HomepageWhat's NewBlogRoadmapLog In
Get Started
Get acreom
Import
How to Use acreom
Create Vault
acreom Cloud
acreom Cloud
Encryption
Search & Navigation
Search & Navigation
Editor
Pages
Editor
Templates
Quick Capture
My Day
My Day
Google Calendar
Apple Calendar
ICS Calendar
Google Calendar permissions
Google Calendar .ics
Apple Calendar .ics
Outlook Calendar .ics
Projects
Projects
Views
Views
Integrations
Jira
Github
How does Jira integration work?
How does Github integration work?
How to connect Github enterprise account?
Linear
Assistant
Assistant
Quickadd
Mobile Apps
Acreom for mobile
Try mobile apps
Other
Adding Icon to AppImage

acreom Cloud

Encryption

Cloud Vault

All accounts created after version 1.14.0 with sync enabled use End-to-End encrypted sync. If you created your vault before this version, you can turn on End-to-End encryption in the account settings.

End-to-End encryption(e2ee) is designed to follow these principles:

  • No sensitive data can leave your device unencrypted.

  • Not we, nor anyone else can have any access to the password used for encryption.

  • acreom can’t access any of your data, even locally, before inputting the encryption password.

Since your password is not saved anywhere, there is no way to access encryption keys. acreom as a 3rd party does not store your password or even secrets derived from your password. This fulfils the concept of zero-knowledge encryption. 

When you first enable end-to-end encryption, you set your encryption password. The password is hashed using argon2id, and then hkdf is derived from the hash. Next, your private keypair is generated. This keypair is then encrypted using hkdf derived from your password. Encrypted keypair is stored on the user object. This is a necessary step to enable decryption of your data.

The only way to decrypt your encryption keypair is to input the correct password and use it to decrypt your private keypair. There is no communication between the acreom app, and our servers when we decrypt your private keypair, since the object is encrypted on the user object and is only retrieved after successful login. acreom creates hash, derives hkdf, and then tries to decrypt the private keypair object.

Encrypted Pages, Images & Folders

Each page, image, and folder is encrypted using aes256-gcm and a unique encryption key. Each encryption key is stored encrypted using the user's private keypair. We encrypt all properties containing sensitive data such as name of entity, content, icons etc. We do not encrypt metadata such as created and updated timestamp as these are used when fetching updates.

Sharing

When sharing a page, its content alongside the assets gets decrypted and stored as plain text. 

3rd Party Integrations

Currently, Github, Jira, and ICS Integrations are e2e encrypted. We intend to streamline all integrations to follow the process we created when working on github integration, where the only thing that gets stored or passes through our servers is the encrypted config.