Security and privacy - Obsidian Help

## Encryption For your safety, [[Introduction to Obsidian Sync|Obsidian Sync]] encrypts your [[Local and remote vaults|remote vault]] and all communication with Obsidian's servers. When you create a new remote vault, you have two options: - **End-to-end encryption (default)** offers the strongest security but requires you to safely store your encryption password. This guarantees that no one — not even the Obsidian team — can access your notes. - **Standard encryption** uses an encryption key managed by Obsidian to protect your data in transit and on our server. We recommend end-to-end encryption for all users as it is the most private and secure option. However, be aware that if you forget or lose your encryption password, your data remains encrypted and unusable forever. We're not able to recover your password, or any encrypted data for you. Your choice only affects your remote vault. Obsidian doesn't encrypt your local vault. ### What does end-to-end encryption mean? End-to-end encryption means that the data is encrypted from the moment it leaves your device, and can only be decrypted using your encryption key once it's back on one of your devices. We can't read your data. Neither can any potential eavesdroppers, such as your internet service provider. In the rare case of a complete server breach, your data remains encrypted—no one can decrypt your files without knowing your password. ### What are the risks of using standard encryption? Standard encryption is fundamentally less secure than end-to-end encryption, but it can be a convenient option if you do not expect the data you are syncing to be completely private. For example, if your synced vault is [[Introduction to Obsidian Publish|published]] to a public website like this Help site, then end-to-end encryption is not necessary. Standard encryption is the same method of encryption used by cloud storage companies and software-as-a-service platforms, such as Google Docs, Dropbox, and iCloud (without Advanced Data Protection). Your encryption key is generated by the app and used to protect your data in transit and on the server. Because the encryption key is stored on company servers, it can be used to decrypt your data, e.g. in a case where the company is subject to a search warrant, or in a case where you want to access your data via a web browser. End-to-end encryption guarantees that Obsidian can never access your data and should always be used to sync data that you wish to remain completely private and secure. ### What encryption do you use? For data security, we implement industry-standard encryption protocols. Specifically, we use [AES-256](https://www.nist.gov/publications/advanced-encryption-standard-aes-0), the strongest encryption standard, widely employed in contexts such as online banking. The encryption process involves the following technical details: - **Key derivation function:** [scrypt](https://en.wikipedia.org/wiki/Scrypt) with salt - **Encryption algorithm:** AES-256 using [Galois/Counter Mode (GCM)](https://en.wikipedia.org/wiki/Galois/Counter_Mode) ### Can I verify that my data is end-to-end encrypted? Yes. See our guide, [how to verify Obsidian Sync's end-to-end encryption](https://obsidian.md/blog/verify-obsidian-sync-encryption/). This guide provide step-by-step instructions for you to trustlessly verify the end-to-end encryption of your data when it is sent and received via Sync servers. ### Has Obsidian completed a third-party security audit? Yes. Obsidian has been independently audited. Visit our [Security page](https://obsidian.md/security) to view audit reports. Regular audits by third-party security firms ensure that Obsidian code and procedures meet the highest security standards. ### What happens if I forget my encryption password? If you ever lose or forget the encryption password, you won't be able to connect additional vaults to your remote vault. Since the encryption password isn't saved anywhere, it's forever lost. Your data, however, is usually safely stored locally on each of your devices. To continue using Obsidian Sync, we suggest doing a full re-setup to be able to add new devices to your Sync system: 1. Make a full vault backup on your primary device, just in case something goes wrong. This can be as simple as making a copy of the vault folder, or creating a zip file from the vault. 2. Disconnect the remote vault in each of your devices. This can be done by going to **Settings → Sync → Pick remote vault → Disconnect**. 3. [[Set up Obsidian Sync#Create a new remote vault|Create a new remote vault]] on your primary device from the same Settings page. Optionally, you can delete the previous remote vault since you don't have the password for it anyway. (You may have to delete the previous remote vault if you are at the [[Sync limitations#How many remote vaults can I have?|vault limit]]) 4. Wait for your primary device to sync. Watch the sync indicator at the bottom right of the screen until it displays a green checkmark. 5. Connect each of your device to the same newly created remote vault. When connecting, you will be shown a warning about vault merging, this is expected and you can proceed. Wait for each device to fully sync before moving onto the next. This reduces the chances of issues. 6. Now all your devices should be connected to the new remote vault. ## Hosting ### Where do you host the servers for Obsidian Sync? Our data centers, powered by [DigitalOcean](https://www.digitalocean.com), provide geo-regional remote vault hosting options in the following locations: > [!abstract] Sync geo-regions > **Automatic**: Your data center is chosen based off your IP location. > > **Asia**: Singapore > **Europe**: Frankfurt, Germany > **North America**: San Francisco, USA > **Oceania**: Sydney, Australia ^sync-geo-regions ### Where can I find my current Sync server and where is it hosted? To locate your Obsidian Sync server, follow these steps: 1. Go to **Settings** → **Sync** → **Copy Debug Info**. 2. Paste the copied information into a note or file. 3. Look for a line similar to this: `Host server: wss://sync-xx.obsidian.md` This line indicates the server where your remote vault is hosted. For more details on the server's locations and uptime, visit our [status page](https://status.obsidian.md/). ## Network and access ### Managing access to Obsidian Sync on your network To regulate access to Obsidian Sync on your network, you need to manage the following domains: `sync-xx.obsidian.md` The `xx` in this case represents a number ranging from `1 - 100`. > [!tip] If your firewall system supports it, we recommend whitelisting `sync-*.obsidian.md` to account for the continuous growth in subdomain numbers.