Hi, Supernotes team. I saw on the Supernotes official website that Supernotes uses encrypted at rest and encrypted in transit. Besides that, I would like to know if encryption (using private key) is also applied when the data is storing into the database. In other words, when people open the database editor, do they see plain text (our notes) or encrypted text?
Reference: Security, Privacy & Backups
I believe what you are referring to is end-to-end encryption (E2EE)? Supernotes is not E2EE. You can read more about that (and our justifications for it) here.
Not end-to-end encryption, end-to-end encryption is when users store their own private key. I am referring to Supernotes Team using their own private key for encryption.
Hi @sona, we have many steps in place to make sure that the Supernotes database is private and secure.
Obfuscating the database further with a ‘private key’ would not offer any improved security. As Connor mentioned, we deep dive into the different forms of encryption in this article and explain what we do here at Supernotes.
This looks more like application-layer encryption. After doing this, even if the database is accidentally leaked, attackers will not be able to obtain user information. You can refer to this question for more information.
Yes, as noted in the answer, this would primarily be useful in a situation where you have database administrators who are different from application administrators. However in the case of Supernotes those are one and the same (me and @tobias).
Also noted in the StackExchange answer is that indexing of content becomes very difficult. We want user data to be accessible to them via API at all times, and that becomes an issue when using Application-level Encryption (again for no real security benefit).
As we grow the team at Supernotes, we will definitely re-think our existing security policies to ensure the right balance is struck.