Encryption Setup
Configure zero-knowledge or managed recovery encryption.
Zero-Knowledge Mode (Default)
Your encryption key is derived from your passphrase using Argon2id. BackupEngine never sees your passphrase or key. Only you can decrypt your data.
- •Choose a strong passphrase (minimum 8 characters)
- •The passphrase derives a 256-bit AES key via Argon2id
- •Each chunk is encrypted with AES-256-GCM with a unique IV
- •If you lose your passphrase, data CANNOT be recovered
⚠ Warning
Write down your passphrase and store it securely. There is no reset mechanism in zero-knowledge mode.
Managed Recovery Mode
Your key is wrapped with RSA-OAEP and stored in Supabase Vault. This allows passphrase reset but means BackupEngine could technically access your key.
- •Switch to managed recovery in Settings → Encryption
- •Enables passphrase reset via email verification
- •Slightly lower security — BackupEngine holds a wrapped recovery key
- •Recommended only if passphrase loss risk outweighs security concerns