by admford 4857 days ago
From the Evernote support pages:

What type of encryption does Evernote use?

If you encrypt text within a note, we derive a 64-bit RC2 key from your passphrase and use this to encrypt the text. This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval.

We do not receive any copy of the key or your passphrase, or any escrow mechanism to recover your encrypted data. I.e., if you forget your passphrase, we can't recover your data.

User authentication (i.e. username + password) is always performed over SSL when you communicate with Evernote. This uses 1024-2048 bit RSA keys and a symmetric session key that's negotiated between your client/browser and our server.

The data in user notes is also transferred via SSL.

Several of the company's founders come from a strong encryption background (founders of CoreStreet, recently acquired by ActivIdentity). For Evernote's consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow.

We'd be interested in offering something stronger in the future when we have the staffing to fight the lengthy export battle, but Premium users can currently use an external encryption solution to encrypt important files and then add these encrypted files into Evernote.

2 comments

That still doesn't tell you how the password is hashed though.
Can anyone tell me why they're using RC2 and not AES? Does the export restriction even disallow that? Seems a bit disingenuous if that is the case.