Encryption Story?

Hi,

I’m looking for a privacy-friendly replacement for Notion, and so far Anytype is the closest candidate. I find it hard to understand the encryption story, however.

  • On one hand, on the front page of Anytype, one of the first things you see is, “local, on-device encryption”.
  • On the other hand, the docs say the opposite: “The local Anytype data folder itself is not encrypted. We have a prerequisite that the user’s machine is non-compromised and trusted”.
  • There is a thread from last year here on the forums, where people try to understand whether the data is encrypted or not. There is a comment in that thread from one of the developers which says, “data is encrypted, search queries aren’t”. So, in other words, “there are situations when the data is not encrypted locally”. I would like to understand better when such situations may arise.
  • And finally, this thread says basically, “encryption is not an issue for full-text search because the data is stored locally” - perhaps implying it’s not encrypted?

Overall I think Anytype is a great solution but I would like to understand better what I can and cannot expect from it.

Another question: if it’s indices that are the problem, can I disable their creation? Or manually remove them regularly, in which case, where are they stored?

The basic idea is:

All of your data is encrypted

That means, all of your notes, files, and all of your objects in Anytype. That’s why you have your seed phrase, which encrypts the data, which is then decrypted in the app every time you log in. So, unless someone has access to your seed phrase (or can access your local device when you are logged into the app - there is the passcode option for that reason, which you are required to enter every time you open up the app), no one can access any of your data. It’s encrypted locally, and thus is encrypted when backed up to the Anytype server, or if you self-host, your server.

About indices/searches

Whenever you search your space, Anytype stores these searches/indexes temporarily. They’re not encrypted, because as the head devs said, it would make searching your space a lot slower. You can delete them somewhere (as I do remember when using the app on Windows, I did notice the directory where they are stored), but it’s honestly not too much to be concerned about. You could probably ask around (the devs would probably know) or just look through the app folder and find it.

Hope this helps,
-James @23jjl

2 Likes

Thank you, this indeed is more clear.

So in other words, unless I use the “Search” feature, no unencrypted indices are created?

1 Like

Hi @stifle300, welcome to our Community!

Thank you for bringing the inconsistency in our documentation to our attention; it was an oversight, and we have rectified it.

Our encryption methods have stayed the same since the comments you referred to were made.

@23jjl is correct in his summary; the on-the-fly search string decryption is for performance reasons. So, only the query you type gets saved in a decrypted state, nothing else about the object.

Looking forward, sometime this year we’re going to roll out encrypted indexing, which will have no notable impact on performance.

1 Like

@Angelo thank you for the fast reaction regarding the docs! Definitely helps. And great to hear encrypting also the indices is something on your roadmap!

The docs say though: “To be able to search through the documents efficiently, we create indexes of your data locally on the basis of the encrypted objects. Think of that as two different storages: one for data, the other for indexes.”

So is it what you type in the search bar that gets stored in an unencrypted way, or does the app build these data structures ahead-of-time to speed up search? E.g. ordinary databases build indices precisely ahead-of-time, and not at the time of search.

If it is ahead of time, then what could leak there?

What I am really trying to understand is the threat model of the app. If an attacker obtains a copy of my data folder at rest (that is, when I do not have the app open) from my local machine, what can they learn, under the assumption that the ciphers cannot be broken and the secret key doesn’t leak?

1 Like

If somebody copies your folder, they might only obtain indexes stored unencrypted, as previously mentioned, necessary for full-text search. Therefore, some of your indexed data could potentially be read. We assume this is a rare occurrence. If an attacker gains access to your machine, they could potentially access not only your file system but also your computer’s memory. In such a case, even if your index was encrypted, the attacker could decrypt everything if they obtain the keys from the memory.

1 Like
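The at-rest question raised in this thread can be checked empirically on your own machine: type a unique canary string into a note, close the app, then scan a copy of the data folder for that string. The script below is an added example, not code from Anytype or from anyone in this thread; the function names, the canary value and the folder layout built in `demo()` are all constructed for illustration.

```python
import os
import random
import tempfile


def needles(canary):
    """Byte patterns for the canary: as typed and lowercased, UTF-8 and UTF-16LE."""
    pats = {}
    for label, text in (("exact", canary), ("lower", canary.lower())):
        pats.setdefault(text.encode("utf-8"), label + "/utf-8")
        pats.setdefault(text.encode("utf-16-le"), label + "/utf-16le")
    return pats


def scan_folder(root, canary):
    """Return sorted (relative_path, variant, offset) of the first hit per file and variant."""
    pats = needles(canary)
    keep = max(len(p) for p in pats) - 1  # overlap, so a match split across chunks is found
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            try:
                with open(os.path.join(root, rel), "rb") as fh:
                    tail, pos = b"", 0
                    while chunk := fh.read(1 << 20):  # 1 MiB at a time
                        buf = tail + chunk
                        for pat, variant in pats.items():
                            i = buf.find(pat)
                            if i >= 0:
                                hits.setdefault((rel, variant), pos - len(tail) + i)
                        pos += len(chunk)
                        tail = buf[-keep:]
            except OSError:
                continue  # locked or unreadable file: skip it
    return sorted((rel, variant, off) for (rel, variant), off in hits.items())


def demo():
    """Constructed folder: one random blob (stand-in for ciphertext), one plaintext index."""
    canary = "QuokkaVermilion7731"  # constructed sample value
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "objects"))
        os.makedirs(os.path.join(root, "index"))
        with open(os.path.join(root, "objects", "blob.bin"), "wb") as fh:
            fh.write(random.Random(0).randbytes(4096))
        with open(os.path.join(root, "index", "terms.dat"), "wb") as fh:
            fh.write(b"\x00" * 10 + canary.lower().encode() + b"\x00doc42")
        return scan_folder(root, canary)
```

A hit proves that the string is readable at rest in that file. No hit does not prove encryption, since an index may store tokens split, stemmed or compressed.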