We form a hierarchy of keys to unlock the various data contexts in the system. At the lowest level, we store keys for payload data on the server, encrypted to the user's public RSA key (and in the case of shared data, the public keys of any other users who have access to read the payload).
Each user's private RSA key is stored on the server, encrypted to an outer-level key that only ever exists in memory. This outer-level key is derived from the user's password using PBKDF2. This arrangement means that when a user loses their computer, or simply wants to access data from another device, their password is all they need to know to decrypt the whole chain.
We also use a zero-knowledge proof to establish that the user knows their password before sending the ciphertext of their keychain to their client, or otherwise access the system.
Each user's private RSA key is stored on the server, encrypted to an outer-level key that only ever exists in memory. This outer-level key is derived from the user's password using PBKDF2. This arrangement means that when a user loses their computer, or simply wants to access data from another device, their password is all they need to know to decrypt the whole chain.
We also use a zero-knowledge proof to establish that the user knows their password before sending the ciphertext of their keychain to their client, or otherwise access the system.