by cf_ 1748 days ago
Looks great - congratulations! Could you please add if / how you store a hash of the user password for authentication - it's not discussed on the architecture page. Thank you.

We don't store your password's hash. Since we use authenticated encryption, clients can identify when the decryption of your masterKey fails because you used a key generated from a wrong password.
Ok, that's cool! But the client gets to download the encrypted master key without authentication, right? Doesn't that enable easy offline attacks, or is the decryption too time-consuming?
No, the client has to first verify their email address and 2FA (if configured) to receive the encrypted keys. In addition to this the decryption is time-consuming.
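The exchange above describes a common password-manager pattern: the server keeps no password hash at all, only a master key wrapped under a key stretched from the password with a slow KDF, and a wrong password shows up as an authentication-tag failure on decryption. The following is an added example of that design, not code from the project discussed in the thread. It uses scrypt from the Python standard library as the slow KDF and, because the standard library has no AEAD, an encrypt-then-MAC construction built from HMAC-SHA256 (HMAC in counter mode as the keystream, a second HMAC as the tag) as a stand-in for a real AEAD such as AES-GCM or XChaCha20-Poly1305. The cost parameters, field names and the `brute_force` helper are illustrative choices for this example, not the service's own.

```python
import os
import hmac
import hashlib

# Illustrative scrypt cost parameters for this example (not the service's own).
# The KDF cost is what makes offline guessing against a leaked record expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_wrapping_keys(password, salt):
    """Stretch the password into two independent 32-byte keys:
    one for the keystream, one for the authentication tag."""
    okm = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a stdlib-only keystream.
    A production system would use a standard AEAD instead of this stand-in."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_master_key(password, master_key, salt=None, nonce=None):
    """Return the server-side record: salt, nonce, ciphertext and tag.
    Note that nothing derived solely from the password is stored."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key, mac_key = derive_wrapping_keys(password, salt)
    ks = keystream(enc_key, nonce, len(master_key))
    ciphertext = bytes(a ^ b for a, b in zip(master_key, ks))
    # Encrypt-then-MAC: the tag covers everything the client will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_master_key(password, record):
    """Recover the master key, or raise if the password is wrong.
    The wrong-password case is detected only through the tag check:
    the client never compares against a stored password hash."""
    enc_key, mac_key = derive_wrapping_keys(password, record["salt"])
    expected = hmac.new(mac_key,
                        record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong password or tampered record")
    ks = keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks))


def brute_force(record, candidates):
    """What an attacker holding the encrypted record can do offline: test
    guesses one at a time, paying the full KDF cost for each. Returns the
    matching candidate and its master key, or None."""
    for guess in candidates:
        try:
            return guess, unwrap_master_key(guess, record)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    mk = os.urandom(32)
    rec = wrap_master_key("correct horse", mk)
    assert unwrap_master_key("correct horse", rec) == mk
    print("stored fields:", sorted(rec))
    print("guessing:", brute_force(rec, ["hunter2", "correct horse"])[0])
```

The `brute_force` helper is the offline attack cf_ asks about: it works against anyone who obtains the record, which is why the thread's answer couples the KDF cost with gating the download of the record behind e-mail verification and 2FA.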