Security & Encryption

The short version

Afrek has two security modes:

  • Standard mode — Your data is stored securely using industry-standard practices. We can access it to provide support if needed.
  • End-to-end encryption — Your task content is encrypted in your browser before it reaches our servers. We cannot read your encrypted data, even if we wanted to.

Should I enable encryption?

Consider it if:

  • You store sensitive personal or client info in tasks
  • You're familiar with passkeys
  • Privacy is a top priority for you

Maybe skip it if:

  • You're new to passkeys
  • You worry about losing access to devices
  • Your tasks aren't particularly sensitive

How to enable encryption

  1. Click the lock icon in the top navigation bar of the app
  2. Follow the prompts to register a passkey
  3. Your existing tasks will be encrypted, and new tasks will be encrypted automatically from then on

⚠️ Important: If you lose access to your passkey, your encrypted data cannot be recovered—by you or by us. Make sure you have backup access to your passkey.

What gets encrypted

  • Task titles
  • Task notes
  • Tags

What stays unencrypted

Some fields remain unencrypted so the server can filter and sort your tasks:

  • Task status (backlog, scheduled, done)
  • Priority level
  • Scheduled date
  • Timestamps (created, updated, completed)

Benefits

  • True privacy: Your task content is unreadable on our servers
  • No password to remember: Your passkey handles authentication and key derivation
  • Protection against breaches: Even if our database were compromised, your encrypted data would be useless without your passkey

Trade-offs

  • Passkey required: You need your passkey to access tasks on any device
  • Local search only: Since the server can't read your content, search happens on your device after decryption, which may be slower
  • No recovery: If you lose access to your passkey, your encrypted data cannot be recovered

Technical details

Encryption uses standard browser APIs (Web Crypto API) with the following algorithms:

  • Cipher: AES-256-GCM (authenticated encryption)
  • Key derivation: WebAuthn PRF extension
  • IV: 96-bit random nonce per encryption operation

Each task's sensitive fields are JSON-serialized, encrypted, and stored as a base64-encoded blob. The encryption version is stored alongside the ciphertext to allow future algorithm upgrades.

The implementation is open source, so you can audit the code yourself on GitHub.