Ameleva's optional client-side encryption derives a 256-bit key from your encryption password entirely on device, using PBKDF2-HMAC-SHA-256 with 100,000 iterations and a random salt. The key is stored only in iOS Keychain or Android Keystore and never reaches Ameleva servers. Journal entries, custom habit log values and notes, and feedback answers are sealed with AES-256-GCM before upload. The server stores opaque ciphertext only — Ameleva engineers cannot decrypt it, even with full database access.
  • 01 · Key derivation

    PBKDF2-HMAC-SHA-256

    100,000 iterations from your encryption password plus a 16-byte random salt per user. The derived 256-bit key never leaves your device.

  • 02 · Encryption

    AES-256-GCM

    Authenticated encryption per record with a fresh 12-byte random nonce. Tampering breaks decryption — no silent corruption.

  • 03 · Sync

    Ciphertext only

    Sealed records sync between your devices over TLS 1.2+. Ameleva servers store opaque ciphertext for the encrypted fields; we never see plaintext.

  • 04 · Recovery

    You hold the key

    The key is on your device, not ours. We cannot reset it — store your encryption password in a password manager before enabling encryption.

  • 05 · Threat model

    What we protect

    We protect encrypted fields against server breach, insider read, and lawful demand for plaintext. We do not protect against malware on your device or a stolen encryption password.

  • 06 · Open primitives

    No custom crypto

    Standard, audited libraries. Parameters are public; the iteration count is upgradeable as compute gets cheaper.

Encryption explainer

How encryption works in Ameleva.

Plain-English walk-through of the cryptography. PBKDF2, AES-256-GCM, the threat model, and the tradeoffs.

The cryptographic stack

Key derivation: PBKDF2-HMAC-SHA-256, 100,000 iterations, 16-byte random salt per user

Key length: 256 bits (32 bytes)

Symmetric cipher: AES-256-GCM (authenticated encryption with associated data)

Nonce: 12-byte random nonce per encrypted record

Key storage: iOS Keychain (kSecAttrAccessibleWhenUnlockedThisDeviceOnly); Android Keystore (StrongBox-backed when available)

Salt + parameters: stored with your account; the PBKDF2 iteration count is upgradeable

What's encrypted (when you opt in)

  • Journal entries
  • Custom habit log values and notes
  • Feedback answers

What's not encrypted

  • Email address (required for sign-in and recovery)
  • Full name
  • Subscription tier (required for entitlement, mapped via RevenueCat)
  • Habit and template titles
  • Streak counters and completion timestamps
  • Action notes and reflection text (the body of action notes is not in the encrypted set by default)
  • Aggregate, non-identifying analytics

Threat model

We protect against: server-side data breach (an attacker dumps the database), insider read (an engineer tries to read encrypted fields), and lawful demand for the plaintext of encrypted fields. We do NOT protect against: device compromise (malware on your phone reading plaintext from RAM), encryption-password theft (for example, reusing a password the attacker already knows), or endpoint manipulation (a modified Ameleva client that uploads cleartext).

What happens if you forget your encryption password

We cannot recover it. The key isn't on our servers. You can reset encryption with a new password, but previously encrypted data remains unreadable. Store your encryption password in a password manager before enabling encryption — this is the most common operator error and we'd rather you not hit it.

Report a vulnerability.

Disclosure process + contact.