Is there a complete description of the end-to-end encryption scheme used for Obsidian Sync? I’ve only found passing mentions of details, e.g., in update notes and on the security and privacy page. I have pieced together that it somehow entails a key derived from a sync-only password via scrypt and likely uses AES-GCM-SIV. If this is the case, accidental nonce reuse is likely safe, but it still depends on the specifics. Nonce reuse with the same key and different plaintexts in “raw” AES-GCM mode is catastrophic. The problem here is that the IV bit size is too small to give high confidence against collision if IVs are generated randomly.
Some specific questions I have that I haven’t been able to find answers to:
- What symmetric primitive is used to do the raw encryption?
- Is the encryption deterministic? Should I expect the same plaintext to result in the same ciphertext or can this only occur on (hopefully-incidental) nonce reuse?
- What exactly is the key derivation process? I see that it involves scrypt and HKDF (presumably both salted).
- Are the salts independent or shared?
- Are they randomly generated on each save or reused for the duration of the vault (or some other time span)?
- What data goes into the AD section? Are all relevant KDF and crypto parameters authenticated?
Note that sufficiently large salts which are regenerated on every save from a high quality random source dramatically mitigate the risks of nonce reuse since this drives the risk of key reuse to near zero. I haven’t seen anything that suggests this is happening, but it would make me a lot more comfortable. I also realize that many risks are mitigated since all the crypto (in principle) happens client-side and the payload is essentially inert data, but best practices go a long way to establish trust and defense in depth.