Apps to Fully Encrypt Your Digital Life

Leverage end-to-end encryption and zero-trust software to protect your privacy and security.

Photo by Kaffeebart on Unsplash

Last updated: 3/17/22

Cloud-hosted applications and services advertising easy, reliable end-to-end encryption (E2EE) to everyday users used to be a rarity. A few years ago we might have been forced to make a hard choice between convenience and data privacy, but today there is a growing list of commercial offerings to choose from that offer both.

If this is your first time hearing of E2EE as a software feature, read on to discover a full list of secure alternatives to Dropbox, Evernote, Google Docs, Facebook Messenger, TickTick, and more of your favorites. If you’re already aware of E2EE, you might still discover a few services on this list that are new to you.

Here is a quick outline of the categories and apps we’ll cover:

1. Files and photos (Tresorit, MEGA)
2. Documents and spreadsheets (Skiff, CryptPad)
3. Notes and web clippings (Notesnook, Joplin, Standard Notes)
4. Tools for thought (Roam Research, Reflect, Obsidian)
5. Planners and journals (Lunatask, Organizedly, acreom)
6. Email and instant messaging (ProtonMail, Signal)
7. Passwords and secrets (1Password, Bitwarden, LastPass)

What “end-to-end” encryption means

Nearly every consumer software service offers a base level of security and privacy through one or both of the following standard encryption techniques:

• Encryption during transit or “over the wire” from your web browser to the application server (via TLS/SSL).
• Encryption “at rest” in the database of the application server (via AES or another symmetric encryption algorithm).

While #1 is ubiquitous, #2 is less common. Even when user data is encrypted “at rest,” it still needs to be decrypted in main memory in order for the server to perform basic processing on that data in response to user operations (for example, searches).

Much rarer is the third form of encryption:

• Encryption throughout the entire “round trip” from client to server, at rest in the database, and back to client again (via private/public asymmetric cryptography, RSA, and key derivation).

Only #3 is considered true “end-to-end” encryption. It’s referred to as an example of “zero trust” policy, because under no circumstances — minus a few malicious actor scenarios — can the service provider read your data, or anyone else for that matter.

All the encryption and decryption takes place on your own device, with your password never leaving the local machine. Each time synchronization happens, it’s as if you dropped a letter written in a very secure, unbreakable code into the mailbox and addressed the envelope to yourself. No one at the postal service would have a clue as to the contents of the letter, much like the service providers explored in the rest of this article aren’t able to read your data, even if they wanted to.

Files and photos

When it comes to synchronizing your files and photo albums between devices, there are two alternative options to choose from that can replace your regular Dropbox, Google Drive, Microsoft OneDrive, iCloud, etc. variety of cloud hosting services.

Those two alternatives worth knowing about are: Tresorit and MEGA.

Tresorit landing page.

Tresorit for individuals offers end-to-end encrypted storage, up to 2 devices on the free plan, a 3GB upload ceiling, and limited file sharing. The paid plans (“Premium” or “Solo”) offer more devices and higher storage capacity than the unpaid plan, and they unlock a count-limited file version history. Mobile apps to access your files on the go are available on all platforms, plus there are dedicated plug-ins for Outlook and Gmail.

Tresorit uses Microsoft Azure on the backend for cloud storage and synchronization, but as explained in the introduction above, the servers are physically incapable of decrypting user data because they don’t have access to the user’s encryption keys.

MEGA landing page.

MEGA offers more individual plans than Tresorit does, with four levels of “professional” upgrades: Pro Lite, Pro I, Pro II, and Pro III starting at $5.63/month for a Lite subscription that buys you 400GB of storage. The free version starts with 20GB capacity.

The secure cloud storage service also offers a suite of tools beyond just file hosting and synchronization, including: secure file transfer, secure chat, and mobile photo backup, all of which utilize end-to-end encryption.

Documents and spreadsheets

Skiff is a polished, fully-encrypted alternative to the likes of Google Docs, Quip, and Microsoft Office. It goes above and beyond E2EE in being one of the few apps on this list to offer the advanced option of using IPFS for data storage, which is a decentralized network of servers that don’t rely on any single cloud provider (including Skiff’s).

Skiff is free to sign up for and use with up to 1GB of personal storage, permitting a max attachment size of 30MB per file.

CryptPad is an open-source, collaborative web document editor that’s hosted and maintained by the French company XWiki. The product has been around quite a bit longer than Skiff has, and has even been the recipient of public funding grants.

I find CryptPad’s application interface a bit slow to load (everything has to be decrypted, after all), and the app’s design feels dated and underwhelming — reminiscent of earlier iterations of Microsoft Office Online’s blocky, geometric UI.

Nonetheless I’m still impressed at the level of functionality that’s available beyond basic documents and spreadsheets here, including Kanban, Whiteboards, and Forms — all built in a privacy- and security-first manner.

The paid version of CryptPad is 5£ per month, but the “registered” version is free and gives you 1GB of storage with a 25MB cap on the attachment size.

Notes and web clippings

Notesnook is a newer, high-quality application for taking notes in a familiar interface that’s built from the ground up with end-to-end encryption.

The Notesnook landing page.

Notesnook has a traditional look-and-feel, which isn’t to say that it’s not polished — it is. The pace of development is quite rapid, with the developer pushing out significant updates every few weeks.

While your notes are private by default, you have the option with Notesnook to publish single notes to the world as “monographs.” There is an interesting organizational affordance called “topics” which feel a bit like sections or groupings within notebooks, but otherwise notebooks and tags are the norm.

The Joplin homepage.

Rounding out the category are Joplin and Standard Notes, both of which note-taking fans will likely be aware of. Joplin is known better for being an open-source alternative to Evernote with optional support for E2EE.

Standard Notes is somewhat of a classic in the “encrypted notes” niche, with privacy having been its leading feature from day one. Standard Notes also features high degree of customizability, which while great for a power user, will be less approachable for others.

Tools for thought

Among the “new breed” of interconnected, outliner-style note-taking apps, both Roam Research and one of its lookalikes, Reflect, both support end-to-end encrypted note “graphs.”

Screenshot of Reflect.app (from reflectchangelog.substack.com).

Alternative contemporary note-taking app Obsidian is also very popular in the Personal Knowledge Management (PKM) space. It provides encrypted sync between desktop and mobile, albeit with a price tag of $10 per month.

Planners and journals

This category focuses on hybrid class of applications that combines note-taking with a host of integrated activity features: projects, tasks, todos, reminders, and more.

Lunatask is an alternative on-par with personal task managers like TickTick and Todoist, yet offering end-to-end encryption as a core feature.

The Lunatask landing page.

Available on Mac, Windows, and Linux desktop, iOS and Android apps for Lunatask haven’t been released yet but are in early closed beta. In the meanwhile the developer provides a lightweight “Quick Add” feature useable from a mobile browser to add tasks and notes on the go.

Besides tasks and projects, Lunatask also supports habit tracking, notebooks, and journal entries. There is a built-in Pomodoro timer. The free plan is enough to get started, while for $6/month, you can upgrade to Pro to unlock more features like built-in workflows and calendar integrations.

Organizedly offers a similar feature set to Lunatask, but with more emphasis on “connected” note-taking features.

Organizedly is similar to Lunatask, but with more “connected” note-taking features.

Made in Amsterdam, Organizedly sports external calendar integration with Google or Microsoft accounts, drag-and-drop task scheduling, and a neat visualization of related notes to the current note. It reminds me of competitors Amplenote and Mem.ai, but with end-to-end encryption as a paid feature. A pro license of Organizedly costs 9£ per month.

acreom is similar to Organizedly, but its emphasis is on compatibility with local Markdown files. Only Google Calendar integration is supported at the time of this writing, and E2EE will cost you $6.25/month.

The acreom landing page.

Last but not least, Apple fans will be aware of Day One, which is an end-to-end encrypted journaling application for native macOS, iPadOS, iOS, and watchOS. The developers have stated that a web application is in the works, though the delivery is likely a year or more into the future.

Email and instant messaging

ProtonMail is an email provider which is capable of sending end-to-end encrypted communications using the GPG standard. Most email clients can be configured to use GPG, but the client usually needs to be configured manually by the end user. ProtonMail makes the configuration process unnecessary.

The ProtonMail landing page.

The de-facto standard in secure instant messaging is Signal. It’s purportedly used by whistleblowers like Edward Snowden and by journalists interviewing sensitive sources, which lends a degree of credibility to its trustworthiness.

The Signal landing page.

Signal is free to download for mobile and desktop and appears to be supported by donations.

Passwords and secrets

It may seem obvious to include password managers in this article, but it’s easy to overlook them by taking for granted the fact that they must implement E2EE in order to adequately protect your valuables: things like saved passwords, software licenses, personal documents, and sensitive notes.

1Password is an excellent cross-platform option for password management. If you prefer another alternative, Bitwarden and Lastpass are worth a look.

The 1Password landing page.

Things to consider

Before you decide to go all-in on E2EE services, please take a moment to consider these points:

1. End-to-end encryption is not 100% foolproof. It is still possible for malicious actors to compromise your data if they have access to your physical machine (and thus your encryption keys), or if your machine has been compromised by malware.
2. There is no “forgot my password.” If you forget your password, then you will lose your data permanently, with no chance to recover it.
3. Beware of unencrypted backups. If you diligently use E2EE software but then make unencrypted backups which are then synchronized to another storage device or uploaded to the cloud, then your data is only as secure as the weakest link.
4. Encryption can lead to a poor user experience. While hardware performance continues to get better, E2EE apps by definition have to do a significant extra amount of processing, and use extra memory/RAM to hold the unencrypted contents. By using encryption, the apps are limited in the kinds of optimizations that they can make. Be prepared to sacrifice some degree of smoothness for the sake of privacy.
5. There is still a non-zero amount of trust required. You must trust that the developers of the software have implemented encryption properly by avoiding insecure algorithms and key lengths, by not leaking data accidentally, by keeping encryption libraries up-to-date with vulnerability patches, and so forth. Encryption can further be weakened by the use of insecure pseudo random-number generators (PRNGs). The PRNG used depends on the underlying platform, and so it may not be immediately obvious to a developer that isn’t paying close attention.
6. Main content and attachments may be handled differently. If you use an application that advertises E2EE and also supports uploading attachments (e.g. images, files, and other binary data), check whether the attachments themselves are also encrypted vs. only the main content.
7. Encryption is not legal to use everywhere. Taking encryption across the border, depending on where you’re traveling to, can get you in trouble with the authorities. Some border enforcement agencies will force you to unlock your phone at the border and guards may search your device for various reasons. Make sure to be familiar with encryption law before leaving the country, and consider just leaving your personal devices at home if you can.

Conclusion

Adopt encryption into your digital system judiciously, gradually, and only when needed. Consider layering on filesystem encryption to a standard cloud file hosting provider (like Dropbox, etc.) with a solution like Boxcryptor, encrypting only the subset of files that are most sensitive, rather than switching wholesale to an E2EE cloud provider.

When you do adopt encryption, recognize its limitations. E2EE is a valuable tool for maintaining privacy and security, but it is not infallible. With these caveats in mind, you’re better equipped to leverage the tools with confidence if and when you need them.