What is the encryption process when a super admin resets a master password?
When a super admin resets a user's master password, the reset is carried out through an encryption process that keeps the user's vault data protected from unauthorized users.
When an admin enables the "Permit super admins to reset master passwords" policy, an asymmetric key pair (public/private) is generated for the administrator. The super admin's Public Asymmetric Key is sent to the LastPass cloud and stored. The super admin’s Private Asymmetric Key is encrypted with the named super admin’s Symmetric Vault Encryption Key and sent to the LastPass cloud and stored.
Next, a key exchange occurs when the selected user (for whom the master password reset should occur) logs in via the LastPass web browser extension (not the website). LastPass then downloads each super admin’s Public Asymmetric Encryption Key from the LastPass cloud. Each super admin’s Public Asymmetric Encryption Key is used to encrypt the selected user’s Symmetric Vault Encryption Key. The encrypted Symmetric Vault Encryption Key is then sent back to the LastPass cloud and stored (one for each super admin listed on the policy).
When the super admin resets their selected user's master password, the following actions take place:
- The target user’s encrypted vault and the user’s encrypted Symmetric Vault Encryption Key are downloaded to the super admin's local computer. The super admin also downloads their own encrypted Private Asymmetric Encryption Key from LastPass.
- The super admin then decrypts their Private Asymmetric Encryption Key using their own Symmetric Vault Encryption Key, and uses this Private Asymmetric Encryption Key to decrypt the user’s encrypted Symmetric Vault Encryption Key. The super admin can then decrypt the target user’s encrypted vault using the user’s Symmetric Vault Encryption Key.
- Next, the super admin selects a new master password that is hashed (along with a salt of the target user’s username) to create a new Symmetric Vault Encryption Key for that user. The user’s new Symmetric Vault Encryption Key is encrypted with the super admin's Public Asymmetric Encryption Key and replaces the old data in the LastPass cloud. The target user’s newly encrypted vault is also sent to LastPass to replace the original vault.
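The whole flow described above, from enabling the policy through the user's next login with the new master password, as an added example; this is illustrative code written for this page, not LastPass's implementation. The page does not name the primitives or parameters LastPass uses, so the example assumes RSA-OAEP for the admin's asymmetric key pair, AES-256-GCM for the "encrypted with a Symmetric Vault Encryption Key" steps, and PBKDF2-HMAC-SHA256 with an illustrative work factor for "hashed along with a salt of the username". It models a single super admin; with several admins listed on the policy there is one wrapped copy of the user's key per admin public key. The `Cloud` struct, `must` helper and all function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
)

// Cloud is the server-side storage from the article: one public key plus ciphertext, never a usable key.
type Cloud struct {
	AdminPub        *rsa.PublicKey // super admin's Public Asymmetric Key
	AdminPrivSealed []byte         // admin's Private Asymmetric Key, AES-GCM under the admin's vault key
	UserVaultSealed []byte         // user's vault, AES-GCM under the user's Symmetric Vault Encryption Key
	UserKeyForAdmin []byte         // user's Symmetric Vault Encryption Key, RSA-OAEP to AdminPub
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only programming errors reach here (bad key length, RSA input too long)
	}
	return v
}

// deriveVaultKey: the master password hashed with the username as salt, giving a 32-byte Symmetric
// Vault Encryption Key. PBKDF2-HMAC-SHA256 (first block) is written by hand to stay standard-library only.
func deriveVaultKey(username, masterPassword string) []byte {
	mac := hmac.New(sha256.New, []byte(masterPassword))
	mac.Write(append([]byte(username), 0, 0, 0, 1)) // salt || INT(1), RFC 8018
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // illustrative work factor, not a LastPass parameter
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}

// seal and open are AES-256-GCM with the random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// EnablePolicy: generate the admin key pair; store the public half in the clear and the private half sealed under the admin's own vault key.
func EnablePolicy(c *Cloud, adminUser, adminPassword string) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	c.AdminPub = &priv.PublicKey
	c.AdminPrivSealed = seal(deriveVaultKey(adminUser, adminPassword), x509.MarshalPKCS1PrivateKey(priv))
}

// UserLogin: the key exchange at the user's next extension login; this toy also uploads the sealed vault here.
func UserLogin(c *Cloud, user, password string, vault []byte) {
	vaultKey := deriveVaultKey(user, password)
	c.UserKeyForAdmin = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, c.AdminPub, vaultKey, nil))
	c.UserVaultSealed = seal(vaultKey, vault)
}

// AdminReset: the three reset bullets, run on the admin's machine over downloaded ciphertext; a wrong admin password fails at step one.
func AdminReset(c *Cloud, adminUser, adminPassword, user, newPassword string) error {
	privDER, err := open(deriveVaultKey(adminUser, adminPassword), c.AdminPrivSealed)
	if err != nil {
		return fmt.Errorf("unseal admin private key: %w", err)
	}
	priv := must(x509.ParsePKCS1PrivateKey(privDER)) // GCM already authenticated it, so parsing cannot fail
	oldKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.UserKeyForAdmin, nil)
	if err != nil {
		return fmt.Errorf("unwrap user vault key: %w", err)
	}
	vault, err := open(oldKey, c.UserVaultSealed)
	if err != nil {
		return fmt.Errorf("decrypt user vault: %w", err)
	}
	newKey := deriveVaultKey(user, newPassword) // new master password, hashed with the username salt
	c.UserVaultSealed, c.UserKeyForAdmin = seal(newKey, vault), must(rsa.EncryptOAEP(sha256.New(), rand.Reader, c.AdminPub, newKey, nil)) // replace old vault and old key copy
	return nil
}

// UserOpenVault is the user's normal login path: derive the key from the current password, open the vault.
func UserOpenVault(c *Cloud, user, password string) ([]byte, error) {
	return open(deriveVaultKey(user, password), c.UserVaultSealed)
}
```

Two properties worth checking when running it: `AdminReset` with the wrong admin master password fails at the very first step (the sealed private key does not authenticate), so the admin's own master password remains the only thing that unlocks the escrowed copy; and after a successful reset the user's old master password no longer opens the vault, because the vault has been re-encrypted under a key derived from the new password. Everything the `Cloud` ever holds is either the admin's public key or ciphertext.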