Where your notes live
Your notes are plain Markdown files on your disk — readable by any tool, portable, yours forever. Jotura adds no encryption layer on top of your filesystem, so there's no proprietary format and no lock-in. For at-rest protection, use your operating system's full-disk encryption: FileVault on macOS, BitLocker on Windows, LUKS on Linux. That's the honest answer — disk encryption from the OS protects every file on the machine, including your notes, and it's stronger and better-audited than anything a notes app could bolt on.
Everything below this line is about sync. When you enable cloud sync, your notes are encrypted on your device before upload, and only ciphertext ever leaves it.
Threat model
Sync defends against: server compromise (someone steals the database), network adversaries (someone reads traffic between you and the server), and us — the server operator can't read your notes either.
We don't defend against: an attacker with access to your machine and your OS user account. They can read your notes the same way you can — that's what full-disk encryption and your OS login are for. No notes app can protect files from someone already inside the account that owns them.
What the server sees and doesn't see
Sees
- Your account email
- Opaque encrypted blobs
- HMAC'd path identifiers (so it can route updates without learning the filename)
- KDF salt and parameters
- A verifier blob proving you can derive the key
Doesn't see
- Plaintext content
- Plaintext paths or filenames
- Your sync password or any password-derived key
- Your master key or any per-file key
The sync crypto stack
All of this applies to data in transit and on the server. On your own disk, notes stay plain files.
- KDF: Argon2id, m=64 MiB, t=3, p=4 over your sync password. Output is a key-encryption-key (KEK).
- Master key (MK): 32 random bytes generated when you enable sync. Wrapped under KEK. Never derived from your password directly — that means changing your sync password is cheap (re-wrap the MK, no re-encryption of your notes needed).
- Per-file: Every upload gets its own data encryption key (DEK). DEKs are wrapped under MK. Content is encrypted with XChaCha20-Poly1305 AEAD on your device, at push time.
- Filename privacy: The server-visible identifier for each entry is HMAC-SHA256(path_key, normalized_path). Deterministic for routing, opaque to the server. The plaintext filename is encrypted alongside the wrapped DEK.
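The filename-privacy identifier described above, as an added example (not Jotura's own code). The page does not say how paths are normalized or how path_key is derived, so the normalization rules here (NFC, forward slashes), the sample keys, and the `ServerIndex` class are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
import unicodedata

def normalize_path(path: str) -> str:
    """Assumed normalization: NFC Unicode, '/' separators, no './' or '//'."""
    path = unicodedata.normalize("NFC", path).replace("\\", "/")
    return posixpath.normpath(path).lstrip("/")

def path_id(path_key: bytes, path: str) -> str:
    """Server-visible identifier: HMAC-SHA256(path_key, normalized_path)."""
    msg = normalize_path(path).encode("utf-8")
    return hmac.new(path_key, msg, hashlib.sha256).hexdigest()

class ServerIndex:
    """Hypothetical server view: identifier -> opaque blob, nothing else."""
    def __init__(self):
        self.entries = {}

    def put(self, ident: str, blob: bytes) -> bool:
        """Store a blob; return True if it replaced an existing entry."""
        replaced = ident in self.entries
        self.entries[ident] = blob
        return replaced

def demo():
    # Constructed sample keys and blobs; real keys would be random bytes.
    key_a = bytes(range(32))
    key_b = bytes(range(1, 33))
    server = ServerIndex()
    # Two devices spell the same path differently (Windows separators,
    # decomposed accent); both uploads route to one server entry.
    first = server.put(path_id(key_a, "journal/caf\u00e9.md"), b"<ciphertext v1>")
    second = server.put(path_id(key_a, "journal\\cafe\u0301.md"), b"<ciphertext v2>")
    # A different note, and the same path under another key, get
    # unrelated identifiers.
    server.put(path_id(key_a, "journal/todo.md"), b"<ciphertext>")
    server.put(path_id(key_b, "journal/caf\u00e9.md"), b"<ciphertext>")
    return first, second, sorted(server.entries)

if __name__ == "__main__":
    first, second, ids = demo()
    print("second upload replaced the first:", second)
    for ident in ids:
        print(ident)
```

Because the identifier is deterministic, the server can tell that two uploads target the same entry, which is what routing needs. Without path_key it cannot turn an identifier back into a name or check a guessed filename against its index.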
Recovery phrase
12 BIP39 words generated when you enable sync, shown once, never stored on the server. The phrase encrypts a copy of the master key.
Forget your sync password, the phrase still works. Lose both — the copies on the server are unrecoverable. Your local files are unaffected either way; they're plain Markdown on your disk.
Cryptography summary
The sync crypto stack is documented above. We use widely-reviewed primitives (Argon2id, XChaCha20-Poly1305, BIP39) from well-maintained libraries — not hand-rolled crypto. If you'd like a third-party security review of Jotura's design, get in touch.