Skip to content
Lithium Docs

Encryption

Your data stays locked on your device

When you use Lithium, everything you write is encrypted on YOUR device before it leaves. Your password is the key, and it never leaves your device. The server only sees encrypted blobs - unreadable gibberish without your key.

Think of it like this: you have a locked safe. You write your notes, lock them in the safe, and then send the safe to a storage facility. The storage facility can see you have a safe, but they don’t have the key. They can’t open it. They don’t even have a copy of the key.

Even Lithium staff can’t read your notes. We built it this way on purpose.

What happens when you sign in

When you create your account:

  1. Your password generates a master encryption key on your device (this takes about half a second)
  2. That key encrypts all your data locally
  3. The encrypted data gets synced to the server
  4. Your password and encryption keys never leave your device

When you sign in on a new device:

  1. You enter your password
  2. The same encryption key is generated on that device
  3. The encrypted data downloads from the server
  4. Your local key decrypts it

The server’s job is just to store and sync the encrypted data. It can’t decrypt anything.

What this means for you

The good: Your data is genuinely private. No one - including us - can access it without your password.

The tradeoff: If you lose your password, we can’t help you recover it. There’s no “forgot password” link that resets things. The encryption is real, and that means it’s permanent.

What you should do: Set up a recovery password as a backup. Store it somewhere safe and separate from your main password.

Technical details (if you’re curious)

We use XChaCha20-Poly1305 for encryption and Argon2id for key derivation — both are modern, well-studied algorithms trusted across the security industry. Argon2id is deliberately slow, which makes it computationally infeasible to brute-force your password, even if someone has the encrypted data.

All cryptography is handled by libsodium, a well-audited, battle-tested library used by major companies and security tools.