
cloud sync - zero-knowledge encryption

docs/mintlify/docs-mintlify-mig-tmp/cloud-sync.mdx


cloud sync lets you access your screenpipe data across all your devices with end-to-end encryption. we use zero-knowledge encryption, meaning we physically cannot read your data.

zero-knowledge encryption

your data is encrypted on your device before it ever leaves. we use your password to derive an encryption key locally - this key never leaves your device and we never see it.

this means we physically cannot read your data, even if we wanted to. only you (and anyone you share your password with) can decrypt your data.

how it works

<Steps>
  <Step title="you set a password">
    this password is used to derive your encryption key using argon2id (a secure key derivation function).
  </Step>
  <Step title="data is encrypted locally">
    before any data leaves your device, it's encrypted using chacha20-poly1305 (a fast, secure cipher).
  </Step>
  <Step title="encrypted data is uploaded">
    only encrypted blobs are sent to our servers. we store them but cannot read them.
  </Step>
  <Step title="other devices decrypt locally">
    when you access data from another device, it's downloaded and decrypted on that device using your password.
  </Step>
</Steps>

what we store

  • encrypted blobs (we cannot read these)
  • your account email
  • encrypted master key (encrypted with your password - we cannot decrypt it)
  • salt for key derivation (not secret, needed to derive the same key)
  • device metadata (device name, os, last sync time)
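
the flow above, from password to stored record to a second device, as an added example that is not screenpipe's code. it assumes the master key is wrapped under the password-derived key, uses a made-up `nonce || tag || ciphertext` layout, and swaps in scrypt (built into node) where the page names argon2id; all function names are hypothetical.

```javascript
// Added illustration; NOT screenpipe's implementation.
const crypto = require('node:crypto');

// Stand-in KDF: the page names argon2id; scrypt is used only because it ships with Node.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// ChaCha20-Poly1305 AEAD. Layout nonce(12) || tag(16) || ciphertext is an assumption.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = crypto.createDecipheriv('chacha20-poly1305', key, blob.subarray(0, 12),
    { authTagLength: 16 });
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag does not verify (wrong key or tampered blob).
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// First device: build the record that is uploaded. It holds the salt, the
// wrapped master key and the encrypted blob, never the password or a raw key.
function enroll(password, data) {
  const salt = crypto.randomBytes(16);      // not secret, stored server-side
  const masterKey = crypto.randomBytes(32); // random data key, exists only on devices
  return {
    salt,
    wrappedMasterKey: seal(deriveKey(password, salt), masterKey),
    blob: seal(masterKey, Buffer.from(data)),
  };
}

// Another device: re-derive from password + stored salt, unwrap, then decrypt.
function restore(password, record) {
  const masterKey = unseal(deriveKey(password, record.salt), record.wrappedMasterKey);
  return unseal(masterKey, record.blob).toString();
}

// True when the password cannot unwrap the master key (the server's position,
// and also the user's position after forgetting the password).
function rejects(password, record) {
  try { restore(password, record); return false; } catch { return true; }
}
```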

what we cannot see

<CardGroup cols={2}>
  <Card title="your screen recordings" icon="display">
    all visual data is encrypted
  </Card>
  <Card title="your audio transcriptions" icon="microphone">
    all audio data is encrypted
  </Card>
  <Card title="your ocr text" icon="text">
    all extracted text is encrypted
  </Card>
  <Card title="your encryption password" icon="key">
    never leaves your device
  </Card>
  <Card title="your encryption key" icon="lock">
    derived locally, never transmitted
  </Card>
  <Card title="any of your actual data" icon="shield">
    we only see encrypted blobs
  </Card>
</CardGroup>

verify it yourself

screenpipe is open source. you can audit the encryption code yourself:

<Card title="view encryption source code" icon="github" href="https://github.com/screenpipe/screenpipe/tree/main/crates/screenpipe-core/src/sync">
  review the rust implementation of our zero-knowledge encryption
</Card>

important notes

<Warning>
  if you forget your encryption password, your cloud data cannot be recovered. we recommend using a password manager.
</Warning>

<Info>
  cloud sync requires a screenpipe pro subscription. sync happens automatically in the background and uses approximately 0.8 gb per monitor per day.
</Info>

questions? join our discord.