Encryption, in plain language
When an app says "your data is encrypted", it can mean two very different things. One of them is useful to you. The other is useful to the company. They sound the same in marketing copy. They're not.
This post is the short, friendly walk-through of what's actually going on under those words, and which version Vita is doing.
Encryption, the basic idea
Encryption is what happens when you scramble data so thoroughly that the only way to unscramble it is with a specific number called a key.
Useful mental model: encryption is a vault. The key is what opens the vault. The vault is unbreakable; the only attack is to steal the key. The math underneath is solid — modern keys are big enough that guessing them is harder than counting every atom in the universe. So when encryption fails in real life, it almost always fails because the key got into the wrong hands, not because the math got cracked.
That distinction — who has the keys — is the whole story.
"Encrypted" the way most apps mean it
When a normal app says your data is encrypted, here's what's typically true:
- The data is encrypted while it's flying through the internet (between your phone and the company's server). That's just HTTPS — every reputable site does this.
- The data is encrypted on disk in the company's data center, so if someone broke into the building they couldn't read the hard drives directly.
- The company holds the keys for all of that, because if they didn't, they couldn't serve you the data when you log in.
That last bullet is the catch. Their server can read your data any time it likes. So can anyone the company gives access to: engineers debugging a problem, the analytics team, a future owner, a court order, a determined attacker who steals a key.
This isn't dishonest of the company. It's just what "encrypted" means when the server is the place that makes the app work.
"End-to-end" the way Vita means it
End-to-end encryption means the only devices that can read the data are the ones the data is for. Not the server in the middle.
Concretely:
- Your data is locked before it leaves your device, using a key that's on your device.
- The server in the middle (we call it the relay) sees only scrambled bytes. It has nothing to unlock them with — the keys never get uploaded.
- When the bytes arrive on your other device, that device has the same key and can unlock them.
This is what end-to-end means: the only things in the universe that can read your habits are the devices you've personally set up. We can't. The relay can't. Nobody we hand the relay to in the future can. It's not a policy — it's that we don't have the keys to give.
How two devices that have never met agree on a key
This is the part that sounds impossible the first time you hear it.
Picture this scenario: you've got Vita on your phone. You want to add it to your laptop. The two devices have never met. The only way they can talk to each other is through that relay we said can't read anything. How do they agree on a shared key without telling the relay what the key is?
A useful analogy is mixing paint.
Suppose you and a friend want to agree on a secret color. You both start with a public starting color — say, yellow. Each of you picks a private color in your head and tells nobody.
You mix your private color into yellow and shout the result across the room. Your friend does the same. Anyone listening hears both shouted mixtures and the original yellow.
Now you mix your private color into your friend's shouted mixture. Your friend mixes their private color into yours. By the magic of mixing being order-independent, you both end up with the same final shade.
The eavesdropper has the yellow and the two shouted mixtures, but can't run paint backwards to extract either private color. So they can't reach your shared shade.
Replace "paint" with "very big numbers" and "running paint backwards" with "a problem that would take longer than the age of the universe to solve" and that's roughly how it actually works.
Vita uses this to let your phone and your laptop arrive at a shared key the relay can't compute. From then on, every byte they send each other is locked with that shared key.
The catch: how do you know the device that scanned your QR is actually your laptop and not someone in the middle pretending to be? Vita shows a short verification number on both screens after pairing. You glance at both, confirm they match, and that's done. If the relay were trying to slip in between them, the two numbers would be different — and you'd see it.
Tamper-evident seals
There's one more idea worth knowing. Plain encryption keeps things secret — but it doesn't notice if someone changes the scrambled bytes in transit. A mischievous server could flip a bit and you'd just see garbled output without knowing why.
Modern encryption fixes this by also adding a tiny fingerprint to each sealed package. If anything in the package is altered — even one bit — the fingerprint stops matching and your device knows to reject it. Like a tamper-evident seal on a medicine bottle: the contents might still be unreachable, but at least you know if someone tried.
So the relay can drop your data on the floor (and we'd notice — the event count wouldn't add up) or delay it. But it can't change one of your records without your devices catching on.
Where Vita keeps the keys
The math is great. But ultimately, a key is just a number sitting in some computer's memory. Where you put that number matters.
Vita uses two of the browser's safer storage features:
- The keys live in a storage area scoped to the website — other websites in the same browser can't see them.
- One of the keys is generated in a way that means even Vita's own code can never read the raw bytes. The browser will use the key on your behalf (encrypt this, unlock that) but won't ever hand the actual number back to JavaScript. So a hostile script in a future bug, or a different tab pretending to be Vita, can't just pull the key out.
The keys never get sent over the network. They were generated on your device, they stay on your device.
What the relay actually sees
Here's the same information laid out as a list. It's the closest thing to a "see for yourself" you can get without reading code.
| What the relay can see | What the relay cannot see |
|---|---|
| Your account exists | Anything inside any of your records |
| Your devices exist (and their friendly labels — "Pixel 8") | The habits you track |
| When you opened the app and how much you typed | What you marked done, skipped, or wrote in a note |
| The shape and timing of sealed packages flowing through it | Your name, timezone, locale |
| Your IP address (because TCP) | Your encryption keys (it never had them) |
If someone broke into the relay tomorrow, they'd learn that your account exists and roughly when you've been active. They would not learn anything about what you actually tracked.
What this doesn't protect against
Honesty matters here. Some honest gaps:
- A compromised device or browser. If something malicious is already running on your phone — a hostile extension with broad permissions, malware at the OS level — no cryptography can save you. The bad code is on the same side of the vault as the key.
- Traffic patterns. Even though the relay can't read your data, it can see when you sent things and how big they were. A patient observer can probably tell when you opened Vita and how much you typed, even though they can't read what.
- Losing every paired device. The math that protects you also protects you from us being able to help you recover. If you lose every paired device, the relay's stored bytes are permanent gibberish to everyone — including you. The way out is to pair a second device so you've got two copies of the key locally.
- Clicking past the verification number. When you pair a new device, Vita shows a short number on both screens and asks you to confirm they match. If you click "match" reflexively without reading, you've handed the relay a way in. We label the buttons to make it feel like a check, not a continue. We can't take that last step for you.
Why all of this
A normal app is much simpler: log in with a password, the server holds your data, that's it. You trust the server.
The trade Vita makes is more code on your device for less trust in any company, including ours. The relay is replaceable. The encryption is verifiable from the source. The only place your data exists in readable form is on devices you control.
That property — the company can vanish and you still have your habits — is the actual point. The math just makes it true.