A SolMask commitment is a single Poseidon hash of four inputs: the nullifier_secret, the deposit amount, the asset mint, and the unlock_slot. The output is the on-chain artefact the deposit instruction inserts into the Merkle tree. Everything else stays in your browser, derived deterministically from your wallet — there is no passphrase, and the encrypted recovery blob the deposit publishes on-chain lets the same wallet rediscover the note on any device.
Commitments are both hiding and binding. Hiding: anyone reading the chain learns nothing about the secret, the amount, or the unlock time — Poseidon's preimage resistance hides all of them behind a uniform 32-byte digest. Binding: once published, the depositor cannot later claim a different amount or a different unlock slot, because no other set of inputs hashes to the same commitment.
The cryptographic separation between the commitment (visible to everyone, written at deposit) and the nullifier (revealed at withdraw, derived from the same secret) is what lets SolMask prevent double-spends while keeping deposits and withdrawals mutually unlinkable.