When signing up for Insomnia Sync, you gain access to end-to-end encrypted data sync. Simply sign into your account and your data will be there, seamlessly synced across all of your (and optionally your teams’) devices.
Insomnia believes that it is your right to know how your sensitive data is transported and handled, so this document is an effort to explain exactly how it works.
If you find that any part of this document is incorrect, missing, or wrong, please don’t hesitate to reach out.
This section gives a high level overview of Insomnia paid plans security. If you read anything in this document, it should be this section.
E2EE means that all encryption keys are generated locally, all encryption is performed before sending any data over the network, and all decryption is performed after receiving data from the network. At no point in the sync process can the Insomnia servers, or an intruder read or access sensitive application data.
Insomnia never sends unencrypted data or keys that can be used to decrypt data to the server. This means that neither Insomnia, network spies, or server hackers can gain access to your sensitive data. You can rest assured that your data is safe on your machine.
All data is encrypted using randomly generated 256 bit symmetric keys for use with AES-GCM-256 (Galois Counter Mode).
Losing your password means losing the ability to decrypt your account keys. If you lose your password there is no way to access your data, and there is nothing Insomnia can do to help apart from resetting your account. You can change your password but you need a copy of your old one to do so.
By default, resources within the application are fully encrypted before being sent to the server. However, both id and name of each resource are attached in plaintext before uploading.
Insomnia currently stores application data on disk in raw form. E2EE only applies to data that is transmitted over the network. It is still possible for malicious software to access the application data stored on your machine. Please take the usual precautions to keep your local data safe.
Here are definitions for the common things that will be talked about.
The following are data models we use.
||A user that can log in|
||An entity that can be synced (eg. Request, Workspace, etc.)|
||A group of M_Resource that can be shared as one|
||A relationship linking a M_Account to M_ResourceGroup|
The following are keys and salts we use.
||Public key for M_Account||Yes|
||Private key for M_Account||Yes 🔒|
||Symmetric key for M_Account||Yes 🔒|
||Symmetric Key for data encryption||No|
||Encrypted form of SYM_ResourceGroup||Yes 🔒|
||Salt for PBKDF2 of password for auth||Yes|
||Salt for SRP authentication process||Yes|
||Salt for PBKDF2 of password for encryption||Yes|
||Secret derived from password using SLT_Auth_1||No|
||Secret derived from password using SLT_Enc||No|
||Verification string used for SRP||Yes|
SYM_ResourceGroup are essentially the same thing, but are defined separately for the purpose of discussion. This will become clear later on.