# NoteRich Local-First AES-GCM Encryption Explained: Your Data, Your Keys
In a digital world where data breaches are increasingly common, your personal notes, ideas, and journals deserve the highest level of protection. At **NoteRich**, we believe that privacy is not just a feature—it is a fundamental right.
As a **Local-First** note-taking application, NoteRich ensures that your data resides entirely on your device. But what happens when you need to back up your database or share notes across devices? This is where our implementation of **AES-GCM Encryption** steps in, providing strong, authenticated encryption for your data in transit and at rest.
---
## 🛡️ The Local-First Philosophy Meets Real-World Security
NoteRich stores your notes locally using advanced browser databases. This means you can access, edit, and search your notes even without an internet connection. However, when you decide to export your entire workspace to a `.nrs` file or sync your database to another device via **P2P (Peer-to-Peer)**, your data leaves the safety of your local storage.
To ensure your data remains completely private during these operations, NoteRich employs **End-to-End Encryption (E2EE)**. Even if an exported file is uploaded to a public cloud drive or intercepted during a P2P transfer, it remains computationally infeasible to read without your password.
---
## 🔐 How NoteRich Protects Your Data
When you choose to encrypt a database export or a P2P share, NoteRich uses a two-step security process designed to balance maximum security with a seamless user experience.
### 1. PBKDF2 Key Derivation
Passwords typed by users are vulnerable to brute-force attacks if not properly prepared. NoteRich uses **PBKDF2 (Password-Based Key Derivation Function 2)** to transform your simple password into a robust, 256-bit cryptographic key. This process adds a unique "salt" and thousands of iterations: the salt means work spent guessing against one file cannot be reused against another, and the iterations make every single password guess slow and computationally expensive for an attacker.
### 2. AES-GCM Encryption
Once the key is derived, NoteRich encrypts your data using **AES-GCM (Advanced Encryption Standard - Galois/Counter Mode)**.
* **AES** is the global standard for securing top-secret government and financial data.
* **GCM** not only encrypts the data but also provides *authentication*. This means if even a single bit of the encrypted file is tampered with or corrupted, NoteRich will instantly detect it and prevent the import, protecting you from malicious modifications.
---
## 🔄 The Encryption Flow: A Visual Guide
Let's take a look at how your data flows securely within the NoteRich ecosystem.
```mermaid
graph TD
A[Your Device / Local IndexedDB] -->|Unencrypted Local Access| B(NoteRich Editor)
subgraph Secure Export & Sync
B -->|Export to .nrs| C{Set Password?}
C -->|Yes| D[PBKDF2 + AES-GCM]
D --> E[Encrypted Backup File]
B -->|P2P Database Sync| F{Enable Password?}
F -->|Yes| G[PBKDF2 + AES-GCM]
G --> H[Encrypted P2P Stream]
end
E --> I[Secure Cloud / External Drive]
H --> J[Target Device]
style D fill:#e0f2fe,stroke:#0284c7,stroke-width:2px
style G fill:#e0f2fe,stroke:#0284c7,stroke-width:2px
```
---
## 🌐 Use Cases: When Does Encryption Happen?
NoteRich gives you full control over when to apply encryption. Here are the primary scenarios where AES-GCM protects your knowledge base:
### 📦 Encrypted Database Export (.nrs)
Whether you are backing up your notes to an external hard drive or uploading them to a personal cloud storage, you can toggle the **"Set Password"** option during export. The resulting `.nrs` file is completely scrambled. Only someone with the correct password can unlock and restore the workspace.
### 📡 Secure P2P Sharing
NoteRich supports direct device-to-device synchronization using P2P technology. While P2P already avoids central servers, adding a password layer ensures **Zero-Trust security**.
* You generate a secure link or QR code containing the encrypted stream.
* The receiving device must input the exact password to decrypt the incoming data blocks.
* This is perfect for sharing sensitive journals or proprietary project notes across your own devices without worrying about network sniffing.
---
## 🛑 The "Zero-Knowledge" Guarantee
One of the most important aspects of NoteRich's encryption is that **we know nothing about your data**.
```mermaid
sequenceDiagram
participant U as User
participant N as NoteRich App
participant F as Encrypted File / P2P
U->>N: 1. Enter Password
N->>N: 2. Derive Key (PBKDF2)
N->>N: 3. Encrypt Data (AES-GCM)
N->>F: 4. Save / Transmit
Note over F: 🔒 Data is unreadable gibberish
U->>N: 5. Import / Receive Data
U->>N: 6. Enter Password
N->>N: 7. Derive Key & Verify Integrity
N->>U: 8. Access Restored Notes
```
Because the encryption and decryption happen entirely within your browser's secure environment, NoteRich servers never see your password, nor do they have the ability to decrypt your files. **You are the sole owner of your keys.**
---
## 💡 Best Practices for NoteRich Users
To get the most out of NoteRich's security features, keep these tips in mind:
1. **Use Strong Passwords**: Since NoteRich doesn't store your password, losing it means losing access to the encrypted file. Use a password manager to generate and store complex passwords.
2. **Verify Integrity**: If an encrypted import fails with a "Password Incorrect" or "Corrupted Data" error, it’s the AES-GCM authentication working exactly as intended to protect you from tampered files.
3. **Leverage Workspaces**: Combine NoteRich's Workspace Isolation with encrypted exports to maintain separate, highly secure environments for personal and professional notes.
---
## 🎯 Conclusion
Privacy shouldn't be a compromise. With **NoteRich's Local-First architecture** and **AES-GCM Encryption**, you get the best of both worlds: the lightning-fast performance of local storage and the unbreakable security of modern cryptography.
Whether you are archiving your life's work or syncing notes across your devices, NoteRich ensures that your thoughts remain yours—and yours alone.