Understanding End-to-End Encryption in PopaDex

Learn how PopaDex uses end-to-end encryption to protect your financial data and what it means for you.

End-to-End Encryption (E2EE) - User Guide

Your financial data is the most sensitive information you have. PopaDex uses end-to-end encryption (E2EE) to ensure that your account balances, transactions, and financial goals remain private - even from us.

What is E2EE?

End-to-end encryption means your data is encrypted on your device before it’s sent to our servers, and only you have the key to decrypt it.

How It Works (Simple Explanation)

Think of E2EE like a locked safe:

  1. You lock it: Your device encrypts your financial data using a key derived from your password
  2. We store it: PopaDex servers store the locked safe (encrypted data)
  3. Only you can unlock it: When you log in, your device uses your password to unlock the safe
  4. We never have the key: PopaDex cannot decrypt your data - we don’t have your password or encryption keys

This is fundamentally different from traditional apps like Mint, Emma, or Personal Capital, which can store your data in plain text on their servers.

Why It Matters

Traditional finance apps:

  • Store your data in readable format on their servers
  • Employees can potentially access your information
  • Data can be sold to advertisers or data brokers
  • If hacked, attackers get everything

PopaDex with E2EE:

  • Data is encrypted gibberish without your password
  • Nobody at PopaDex can see your balances or transactions
  • Cannot be sold (we can’t read it)
  • If hacked, attackers get useless encrypted data

The analogy: It’s like the difference between giving someone a sealed letter vs. a postcard. We only see the sealed envelope, never the contents.

What’s Encrypted vs Unencrypted

PopaDex uses E2EE selectively to balance privacy and functionality.

Encrypted (E2EE Protected)

These are encrypted on your device before being sent to PopaDex:

Financial Data:

  • ✅ Account balances and net worth
  • ✅ Account type (checking, savings, investment)
  • ✅ Transaction amounts
  • ✅ Transaction descriptions and notes
  • ✅ Account names and nicknames
  • ✅ Custom categories and tags

Goals & Planning:

  • ✅ FIRE targets and retirement age
  • ✅ Savings goals and progress
  • ✅ Budget allocations
  • ✅ All calculations and projections

Personal Notes:

  • ✅ Secure notes attached to accounts
  • ✅ Transaction memos
  • ✅ Custom reminders

Why these are encrypted: This is sensitive information that could reveal your financial situation, spending habits, and personal goals.

Not Encrypted (Plain Text)

These are stored unencrypted for functionality reasons:

Account Information:

  • ❌ Your email address (needed for login and communication)
  • ❌ Account creation date (system metadata)
  • ❌ Last login timestamp (security monitoring)

Transaction Metadata:

  • ❌ Transaction dates (not amounts or descriptions)
  • ❌ Currency codes (USD, EUR, GBP, etc.)

Connection Status:

  • ❌ Bank connection status (connected/disconnected)
  • ❌ Last sync timestamp
  • ❌ Connection errors (not account details)

Why these aren’t encrypted: We need access to this metadata to provide core functionality like login, error handling, and system maintenance. This data reveals very little about your financial situation.

Example of what we see:

User: [email protected]
Account 1: Connected, Last sync: 2025-10-06 14:32
Account 2: Connected, Last sync: 2025-10-06 09:15
Account 3: Manual, Currency: BTC
Financial Record count: 24 (dates and currency codes only)

What we DON’T see:

  • Which banks you use
  • Account balances
  • Transaction amounts or descriptions
  • Your net worth
  • Your spending patterns

How to Enable E2EE

E2EE is optional but strongly recommended. Here’s how to enable it:

Step-by-Step Setup

  1. Log into PopaDex
  2. Navigate to Settings → Security
  3. Find “End-to-End Encryption” section
  4. Click “Enable E2EE”

You’ll see a setup wizard:

Step 1: Confirm Your Password

  • Enter your current PopaDex password
  • This password will be used to derive your encryption key
  • Make sure it’s strong (12+ characters, mix of letters, numbers, symbols)

Step 2: Download Recovery Key ⚠️ CRITICAL STEP

  • A recovery key file downloads automatically (recovery-key-[timestamp].txt)
  • This is your ONLY backup if you forget your password
  • Without it, forgotten password = permanent data loss
  • See “Critical Recovery Key Warning” section below

Step 3: Store Recovery Key Securely

  • Follow the checklist to store your key in safe location(s)
  • Recommended: Password manager + physical backup
  • DO NOT SKIP THIS STEP

Step 4: Confirm Understanding

  • Check box: “I understand that PopaDex cannot recover my data if I lose both password and recovery key”
  • Re-enter password to confirm
  • Click “Enable Encryption”

Step 5: Encryption Process

  • PopaDex encrypts all your existing data (takes 10-60 seconds)
  • Progress bar shows encryption status
  • Don’t close browser window during this process

Step 6: Verification

  • Log out and log back in
  • Your data should appear normally
  • E2EE indicator shows “Encrypted” in dashboard

Done! Your data is now protected with end-to-end encryption.

What Happens After Enabling

Once E2EE is enabled:

Immediate changes:

  • All sensitive data encrypted on your device
  • Encryption indicator appears in dashboard
  • Recovery key required for password reset

Performance:

  • Encryption/decryption happens instantly (< 100ms)
  • No noticeable slowdown in app usage
  • Works on mobile and desktop

Session management:

  • E2EE session timeout: 15 minutes of inactivity
  • Full logout: 30 minutes of inactivity
  • See Session Locking Guide for details

⚠️ Critical Recovery Key Warning

This is the most important section. Read carefully.

The Fundamental Truth

If you forget your password AND lose your recovery key, your data is PERMANENTLY LOST. Forever. No exceptions.

This is not a limitation - it’s proof that our encryption is real. PopaDex employees, support staff, and engineers cannot help you. Your data is mathematically unrecoverable without your password or recovery key.

Why We Can’t Help You

Traditional apps can reset your password because they have access to your data. They decrypt it with their keys and re-encrypt it with your new password.

PopaDex with E2EE:

  • Your password → your encryption key
  • Your encryption key → decrypts your data
  • We never have your password or key
  • We physically cannot decrypt your data
  • We cannot “reset” anything without destroying your data

This is the price of true privacy. You get complete control and complete responsibility.

Where to Store Your Recovery Key

You need multiple secure storage locations. If one fails, you have backups.

Option 1: Password Manager (BEST)

Store in a password manager like:

  • 1Password
  • Bitwarden (open source)
  • LastPass
  • Dashlane
  • ProtonPass

Why this is best:

  • Encrypted storage
  • Synced across devices
  • Easy to find when needed
  • Can share with trusted family (optional)

How to store:

  1. Open password manager
  2. Create new secure note or document
  3. Paste recovery key
  4. Tag as “Critical - PopaDex Recovery”
  5. Add note: “Required to recover PopaDex account if password forgotten”

Option 2: Encrypted USB Drive

Physical backup stored securely:

Requirements:

  • USB drive encrypted with VeraCrypt, BitLocker, or similar
  • Stored in home safe or safe deposit box
  • Labeled clearly (but not what’s on it)

Setup:

  1. Encrypt USB drive
  2. Save recovery key file to drive
  3. Store drive in physical safe
  4. Test access periodically (annually)

Option 3: Printed Copy

Old-school but effective:

Steps:

  1. Print recovery key file
  2. Laminate to prevent water damage
  3. Store in multiple locations:
    • Home safe
    • Safe deposit box at bank
    • Trusted family member’s safe (optional)

Label: “PopaDex Recovery Key - DO NOT DISCARD”

Option 4: Split Storage

Most secure option - store different parts in different places:

  1. Save digital copy in password manager
  2. Print second copy, store in home safe
  3. Print third copy, store in safe deposit box

If any one location is compromised or lost, you have backups.

❌ NEVER Store Recovery Key In:

Dangerous locations:

  • ❌ Plain text file on desktop
  • ❌ Email (even encrypted email services like ProtonMail)
  • ❌ Cloud notes (Google Keep, Apple Notes, Notion)
  • ❌ Screenshots or photos (cloud-synced to Google Photos, iCloud)
  • ❌ Browser bookmarks
  • ❌ Unencrypted Google Drive, Dropbox, OneDrive
  • ❌ Physical note in wallet (can be lost/stolen)
  • ❌ Memorization only (humans forget)

Why these are dangerous:

  • Cloud services can be hacked
  • Email accounts compromised
  • Devices lost or stolen
  • Files accidentally deleted
  • Human memory fails

Testing Your Recovery Key

Don’t wait until you need it to find out your recovery key doesn’t work.

Test procedure (every 6-12 months):

  1. Verify you can locate recovery key in < 5 minutes
  2. Open file and confirm it’s readable
  3. (Optional) Go to PopaDex password reset page and verify format (don’t submit)

If you can’t find it or file is corrupted:

  1. Regenerate recovery key immediately (see below)
  2. Update all storage locations
  3. Test again

Emergency Access for Family

If you want trusted family to access your finances in an emergency:

Option 1: Shared recovery key

  • Store recovery key in password manager
  • Share specific item with spouse/partner
  • They can recover your account if something happens to you

Option 2: Dead man’s switch

  • Some password managers (1Password) support emergency access
  • Designated person requests access
  • After waiting period (e.g., 14 days), they get access
  • You can deny if you’re actually alive

Option 3: Traditional will

  • Include recovery key location in will
  • “My PopaDex recovery key is stored in home safe, combination XYZ”

Common Questions (FAQ Format)

Q: What happens if I forget my password?

A: If you have your recovery key, you can reset your password and maintain access to all your data.

Process:

  1. Go to login page → “Forgot Password”
  2. Click “I have my recovery key”
  3. Enter recovery key
  4. Create new password
  5. All data decrypted successfully ✅

Without recovery key: Data is permanently lost.

Q: Can PopaDex recover my data if I forget both password and recovery key?

A: No. Absolutely not. This is impossible by design.

We don’t have your password or encryption keys. Your data is encrypted with keys derived from your password. Without the password or recovery key, the data cannot be decrypted - not by us, not by anyone.

This isn’t a bug or limitation - it’s proof that our E2EE is real.

Q: Is E2EE slower than regular mode?

A: No. Encryption and decryption happen instantly (< 100ms) in your browser using WebCrypto API.

You won’t notice any performance difference during normal usage. The only time you’ll see a brief delay is during initial encryption setup (10-60 seconds to encrypt existing data).

Q: Can I disable E2EE?

A: Yes, but you’ll lose data privacy.

Disabling E2EE:

  1. Settings → Security → “Disable E2EE”
  2. Enter password to confirm
  3. Data decrypted and stored in plain text on servers

Warning: After disabling, PopaDex employees could theoretically access your data. We have policies against this, but the technical capability exists. Re-enabling E2EE restores privacy.

Q: What if PopaDex gets hacked?

A: Attackers only see encrypted data, which is useless without your password.

Scenario: Hacker gains full access to PopaDex servers.

What they get:

  • Encrypted blobs of data (meaningless without keys)
  • Email addresses
  • Connection status metadata
  • Transaction dates (not amounts)

What they DON’T get:

  • Account balances
  • Transaction amounts or descriptions
  • Your net worth or spending patterns
  • Anything actionable for identity theft

Your data remains safe because it’s encrypted with keys only you control.

Q: What encryption algorithms does PopaDex use?

A: Industry-standard, battle-tested cryptographic algorithms approved by security researchers and standards bodies:

Current Implementation:

  • Symmetric encryption: AES-256-GCM (NIST FIPS 197)
  • Key derivation (Primary): Argon2id (RFC 9106)
  • Key derivation (Fallback): PBKDF2-SHA256 (600,000 iterations, NIST SP 800-132)
  • Key wrapping: AES-KW (RFC 3394)
  • Random numbers: WebCrypto API CSPRNG
  • Hashing: SHA-256 (NIST FIPS 180-4)

Why Argon2id (Primary KDF)?

  • Winner of Password Hashing Competition (2015): Selected from dozens of candidates as the best password hashing algorithm
  • Memory-hard: Requires significant RAM (16-64 MB), making GPU/ASIC attacks extremely expensive and impractical
  • Side-channel resistant: Hybrid design protects against timing attacks
  • Modern standard: Recommended by OWASP, RFC 9106 standardized by IETF
  • Industry adoption: Used by 1Password, Bitwarden, Signal, and other security-focused applications

Server-Authoritative KDF Selection:

PopaDex automatically selects the best KDF for your device:

| KDF | When Used | Security Profile |
|---|---|---|
| Argon2id | Modern browsers (Chrome 90+, Firefox 88+, Safari 14+) | Desktop: 64 MB, 3 iterations; Balanced: 32 MB, 2 iterations; Mobile: 16 MB, 2 iterations |
| PBKDF2-SHA256 | Older browsers or when Argon2 unavailable | 600,000 iterations |

The Selection Process:

  1. Client self-test verifies Argon2 support
  2. Browser version and device type detected
  3. Server authoritatively selects appropriate KDF and profile
  4. Encryption proceeds with best available security

Why Keep PBKDF2 as Fallback?

  • Universal compatibility: Works on all browsers via WebCrypto API
  • Zero dependencies: No WASM or external libraries required
  • Proven security: NIST-approved, extensively audited
  • Backward compatibility: Supports legacy accounts and older devices

Migration Status:

  • ✅ New accounts (2025): Argon2id by default
  • ✅ Modern browsers: Argon2id automatically selected
  • ⏳ Legacy accounts: Gradual migration on next password change
  • ✅ Older devices: Automatic PBKDF2 fallback ensures compatibility

Full technical details: Security Whitepaper
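
How the primitives listed above can fit together in the browser, as an added example that is not PopaDex's code: a PBKDF2-SHA256 key wraps a random data key with AES-KW, and the data key encrypts one record with AES-256-GCM. The key hierarchy, the function names and the binding of the plain-text date and currency code as authenticated data are assumptions; the page does not describe PopaDex's actual layout.

```javascript
// Added illustration, not PopaDex code. Assumed layout: a password-derived key
// wraps a random data key (AES-KW); the data key encrypts records (AES-256-GCM).
const enc = new TextEncoder();
const dec = new TextDecoder();

// Works in browsers and in Node (dynamic import is the fallback for older Node).
async function webCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto
    : (await import('node:crypto')).webcrypto;
}

// PBKDF2-SHA256 with the iteration count quoted on the page.
async function deriveKek(password, salt) {
  const { subtle } = await webCrypto();
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Client side: returns only the fields a server would store.
async function sealRecord(password, record, meta) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const dataKey = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const wrappedKey = await c.subtle.wrapKey('raw', dataKey, await deriveKek(password, salt), 'AES-KW');
  // Plain-text metadata is bound as AAD: the server can read it but not alter it.
  const ciphertext = await c.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(JSON.stringify(meta)) },
    dataKey, enc.encode(JSON.stringify(record)));
  return { salt, iv, wrappedKey, ciphertext, meta };
}

// Client side after login: rejects if the password or any stored field is wrong.
async function openRecord(password, blob) {
  const { subtle } = await webCrypto();
  const kek = await deriveKek(password, blob.salt);
  const dataKey = await subtle.unwrapKey('raw', blob.wrappedKey, kek, 'AES-KW',
    { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
  const plain = await subtle.decrypt(
    { name: 'AES-GCM', iv: blob.iv, additionalData: enc.encode(JSON.stringify(blob.meta)) },
    dataKey, blob.ciphertext);
  return JSON.parse(dec.decode(plain));
}
```

A wrong password fails at the AES-KW unwrap step, and a changed date or currency code fails the GCM tag check, so neither case yields plaintext.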

Q: Can I use E2EE on mobile?

A: Yes. E2EE works identically on mobile browsers and will be supported in native apps (coming soon).

The encryption happens in JavaScript running in your browser, so it works on any device.

Q: How often do I need to re-enter my password?

A: Depends on your activity:

  • E2EE session timeout: 15 minutes of inactivity (just re-enter password, don’t lose data)
  • Full logout: 30 minutes of inactivity (must log in again)

Any interaction (clicking, scrolling, viewing pages) resets the timer.

See Session Locking Guide for details.

Q: What if I change my password?

A: No problem. PopaDex automatically re-encrypts your data with the new password.

Process:

  1. Settings → Security → “Change Password”
  2. Enter current password
  3. Enter new password
  4. System automatically:
    • Derives new encryption key from new password
    • Decrypts data with old key
    • Re-encrypts data with new key
    • Updates stored encrypted data

Your data remains accessible. However, your old recovery key may no longer work - generate a new one after changing passwords.


Questions? Email [email protected] or visit FAQs.


Your data. Your keys. Your control.


Last updated: October 06, 2025
