
End-to-End Encryption (E2EE) Implementation #3624

@devin-ai-integration

Description

Overview

This issue tracks the implementation of client-side end-to-end encryption for Hyprnote, ensuring user data is encrypted before leaving the device.

Data Requiring Encryption

Based on codebase analysis, the following data needs E2EE protection:

  1. Session content - Notes, transcripts, words stored in transcripts table
  2. Audio recordings - Before upload to S3 (via crates/s3)
  3. Chat messages - User conversations
  4. Human/Organization data - Contact information

Current Architecture

Local Storage (on-device)

  • SQLite Database (db.sqlite via db2 plugin) - Primary local storage using TinyBase with custom SQLite persister
  • File System Persisters - JSON files and Markdown directories for various data
  • Audio Recordings - WAV/OGG files stored locally via listener plugin

Cloud/Remote Storage

  • Supabase - Authentication only (JWT tokens)
  • Turso - Distributed SQLite for cloud sync
  • S3 (Tigris) - Audio file storage with presigned URLs
  • PostgreSQL - Cloud database option via execute_cloud command

Implementation Plan

1. Key Management (new plugins/crypto plugin)

// Recommended crates
ring = "0.17"           // AES-256-GCM and HKDF (the aes-gcm + hkdf crates are an alternative)
keyring = "3"           // OS keyring integration
argon2 = "0.5"          // Argon2id key derivation from the backup passphrase

Key features:

  • Generate a random 256-bit master key on device (AES-256-GCM is the cipher it feeds)
  • Store the master key only in the OS keyring (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • Derive per-session (per-context) keys from the master key with HKDF, using a distinct info string per context so that transcript, audio and chat keys are independent and the master key itself never encrypts data directly
  • Key backup/recovery via user passphrase: Argon2id turns passphrase + random salt into a key-encryption key, which wraps the master key with AES-GCM; the exported backup holds only the salt and the wrapped key

2. Encryption Points

Location          File / function                                    Action
Cloud DB sync     plugins/db2/src/ext.rs, execute_cloud()            Encrypt data before sync
S3 upload         crates/s3/src/lib.rs, put() and multipart upload   Encrypt audio before upload
Local persister   createLocalPersister in TinyBase                   Optional filesystem encryption

3. Plugin Architecture

// plugins/crypto/src/lib.rs
use tauri::{
    plugin::{Builder, TauriPlugin},
    Runtime,
};

pub fn init<R: Runtime>() -> TauriPlugin<R> {
    // Commands to register via `tauri::generate_handler!` once implemented:
    // - init_keys()                           - Generate/load master key from keyring
    // - encrypt(data, context)                - Encrypt with the key derived for `context`
    // - decrypt(ciphertext, context)          - Decrypt with the same derived key
    // - export_key(passphrase)                - Backup: wrap master key under Argon2id-derived key
    // - import_key(passphrase, encrypted_key) - Restore: unwrap and store in keyring
    Builder::new("crypto").build()
}

4. Multi-Device Considerations

For future multi-device sync:

  • Asymmetric encryption for key exchange between devices
  • Device registration and key sharing protocol
  • Key rotation mechanism

Security Considerations

  • Use authenticated encryption (AES-256-GCM) so that any modified ciphertext is rejected rather than decrypted to garbage; pass the context as associated data so an envelope cannot be replayed under a different context
  • Never reuse a GCM nonce under the same key: use a fresh random 96-bit nonce per message and keep the number of messages per derived key well below the 2^32 bound, which per-session HKDF keys make easy
  • Never store the master key unencrypted outside the OS keyring; the passphrase backup contains only the wrapped key and its salt
  • Use Argon2id with a per-backup random salt and tune memory cost as well as iteration count; memory hardness, not iteration count alone, is what slows offline guessing of the backup passphrase
  • Consider memory protection for keys in use: zeroize key material once it is no longer needed (for example with the zeroize crate) and keep keys out of logs and crash reports
