How Enki Keeps Your Data Safe

Your Secure Digital Vault

Think of your Enki data as being stored in a highly secure digital vault. This vault is always locked, and the combination to open it is uniquely yours. While we manage the vault's infrastructure, we don't have the master combination to everyone's vault. Here’s how it works.

Creating Your Unique Access Key

The process begins when you sign up for Enki using your Apple or Google account. After Firebase authenticates your account, a secure, server-side process kicks in. A Firebase Function, generates a unique, strong encryption key specifically for you. This key is then securely embedded as a custom claim within your Firebase ID token.

Diagram 1: Generating and Distributing Your Secret Key

This diagram illustrates how your unique encryption key is generated on our server at signup and securely included in every subsequent Firebase ID token your app receives.

Crucially, this key is never stored separately on our servers. It resides solely within your Firebase ID token. Every time your Enki app requests access to your data, it presents this token, carrying your unique access key with it.

Secure Data Handling: From Your Device to Our Servers

When you save a note or a link in Enki, the following secure process takes place: Your Enki app sends the data to our servers over a secure HTTPS connection, ensuring that the data is encrypted during transmission. Along with your data, your app sends your Firebase ID token.

Diagram 2: How Your Data is Securely Handled

This diagram illustrates the secure flow of your data, emphasizing the server's use of the key from your ID token to access your encrypted database in memory.

Our backend servers, built with the robust Rust language and Axum framework, receive your request and immediately verify the authenticity of your Firebase ID token. Once verified, the server extracts your unique encryption key from the token. This key is then used to open your individual, encrypted database – but only in the server's memory. Your data is processed, and the database is closed immediately. The ID token, having served its purpose, is then discarded.

Your Private, Encrypted Database

To ensure maximum privacy, each Enki user has their own physically separate database. Think of it as your own personal vault within our secure storage. This database is always encrypted at rest using your unique encryption key. We utilize a forked version of SQLite called LibSQL, incorporating the advanced encryption capabilities of SQLite3 Multiple Ciphers (SMC).

Diagram 3: Isolated and Encrypted Databases

This diagram illustrates how each user's data is stored in its own isolated and persistently encrypted database.

This physical separation, combined with robust encryption, guarantees that your data remains entirely separate and inaccessible to other users.

We Can't See Your Data Either

It's crucial to understand that we, the developers of Enki, do not have a master key to unlock everyone's data. Your unique encryption key is the sole key to your vault, and it's never permanently stored on our servers. This means your data is private not just from external threats, but also from us. We've designed the system this way to ensure your complete trust and privacy.

Continuously Enhancing Security

Our commitment to your security is ongoing. We are actively working on implementing key rotation, a process that will periodically change your encryption key, further strengthening your data's defenses.

Built with Your Privacy in Mind

Enki's security architecture is designed with a clear principle: your data belongs to you. By generating unique encryption keys, isolating your data in encrypted databases, and ensuring that we don't have access to your decrypted information, we strive to provide a secure and private space for your digital notes.

Experience the peace of mind that comes with knowing your information is protected by robust and thoughtful security measures.