Security Details
This page provides technical details about how Sidvy implements note encryption for users who want to understand the security model.
Encryption Overview
Section titled “Encryption Overview”Sidvy uses client-side encryption, meaning all cryptographic operations happen in your browser before data is transmitted.
Your Note → Browser Encrypts → Encrypted Data → Server Storage ↓Your Screen ← Browser Decrypts ← Encrypted Data ← Server FetchCryptographic Specifications
Section titled “Cryptographic Specifications”Encryption Algorithm
Section titled “Encryption Algorithm”- Algorithm: AES-256-GCM (Advanced Encryption Standard, Galois/Counter Mode)
- Key Size: 256 bits
- Mode: GCM provides both encryption and authentication
- IV/Nonce: Random 12 bytes generated per encryption
Key Derivation
Section titled “Key Derivation”- Algorithm: PBKDF2 (Password-Based Key Derivation Function 2)
- Hash: SHA-256
- Iterations: 600,000 (per OWASP 2024 recommendations)
- Salt: Random 32 bytes (256 bits), unique per note
What Gets Encrypted
Section titled “What Gets Encrypted”| Data | Encrypted | Reason |
|---|---|---|
| Note content | Yes | This is your sensitive data |
| Note title | No | Enables finding notes without decryption |
| Created/updated dates | No | Metadata for sorting |
| Note ID | No | Required for database operations |
Password Caching
Section titled “Password Caching”How It Works
Section titled “How It Works”When you enter a password:
- The derived key is stored in browser memory
- Associated with the note ID
- Cleared when you close the browser
Security Implications
Section titled “Security Implications”- Convenient: don’t re-enter password repeatedly
- Risk: Anyone with access to your open browser session can view decrypted notes
- Mitigation: Lock your computer, close browser when away
Cache Clearing
Section titled “Cache Clearing”The cache is cleared when:
- You close the browser tab/window
- You explicitly log out
- Session expires
Browser Security
Section titled “Browser Security”Encryption uses the Web Crypto API:
- Native browser implementation
- Hardware-accelerated where available
- More secure than JavaScript crypto libraries
- Not accessible to JavaScript after key derivation
Server Knowledge
Section titled “Server Knowledge”Sidvy servers:
- Never receive your password
- Never receive decryption keys
- Only receive encrypted ciphertext
- Cannot decrypt your notes
Even in case of a server breach, encrypted note contents remain protected.
Limitations
Section titled “Limitations”No Password Recovery
Section titled “No Password Recovery”By design, Sidvy cannot recover your password or decrypt notes without it. This is a feature, not a bug—it means we can’t access your data.
No Encrypted Search
Section titled “No Encrypted Search”Encrypted content cannot be searched. This is inherent to encryption—searching would require decryption.
Trust Model
Section titled “Trust Model”You must trust:
- Your browser’s Web Crypto implementation
- That the JavaScript code running is authentic
- Your device’s security
Best Practices
Section titled “Best Practices”Password Selection
Section titled “Password Selection”- Use a unique password (not used elsewhere)
- Minimum 12 characters
- Mix character types
- Consider a passphrase:
correct-horse-battery-staple
Operational Security
Section titled “Operational Security”- Lock your computer when away
- Use full-disk encryption on your device
- Be cautious on shared/public computers
- Keep your browser updated
Backup Considerations
Section titled “Backup Considerations”Encrypted notes are omitted from workspace exports. To back up encrypted notes, you must decrypt them first and then export them individually. If you export a decrypted note, the export contains unencrypted content—store exports securely.