arrow_back Pulse's End-to-End Encryption
Pulse > Encryption

Technical Encryption Overview

TLDR; In technical terms, we use PBKDF2 to encrypt your password and use it as a key to encrypt messages and conversations. The only way to decrypt those messages is to then use your password again as the key, along with a few other randomly generated numbers, called salts.

When an account is created, we generate two salts. One to use with authentication and one for end-to-end encryption.

The one that we use with login is straight-forward and normal, it is how all apps do authenication. We store a version of your password, hashed against the first salt, and authenticate you against this hash. Your password is obviously never stored on the server, that would defeat the point of end-to-end encryption as well as compromise your accounts security. No modern web services would ever store your password in their database.

For the encryption, on the client-side, we hash your password against salt #2 and store it locally on the device (computer/tablet/phone). When encrypting and decrypting, we use this password + salt 2 hash, combine it with your account id, then hash it again against the first salt to create the secret key. Having this key is the only way that you can decrypt messages (or any information at all that is stored on our server). Since no one else has the password that was hashed against the second salt, no one else will be able to decrypt anything.

So, your password is never stored anywhere - only hashed versions of it - and without that password, there is no way to create the secret key used for encrypting and decrypting the content stored in the backend.

Want to verify yourself?

I don't blame you. If you are here, worried, and understand the technical details of the encryption, then you probably shouldn't just take my word for how it works. If you are worried about something like this, you should verify it for yourself rather than just "trust me".

From the web app, you can also just pop open a "network" tab in the JavaScript inspector to take a look at the raw data that is returned from API requests and what is encrypted.