-
Notifications
You must be signed in to change notification settings - Fork 20
Encrypted Sync
Submersion's Multi-Device Sync uses cloud storage you control — iCloud, or an S3-compatible bucket. By default your storage provider encrypts your files at rest, but the provider itself can still read your dive log: your sites and their GPS coordinates, buddy names, certification details, and personal notes.
End-to-end encryption closes that gap. Turn it on and Submersion encrypts every sync file — and every cloud backup — on your device before it is uploaded, using a key derived from a passphrase only you know. Your storage provider then sees nothing but opaque blobs. It is entirely optional and off by default.
With encryption on, everything Submersion writes to your cloud storage — sync changesets, the base snapshot, and cloud backups — is unreadable without your passphrase.
- Protected: the full contents of your dive log and cloud backups. Your storage provider, or anyone who obtains your storage credentials, sees only ciphertext.
- Not hidden: file names, file sizes, timestamps, and how many devices you sync. Encryption protects the contents of your files, not the fact that they exist. If that metadata matters to you, keep your bucket private and your access token tightly scoped as well.
- Your devices are unaffected. The dive log stored on each device is never encrypted by this feature — only what leaves the device for the cloud. You never enter a passphrase to open the app or read your own dives.
Encryption is set up on one device and then adopted by the others.
- Configure sync first. Encryption lives under Settings → Cloud Sync, in the End-to-end encryption section, and needs a storage backend already selected. Do this on the device that holds your library.
- Tap Enable encryption.
- Choose a passphrase (at least 8 characters) and confirm it. Pick something strong — it is the lock on your entire cloud library.
- Submersion shows you a recovery code: eight words. Write it down and keep it somewhere safe, then tick I have saved my recovery code to continue. (More on the recovery code below.)
- Leave Delete existing unencrypted cloud backups ticked (the default) so the plaintext copies already in your cloud are cleaned up.
- Finish. Submersion re-uploads your whole library in encrypted form and every sync from now on is encrypted.
Encryption is protected by two secrets, and either one unlocks your library:
| Secret | What it is | Where it comes from |
|---|---|---|
| Passphrase | The phrase you chose when enabling encryption | You pick it |
| Recovery code | Eight words, shown once at setup | Generated for you |
The recovery code is your safety net for a forgotten passphrase. Keep it somewhere separate from your devices — a password manager, or written down and stored safely. When you type it, spacing, capitalization, and hyphens don't matter.
When a device that already has your (encrypted) library on the cloud tries to sync, it needs the passphrase before it can read anything:
- Install and update Submersion on the new device and connect it to the same storage backend as your others.
- Run a sync. Because the library is encrypted and this device has no key yet, sync pauses and the Cloud Sync page shows an Enter passphrase banner.
- Tap it and enter your passphrase (or your recovery code). Submersion unlocks the library, downloads it, and syncs normally from then on.
You enter the passphrase once per device. Submersion stores the unlocked key in that device's secure keychain, so you are not asked again on that device.
Once encryption is on, the End-to-end encryption section of Settings → Cloud Sync offers:
| Action | What it does |
|---|---|
| Change passphrase | Set a new passphrase. Takes effect immediately and does not require re-uploading your library. Your recovery code keeps working. |
| Generate new recovery code | Replace your recovery code with a fresh one. The old code stops working the moment you do this. Use it if you think your recovery code was exposed, or simply misplaced it. |
| Turn off encryption | Go back to unencrypted sync (see below). |
Encryption also covers your cloud backups. While it is on, every backup uploaded to your cloud storage is encrypted with the same passphrase, and each encrypted backup is self-contained: you can restore it on a brand-new device by entering the passphrase (or recovery code), even before sync is configured there. Restoring works the same as any other backup — Submersion just asks for the passphrase if the backup it's opening is encrypted and the device doesn't already hold the key.
Backups saved to a local folder, a connected drive, or the share sheet stay unencrypted, on purpose: a backup is your safety net, and it should never be locked behind a passphrase you might forget. If you want those protected too, encrypt the destination yourself (for example, an encrypted disk image or an archive with its own password).
Turn off encryption in the same section returns you to ordinary, unencrypted sync. Submersion re-uploads your library in plaintext and your other devices re-download it on their next sync — the mirror image of enabling it. Backups you already made while encryption was on remain encrypted and stay restorable with the passphrase you used at the time.
Losing your passphrase (and recovery code) does not mean losing your dives. Your local library is never encrypted, so any device that already has your data still has all of it in the clear. To get back to a working, synced state:
- On a device that still has your dive log, turn off encryption (if it is still unlocked there), or enable encryption again with a new passphrase. Either one republishes the library from that device.
- Your other devices adopt the new library on their next sync — entering the new passphrase if you kept encryption on.
The only thing you lose is the old encrypted copy in the cloud, which was unreadable anyway. Your dives are safe.
For the technically curious: enabling encryption generates a random key for your library and wraps it with a key derived from your passphrase (and separately from your recovery code) using a slow, memory-hard key-derivation function. That wrapped key is stored in a small keyslot file in your sync folder; the passphrase and recovery code themselves are never stored anywhere. Every other file is sealed with AES-256-GCM, so tampering is detected as well as prevented. Changing your passphrase re-wraps the key without re-encrypting your whole library, which is why it's instant.
| Problem | What to try |
|---|---|
| A device shows an "Enter passphrase" banner and won't sync | Expected on a device that hasn't been unlocked yet. Tap the banner and enter your passphrase or recovery code. |
| "Incorrect passphrase or recovery code" | Re-check for typos. The recovery code ignores case, spaces, and hyphens, so those aren't the problem; a wrong or misremembered word is. |
| An older device stopped syncing after I enabled encryption | Update Submersion on that device to the latest version, then unlock it with your passphrase. |
| I forgot my passphrase and my recovery code | See Recovering from a Lost Passphrase above — your local dives are safe; re-publish from a device that still has them. |
| The Troubleshoot Sync screen shows "Locked" | Same as the banner: the library is encrypted and this device needs the passphrase. Tap the row to unlock. |
Getting Started
Logging Your Dives
Your Dive World
Diver & Gear
Insights & Planning
Setup & Data
Reference