Encrypted Sync Service

A detailed configuration guide.

The Encrypted Sync Service (ESS) is the easiest way to sync your Everdo data across any number of devices. When using ESS, each device still owns its data and is capable of working offline for any period of time. But now the devices also connect to ESS, which keeps them updated with the latest changes.

A key feature of the ESS is that your data gets encrypted before leaving your device and the encryption key is never shared with the ESS. More details on what gets encrypted and how are given in the FAQ below.

Creating an ESS Account

While Everdo works without any kind of sign-up, connecting to ESS requires a user account to store the encrypted data. To create an account, go to sync.everdo.net/signup. You will need the username and password for this account when first connecting your devices to ESS.

Make sure to verify your email address by clicking a verification link in your email inbox. You should see the Active status in your ESS account before trying to configure your devices.

Configuring ESS Sync on The First Computer

Follow these steps to sign in to ESS on one of your computers.

  1. Open Everdo, go to Settings->Sync.
  2. In the Mode drop-down, select Encrypted Sync.
  3. Enter your ESS account credentials to sign in.
  4. Optional: In the Device Name text field, enter a name for this computer that will make sense to you later on.
  5. Press the Sign In button.

Once you have signed in, the next step is to set up an encryption key for your data.

  1. Notice that some encryption key (passphrase) was already generated for you. You can see it in the Encryption Key text box. That key was chosen randomly, so it is safe to use. Or you can modify it.
  2. Optional: Set your own encryption key. This is possible, but not recommended unless you know what you are doing. You can use any 16-word passphrase built from the Niceware word list. Using words that are not in the list, or a different number of words, will not pass validation, because a 256-bit key is required.
  3. If this is not the first computer you are connecting to the ESS, then you must replace the passphrase with the one used on other devices.

Once you have set up the encryption key correctly, press the Sync button. You should then see the Status label change to Synced. Finally, press Apply when you are done to apply and save the configuration.

Quick Pairing of Android/iOS Devices

Once your desktop computer is syncing successfully, you can use it to easily configure mobile devices.

  1. In the desktop app, go to Settings -> Sync -> Pair Mobile Device, press Begin.
  2. Follow the steps until you see a QR code.
  3. In the mobile app, go to Settings, change Sync Mode to Encrypted Service or ESS Integration, press Quick Pairing.
  4. Scan the QR code from the desktop app, confirm pairing and wait until you see a success message in the mobile app.

After the pairing is finalized, your device will begin syncing automatically.

Configuring ESS Sync on Other Computers

The setup process on other computers is almost exactly the same, except you need to bring the encryption key from your first computer, as opposed to generating a new one.

  1. Sign in to ESS, as described above on this page.
  2. Type in or paste the correct Encryption Key.
  3. Press Sync and make sure the Synced status appears.
  4. Press Apply to apply and save the configuration.

Configuring ESS Sync in The Android App (Manual)

The setup process on mobile devices is almost exactly the same, except you need to bring the encryption key from your first computer, as opposed to generating a new one.

  1. Go to Settings
  2. Tap Sync Type, select Encrypted Service
  3. Tap Encrypted Service: Manual Setup, then Sign in to sync
  4. Use your ESS username and password to sign in.
  5. Tap Encryption Key and enter the correct encryption key.
  6. Exit settings and try to trigger sync by swiping down the view.

Once you have verified that sync is working, you can enable Auto Sync in settings.

Configuring ESS Sync in The iOS App (Manual)

The setup process on mobile devices is almost exactly the same, except you need to bring the encryption key from your first computer, as opposed to generating a new one.

  1. Go to Settings
  2. In Sync Mode, select ESS Integration
  3. Tap Manual Setup, Connect
  4. Use your ESS username and password to sign in.
  5. Tap Update Key and enter the correct encryption key.
  6. Tap Sync Once and observe the status.

Once you have verified that sync is working, you can enable Auto Sync.

Manual Sync Actions

In some cases it may be necessary to manually trigger a sync action to fix a data discrepancy between devices, particularly when transitioning between the Local Network sync and the ESS, or switching to a different ESS account.

The manual actions described below are available in sync settings.

Push

Copy all items and tags from the device to the ESS, making the ESS data completely match the local data.

Force Push

Same as Push, but also forces the ESS to accept data encrypted with a new encryption key. This is necessary after you have changed the encryption key, otherwise the ESS will report a key mismatch error.

Pull

Copy all items and tags from the ESS to the device, overwriting any conflicts. A pull is non-destructive in the sense that it does not remove any items on the device, unless they have been explicitly marked as deleted. This means a pull does not necessarily bring the state of your device to match the ESS data.

Clean Pull

Re-create the local database by pulling data from ESS. This action is useful to make the state on the device exactly match the ESS.

Proxy Server Settings

In order to specify an HTTP proxy for ESS communication, add the following line to config.json, which is located in the home directory. Replace user and password with correct values.

{
  ...,
  "proxy": "http://user:password@1.2.3.4:12345"
}

Troubleshooting

Problem: Getting The encryption key mismatch Error.

This means the device is not configured with the same encryption key that has been previously used to sync with the ESS account.

  1. Open Everdo on one of your computers that has complete data.
  2. Go to Settings->Sync, press Sync and notice the status.
  3. If the status indicates encryption key mismatch, then press Force Push to override the data in ESS.
  4. Press Show Key and transfer the passphrase you see now to all your devices.

Problem: SSL Errors When Trying to Sync

If you are behind an SSL proxy on a trusted network, you may need to use the Ignore SSL Errors switch in the sync settings dialog.

Problem: Tags Get Removed From Items

The ESS is missing some of the tags that you have on your device. This is probably because you have moved from the Local Network sync to the ESS sync. You need to perform a Push in order to fix this data discrepancy.

ESS Sync FAQ

Q: Once I start using the ESS, can I go back to the network sync?

Yes, it's just a matter of re-configuring your devices as explained in the Local Network Sync guide.

Q: How does the ESS know which encryption key is used?

The ESS never actually sees your key. Instead, your devices compute a fingerprint or cryptographic hash of your key, which is enough information for the ESS to make sure the device is configured correctly. At the same time, this hash does not reveal any information about the contents of the key itself.

Q: Which parts of the data get encrypted and how?

The title and description of all items and tags are encrypted with the AES256-CBC scheme. Each string gets encrypted with a new IV for every sync cycle. This is what an action’s title looks like when encrypted:

1.EoCd6AP5LeGP937S3Mi31g==.kFdPOGCP7e+Z8sAl4wcesADJY54TQULqmmUETq2QWHY=

The metadata properties such as modification timestamps and parent-child references are not encrypted. These are necessary for conflict resolution and optimizing the syncing algorithm.
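The sample string above reads as three dot-separated fields. The following is an added example, not Everdo's own code: it assumes the fields are a format version, a base64 IV and a base64 AES-256-CBC ciphertext (an inference from the sample), and uses a constructed key and title to show that a fresh IV makes the same title encrypt differently each time.

```javascript
// Added example (not Everdo code). Assumed layout: version.base64(IV).base64(ciphertext)
const nodeCrypto = require('node:crypto');

// The sample string quoted on this page.
const SAMPLE = '1.EoCd6AP5LeGP937S3Mi31g==.kFdPOGCP7e+Z8sAl4wcesADJY54TQULqmmUETq2QWHY=';

// Split an encrypted field and check the sizes AES-256-CBC requires:
// a 16-byte IV and a ciphertext made of whole 16-byte blocks.
function parseEncryptedField(text) {
  const parts = text.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated parts');
  const [version, ivB64, ctB64] = parts;
  const iv = Buffer.from(ivB64, 'base64');
  const ciphertext = Buffer.from(ctB64, 'base64');
  if (iv.length !== 16) throw new Error('IV must be 16 bytes');
  if (ciphertext.length === 0 || ciphertext.length % 16 !== 0) {
    throw new Error('ciphertext must be a whole number of AES blocks');
  }
  return { version, iv, ciphertext };
}

// Encrypt one string with a new random IV, as the page describes per sync cycle.
function encryptField(plaintext, key) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return `1.${iv.toString('base64')}.${ct.toString('base64')}`;
}

// Reverse of encryptField; throws if the key or padding is wrong.
function decryptField(text, key) {
  const { iv, ciphertext } = parseEncryptedField(text);
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed 256-bit key for the demonstration only.
const DEMO_KEY = nodeCrypto.randomBytes(32);
```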

A 16-word random passphrase from a 65536-word list is generated on your computer and is used to represent a 256-bit encryption key. The passphrase is stored on each synced device so that the device can work with the encrypted data. The passphrase is never sent to the ESS, but a cryptographic hash of the passphrase is tracked by the ESS to avoid data corruption caused by mismatched keys on devices.
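Why exactly 16 list words are required, as in the validation rule from the key setup steps: each word from a 65536-entry list stands for 16 bits, so 16 words give 256 bits. The following is an added example, not Everdo's code; it uses a constructed stand-in list rather than the real Niceware list, and it assumes the decoded bytes are used directly as the key.

```javascript
// Added example (not Everdo code). STAND_IN_WORDS is a constructed
// 65536-entry list ("w0000".."wffff"), NOT the real Niceware word list.
const STAND_IN_WORDS = Array.from({ length: 65536 }, (_, i) =>
  'w' + i.toString(16).padStart(4, '0'));
const WORD_INDEX = new Map(STAND_IN_WORDS.map((w, i) => [w, i]));

const WORDS_REQUIRED = 16; // 16 words * 16 bits per word = 256 bits

// Decode a passphrase into key bytes. Each word is an index 0..65535,
// written as two big-endian bytes (the encoding Niceware uses).
function passphraseToKey(passphrase, index = WORD_INDEX) {
  const words = passphrase.trim().toLowerCase().split(/\s+/);
  if (words.length !== WORDS_REQUIRED) {
    throw new Error(`expected ${WORDS_REQUIRED} words, got ${words.length}`);
  }
  const key = Buffer.alloc(WORDS_REQUIRED * 2);
  words.forEach((word, i) => {
    const n = index.get(word);
    // Report the position only, so the secret word is not echoed into logs.
    if (n === undefined) throw new Error(`word #${i + 1} is not in the list`);
    key.writeUInt16BE(n, i * 2);
  });
  return key;
}

// Inverse mapping: 32 key bytes back to the 16 words to type on another device.
function keyToPassphrase(key, words = STAND_IN_WORDS) {
  if (key.length !== WORDS_REQUIRED * 2) throw new Error('key must be 32 bytes');
  const out = [];
  for (let i = 0; i < key.length; i += 2) out.push(words[key.readUInt16BE(i)]);
  return out.join(' ');
}
```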

Q: Is the data also stored in an encrypted form on my devices?

Using the ESS doesn't change the way Everdo stores data locally. That is, the data is only encrypted prior to being sent to the ESS. It does not make sense to store encrypted data on your own device, since the encryption key is stored right beside it anyway.

Q: What happens if I lose the encryption key?

In short, probably nothing. The encryption key is stored as encryption-key in the home directory. Even if you lose it somehow, it’s not a problem, as long as you still have the local database. You can then generate a new encryption key on your computer, update all devices to use it, then use the “Force Push” function to tell ESS to accept the new key.
