This document explains the technical measures DulyNote uses to protect your data.
File-Level Encryption
DulyNote encrypts exported and backed-up files using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode).
- AES-256 is a widely adopted encryption standard used in regulated and security-critical environments.
- GCM provides authenticated encryption, ensuring both confidentiality and integrity by detecting unauthorized modifications.
Key Derivation
The Recovery Key you generate is used to derive the encryption key rather than being applied directly. DulyNote uses PBKDF2 with HMAC-SHA256 and a high iteration count to produce the final key.
This approach increases resistance to brute-force attacks by making each guess computationally expensive.
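The derive-then-encrypt flow from the two sections above, as an added Node.js example; it is not DulyNote's code. The iteration count (600,000), the salt and nonce sizes, the nonce|tag|ciphertext layout and the use of the file name as associated data are assumptions, since the page does not state them.

```javascript
// Added example, not DulyNote's code. Assumed (not stated on the page):
// 600,000 iterations, 16-byte salt, 12-byte nonce, nonce|tag|ciphertext layout,
// and the archive-visible file name bound as associated data (AAD).
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000;
const NONCE_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;

// Recovery Key -> 256-bit AES key. Run once per archive: the cost is deliberate.
function deriveKey(recoveryKey, salt, iterations = ITERATIONS) {
  return nodeCrypto.pbkdf2Sync(recoveryKey, salt, iterations, KEY_LEN, 'sha256');
}

// Encrypt one file. A fresh random nonce per file is mandatory with GCM:
// reusing a nonce under the same key breaks confidentiality and integrity.
function encryptFile(key, plaintext, fileName) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(fileName, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt one file. Throws if the key is wrong, or if the ciphertext, tag,
// nonce or file name was altered; no plaintext is returned in that case.
function decryptFile(key, blob, fileName) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('truncated file');
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const body = blob.subarray(NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce,
    { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(fileName, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Constructed sample data: round trip, then a single flipped bit is rejected.
const salt = nodeCrypto.randomBytes(16);
const key = deriveKey('CONSTRUCTED-RECOVERY-KEY-0000', salt);
const blob = encryptFile(key, Buffer.from('meeting notes'), 'notes/0001.json');
console.log(decryptFile(key, blob, 'notes/0001.json').toString());
blob[blob.length - 1] ^= 0x01;
try { decryptFile(key, blob, 'notes/0001.json'); }
catch (err) { console.log('rejected:', err.message); }
```

Because the file name is authenticated but not encrypted, an encrypted file moved to a different name inside the archive fails decryption in this example even though the name itself stays readable.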
Transparent Archive, Encrypted Content
DulyNote uses file-level encryption instead of archive-level passwords to support reliable import and validation.
- Visible Structure: The .dnote archive can be inspected to reveal file names and structure. This allows the application to verify versioning and signer information before requesting a Recovery Key.
- Encrypted Payload: All files, including the manifest, notes, and media, are fully encrypted and unreadable without the correct Recovery Key.
- Minimal Metadata Exposure: Only non-sensitive information (such as application version and encryption status) is accessible. All user data remains encrypted during storage and transfer.
Zero-Knowledge Architecture
DulyNote follows a Zero-Knowledge security model.
- No Server Access: Encryption keys and unencrypted data are never transmitted to or stored on DulyNote servers.
- Local Key Storage: Recovery Keys are stored only in secure device storage (such as iOS Keychain or Android Keystore).
- User-Controlled Access: Only the user can decrypt their data; DulyNote cannot access it under any circumstances.
⚠️ Important
Because DulyNote uses a Zero-Knowledge architecture, Recovery Keys cannot be reset or recovered if lost.