The encryption model will take inspiration from how Turtl encrypts note data.

The most important thing worth mentioning is that all encryption will happen on your device, and if you sync to the cloud, none of your note data will sync unencrypted.

Let’s go over two different hacking scenarios and what would happen.

The database is compromised:

The hacker would not be able to access any information as everything is encrypted.

The database and back-end web API are compromised:

The hacker would have access to your basic account information (name and email). No payment information is leaked, as that is processed by Stripe. Your note data is safe as well, as it was encrypted on the client side, not the server side, and the hacker has no way to decrypt it – unless he managed to get access to your computer as well and steal your keys.

How Vibrato’s Encryption Works:

When you create an account, you are provided with a “recovery seed”. This recovery seed will look very similar to the one given by various cryptocurrency wallets.

A key will be generated using a combination of your email and password. This key will encrypt the recovery seed, and the encrypted seed will be saved to the database.

So, now you create a note. The first thing that will happen is that the recovery seed will be decrypted using the key created from your email and password.

With the recovery seed, a new key will be generated that will encrypt your note data.

Uh oh, you just forgot your password! No worries because you have written down that recovery seed and kept it in a safe location. You go to the “Forgot password” form, enter your email address, the recovery seed, and a new password.

What happens next is that the notes/notebooks/tags are decrypted (on the client side, not the server side!), a new recovery seed is generated, the new recovery seed encrypts the notes/notebooks/tags, and finally the new recovery seed is encrypted using a key created from your email and new password.

Now, you’re back in business!
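
The key hierarchy and password-reset flow described above, sketched with Node's built-in crypto module as an added example; it is not Vibrato's or Turtl's code. The algorithm choices (scrypt with the email as salt, HKDF-SHA256, AES-256-GCM), the 32-byte random seed standing in for the word-list seed, and all function names are assumptions, since the page names none of them.

```javascript
// Added example (not Vibrato's code). Assumed primitives: scrypt, HKDF-SHA256,
// AES-256-GCM. The seed is 32 random bytes; word-list encoding is omitted.
const crypto = require('node:crypto');

// Key from email + password; the normalized email doubles as the salt (assumption).
function passwordKey(email, password) {
  return crypto.scryptSync(password, email.trim().toLowerCase(), 32);
}

// Note-encryption key derived from the recovery seed.
function noteKey(seed) {
  return Buffer.from(crypto.hkdfSync('sha256', seed, Buffer.alloc(0), 'note-data', 32));
}

// AES-256-GCM with a fresh 12-byte IV per message; layout is iv | tag | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Account creation: the seed is shown to the user, only wrappedSeed goes to the server.
function createAccount(email, password) {
  const seed = crypto.randomBytes(32);
  return { seed, wrappedSeed: seal(passwordKey(email, password), seed) };
}

// Creating a note: unwrap the seed with the password key, then encrypt with the note key.
function encryptNote(email, password, wrappedSeed, text) {
  const seed = unseal(passwordKey(email, password), wrappedSeed);
  return seal(noteKey(seed), Buffer.from(text, 'utf8'));
}

// Forgot password: decrypt with the old seed, rotate the seed, re-encrypt, re-wrap.
function resetPassword(email, oldSeed, newPassword, encryptedNotes) {
  const oldKey = noteKey(oldSeed);
  const newSeed = crypto.randomBytes(32), newKey = noteKey(newSeed);
  const notes = encryptedNotes.map((blob) => seal(newKey, unseal(oldKey, blob)));
  return { newSeed, wrappedSeed: seal(passwordKey(email, newPassword), newSeed), notes };
}
```

Everything in this sketch runs on the client; the server only ever stores `wrappedSeed` and the sealed note blobs.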