory.

  • If you forget your master password, the Recovery Key is the only way to regain access and set a new one.
  • If you lose both the master password and the Recovery Key, your data is permanently unrecoverable, by design.
  • Store the Kit somewhere offline and safe: a printed copy in a drawer beats a file on the same laptop that could be lost with it.

Team organizations can optionally enable escrow recovery — an opt-in exception that is always disclosed to members.

Ready for a vault that can't be read — even by us?

Start a free trial today. Your master password never leaves your browser, and any secret can be locked to a schedule.