They are storing both private and public keys on their servers... but the private key is encrypted with my password, which they don't know. Even though they have the private key, it's protected and they can't use it to decrypt my files. That's all good. Standard. The password of my password.
However, I still can't wrap my head around the password change issue. They claim that changing my password will "re-encrypt" my private key, leaving my files still locked by the same key.... How exactly does that make my files "unrecoverable" ?
Unless they are using my "encrypted private key" to lock my files in the first place... which by itself is stupid and defeats the purpose.
If they have my private key "re-encrypted" with a new password -- and assuming I know my new password -- I should still be able decrypt the private key and unlock the files.
If I understood this correctly, Lastpass.com uses the exact same approach and is managing fine allowing users to change their passwords.
Did anyone figure this out? I can't quite grasp what the issue is here.
Money can't buy love, but it improves your bargaining position. -- Christopher Marlowe