I’m loving Supernotes, and would be very keen to use it as my daily driver for notes and knowledge management. This would mean that a lot of my cards’ content would be quite personal, which makes privacy and encryption very important to me.
In another post, Tobias confirmed Supernotes’ focus on privacy and security, and that backups are automatically encrypted on Supernotes’ servers. This is great news, and I would be very keen to know:
Are our cards’ content also encrypted at rest on Supernotes’ servers?
If so, who holds the encryption keys, and where are those keys stored?
I understand that encrypted user content could present hurdles to the sharing/collaborative focus of Supernotes, but this is a feature that I for one would happily pay extra for.
Thank you for all your efforts and engagement with us!
Thanks for this, it’s an important question! Currently Supernotes content is not encrypted in the database at rest, as we did not feel that it provided any real security benefit over what we’ve gone with instead, which is a very strict access control policy to our databases (given the most likely vectors of attack).
From there, I can tell you that we have plans to allow for E2E encryption on Supernotes, as that is the only way to truly provide security and peace of mind to our users. However, due to the nature of E2EE and the necessity for users (or users’ systems) to control their own private keys, we are waiting to work on E2EE until we have both desktop apps and mobile apps, as we think that is the best way to ensure persistence of such keys without placing any onerous key management demands on our users.
Currently, our thinking on this is also that such an E2EE feature will be opt-in (on a card / top-down hierarchy basis), because as you say, E2EE does have some caveats / UX issues when it comes to sharing and collaboration, and we think the best route is to not have it by default, but allow users to enable it for cards/trees that are sensitive in some way or another.
Hope that clarified everything! I will add your +1 to our roadmap with regards to the E2EE feature.
Thank you so much for your answer and explanation! I’m really glad that encryption is on the roadmap, and the timing and implementation both make a ton of sense.
I also really appreciate your openness in discussing your and Tobias’ thinking - it’s one more reason why I’m glad to be an Unlimited member!
Yep, with 2FA we think the best time to do that is the same as E2EE once we have desktop/mobile apps, as 2FA that relies solely on SMS suffers from various issues.
Are there any updates on this? I always prefer to use E2EE services by now, just to keep my data save and secure.
I recently came across Notesnook, it offers E2EE and I like the features they provide. I don’t want to leave Supernotes but also don’t want to use two Notetaking apps at a time.
Since the last reply on this forum post, we’ve continued to up our security and privacy measures.
We have a Security Policy, that goes into depth about how your data is stored, backed up and explains how it is encrypted in transit (forced SSL) and encrypted at rest (AES-256).
I’m really glad that encryption is on the roadmap, and the timing and implementation both make a ton of sense.
