Key is generated using PBKDF2 from the supplied password and stored in the browser AppData. The salt used can be found under _defaultSalt in crypto.js. With the same salt the same password will always produce the same key. Persistence is not guaranteed however with semi-regular use it should only be deleted if the user wipes the browser AppData. After generation key is not extractable (underlying key details cannot be accessed by the JavaScript / WebApp).

Data is encrypted with AES-CBC using a 256 bit key and random IV. The IV should be stored along with the encrypted data.