Encryption of cards / user content

Hi @tobias and @connor,

I’m loving Supernotes, and would be very keen to use it as my daily driver for notes and knowledge management. This would mean that a lot of my cards’ content would be quite personal, which makes privacy and encryption very important to me.

In another post, Tobias confirmed Supernotes’ focus on privacy and security, and that backups are automatically encrypted on Supernotes’ servers. This is great news, and I would be very keen to know:

  • Are our cards’ content also encrypted at rest on Supernotes’ servers?
  • If so, who holds the encryption keys, and where are those keys stored?

I understand that encrypted user content could present hurdles to the sharing/collaborative focus of Supernotes, but this is a feature that I for one would happily pay extra for. :+1:

Thank you for all your efforts and engagement with us! :smiley:

Cheers,
Brendan

Hey Brendan,

Thanks for this, it’s an important question! Currently Supernotes content is not encrypted in the database at rest, as we did not feel that it provided any real security benefit over what we’ve gone with instead, which is a very strict access control policy to our databases (given the most likely vectors of attack).

From there, I can tell you that we have plans to allow for E2E encryption on Supernotes, as that is the only way to truly provide security and peace of mind to our users. However, due to the nature of E2EE and the necessity for users (or users’ systems) to control their own private keys, we are waiting to work on E2EE until we have both desktop apps and mobile apps, as we think that is the best way to ensure persistence of such keys without placing any onerous key management demands on our users.

Currently, our thinking on this is also that such an E2EE feature will be opt-in (on a card / top-down hierarchy basis), because as you say, E2EE does have some caveats / UX issues when it comes to sharing and collaboration, and we think the best route is to not have it by default, but allow users to enable it for cards/trees that are sensitive in some way or another.

Hope that clarified everything! I will add your +1 to our roadmap with regards to the E2EE feature.

Best,
Connor

1 Like

Hi @connor,

Thank you so much for your answer and explanation! :smile: I’m really glad that encryption is on the roadmap, and the timing and implementation both make a ton of sense.

I also really appreciate your openness in discussing your and Tobias’ thinking - it’s one more reason why I’m glad to be an Unlimited member! :+1:

Cheers,
Brendan

1 Like

Any plans for 2FA?

1 Like

Yep, with 2FA we think the best time to do that is the same as E2EE once we have desktop/mobile apps, as 2FA that relies solely on SMS suffers from various issues.

I totally agree. This is a major asset, and makes this community special. Keep it up :slight_smile:

1 Like