How the encryption works, technically
The actual cryptographic design behind Nudje's zero-knowledge sync: the keys, the algorithms, what our servers see, and what we can never do.
Last updated
Nudje+ sync is end-to-end encrypted with XChaCha20-Poly1305; your recovery code is the root of the only key that can decrypt your data, and it never leaves your device. This page is the claim written as engineering, so you (or someone technical you trust) can judge it instead of taking our word.
The threat model
We designed sync assuming the server is honest-but-curious at best and breached at worst. Concretely: if someone walked away with our entire database tomorrow, they would hold ciphertext they cannot decrypt, because the keys were never on the server to steal. That is what “zero-knowledge” means here — not a policy, a construction.
The key hierarchy
- Recovery code — 32 characters of Crockford base32 (8 groups of 4), generated on your device from the system’s secure random source. It is shown to you exactly once and stored nowhere else.
- Master key — derived from the recovery code on-device using Argon2id (libsodium’s MODERATE parameters), a memory-hard function built to make guessing expensive.
- Data encryption key (DEK) — a random symmetric key that actually encrypts your reminders. The DEK is wrapped (encrypted) by the master key, and only that wrapped form ever reaches the server.
- Per-device keypairs — each device holds an X25519 keypair; DEKs are granted to new devices and to caregivers with libsodium sealed boxes, so only the intended recipient’s private key can open the grant.
The data path
Every reminder is serialized on your phone, encrypted with XChaCha20-Poly1305 (authenticated encryption — tampering is detected, not just hidden) under the DEK with a fresh random nonce, and only then uploaded. The server stores the ciphertext, the nonce, and a version number for conflict resolution. Decryption happens exclusively on your devices.
What the server does see
Honesty requires the metadata list: your provider identity (an Apple/Google subject or a salted hash of your email — never the address itself), ciphertext sizes and timestamps, record counts, device count, and subscription status. It cannot see titles, phrases, schedules, notes, streaks, or anything else inside a reminder.
Sharing without giving us keys
Caregiver and family profiles work by wrapping the profile’s DEK for the other person’s public key — a grant only they can open. Both sides can compare safety numbers (short fingerprints of the keys involved) to detect an impostor in the middle. Consent is explicit, visible, and revocable on both ends.
What we can never do
No password reset that recovers your data (nothing to reset against), no “support unlock,” no reading your reminders for any reason — including a legal demand, because ciphertext is all there is to hand over. Lose the recovery code with no signed-in device and your synced data is unrecoverable by construction. We say this plainly because it is the honest cost of the design.
Verifying our claims
The identical backup format on iPhone and Android is documented in Backup and restore, and the privacy behavior (no ATT prompt, no advertising ID) is externally observable in the app. A third-party review of the cryptographic design is on our launch checklist; this page will link its findings when complete.
Found a hole in this design? security@nudje.app — we’d genuinely like to know.