Explainer

How Encryption Works

Last updated: 2026-07-10.

A plain-language explanation of how writema protects your writing. Your words are encrypted in your browser before they leave your device. We can't read them. Here's how.

The short version

Your writing is encrypted on your device using a key derived from your password. Only the encrypted ciphertext ever reaches our servers. We never see your password, and we never see the key. If you lose both your password and recovery key, your content is unrecoverable — even to us. That's the trade-off of true zero-knowledge.

When you sign up

  1. You choose a password. It stays on your device — it is never sent to our servers.
  2. Your browser derives a strong key from your password using Argon2id, a slow, memory-hard function designed to resist brute-force attacks.
  3. A random master key is generated in your browser. This is the key that actually encrypts your content.
  4. The master key is encrypted with your password-derived key, and only the encrypted copy is stored on our servers.
  5. A one-time recovery key is generated so you can regain access if you forget your password. Store it somewhere safe — we don't keep a copy.

When you sign in

  1. You enter your email and password.
  2. Your browser derives your password key using Argon2id — same as sign-up.
  3. Your browser downloads the encrypted master key and decrypts it locally using the password key.
  4. The master key stays in your browser's memory for the session. It is never sent to us.
  5. Every draft, journal entry, and note you open is decrypted in your browser on the fly.

What we can see

  • Your email address
  • The encrypted (unreadable) ciphertext of your content
  • Approximate sizes and timestamps needed to serve the app
  • Minimal operational logs for security and reliability

What we cannot see

  • Your password
  • Your master key
  • The plaintext of anything you write — titles, bodies, mood, weather, notes
  • Your recovery key

This is not a promise; it is a technical property of the system. We cannot hand over what we do not have.

If you forget your password

Use your recovery key to reset your password and recover access to your content. If you lose both, your encrypted content is permanently inaccessible — including to us. There is no back door.

The technology

PurposeTechnology
Password key derivationArgon2id
Key derivation from master keyHKDF-SHA256
Content encryptionAES-256-GCM
Cryptographic primitivesWeb Crypto API (browser-native)

Sharing, in the future

When collaboration lands, it will use per-document key exchange so that only invited readers can decrypt a shared piece. The zero-knowledge property is not going anywhere.

Questions

See our Privacy Policy for legal specifics, or write to privacy@writema.com.