Devices that can skip the one-time code on this access password.
Sealed copies of this server's database, encrypted under your X25519 public key. Local files land in /data/backups; if S3 is configured, they're also uploaded automatically.
Configuration
DEK escrow uploads each notebook's encryption key, sealed under your X25519 public key. Once enabled, anyone holding the matching private key can decrypt every note in a backup — same level of access as your master password. Store the private key as carefully as the password (or more).
Your browser doesn't expose WebCrypto X25519 (needed for DEK escrow). Use a recent Chrome 124+, Firefox 130+, or Safari 17.4+. Without escrow, restore won't be able to recover notes — encrypted backups are still produced and uploaded normally.
Remote upload (S3-compatible)
Push-only credentials only: a service-account HMAC key with object-create and nothing else. The secret is stored in app.sqlite; if it leaks, the holder can only push more backups.