Security
How SnipSync protects your data
Zero-knowledge encryption
When you enable end-to-end encryption in SnipSync, your clips are encrypted on your device before they ever leave it. The SnipSync server stores only encrypted blobs. We cannot read, access, or recover your encrypted clips. Only you hold the decryption key.
How it works
- You choose a separate vault password. It is never sent to our servers.
- A random 256-bit master key is created locally on your device.
- Your vault password is run through PBKDF2 (600,000 iterations, SHA-256) to derive a wrapping key. The master key is then encrypted with this wrapping key.
- Each clip gets its own random nonce. Content is encrypted with the master key using XSalsa20-Poly1305 (NaCl secretbox). Only the encrypted blob is sent to the server.
- On another device, you enter your vault password. It derives the same wrapping key, decrypts the master key, and decrypts your clips, all locally.
Algorithms
| Component | Algorithm |
| --- | --- |
| Symmetric encryption | XSalsa20-Poly1305 (NaCl secretbox via tweetnacl-js) |
| Key derivation | PBKDF2 with 600,000 iterations, SHA-256 |
| Master key | 256-bit random (nacl.randomBytes) |
| Per-clip nonce | 192-bit random (24 bytes) |
| Recovery phrase | 12 words from a 256-word list (96-bit entropy) |
| Transport | TLS 1.3 (Supabase enforced) |
What we can see
| Data | Visible to SnipSync? |
| --- | --- |
| Clip content | Encrypted blob only |
| Clip type (link, note, code) | Yes — needed for filtering |
| Timestamps | Yes — needed for sorting |
| Device name | Yes — needed for device badges |
| Your vault password | Never leaves your device |
| Your master key | Never leaves your device |
Infrastructure
- Data hosted on Supabase (Postgres) in the EU region
- All connections enforced over TLS 1.3
- Row Level Security (RLS) policies on every database table — users can only access their own data
- Edge functions authenticated via JWT — no unauthenticated access
- Rate limiting on all API endpoints
- Electron app runs with sandbox mode enabled, context isolation, and no node integration
- Content Security Policy restricts script execution and network connections
Responsible disclosure
If you find a security vulnerability in SnipSync, please email vincent@snipsync.xyz with details. We take all reports seriously and will respond within 48 hours.
Encryption library
SnipSync's encryption implementation uses tweetnacl-js, an audited, minimal NaCl implementation.