# How Tempest Protects Your Privacy

Tempest is built on **zero-knowledge end-to-end encryption (E2EE)**. Your SSH keys, passwords, snippets, and connection metadata are encrypted on your device *before* anything is uploaded for cloud sync — meaning we couldn't read them even if compelled to. This is the same security model that 1Password, Bitwarden, and Signal use.

## What that means in practice

* **You** hold the only key that can decrypt your data — your **vault password**, which never leaves your device.
* **Tempest's servers** see only ciphertext. We sync it between your devices but cannot read it.
* If you forget your vault password, **your data is unrecoverable**. We don't have a backdoor and we can't make one. See [Reset Your Tempest Password](/account-and-privacy/resetting-password.md).

## The cryptography

| Layer                    | Algorithm                                         | Purpose                                                                |
| ------------------------ | ------------------------------------------------- | ---------------------------------------------------------------------- |
| Key derivation           | **BLAKE2b**                                       | Stretches your vault password into a symmetric key                     |
| Symmetric encryption     | **xsalsa20poly1305** (authenticated encryption)   | Encrypts each record before sync                                       |
| Transport                | **TLS 1.3**                                       | Protects the wire between your device and Tempest sync servers         |
| Sync conflict resolution | **Multi-master replication** over encrypted blobs | Lets multiple devices stay in sync without the server seeing plaintext |

The crypto layer will be open-sourced so anyone can audit it.

## What is *not* encrypted

A small amount of operational metadata is necessarily plaintext on our servers:

* Your sync account email (so we can sign you in)
* Document IDs and revision counters (so the sync engine can replicate)
* Approximate document sizes (so we can enforce limits)

We never see hostnames, usernames, passwords, key contents, snippet text, or any other connection detail.

## What about [Tempest Monitoring](/productivity/tempest-monitoring.md)?

Monitoring data is parsed locally inside your Tempest tab and is **never sent anywhere** — not even to your other devices via sync. It's a render-only feature.

## What about [Tempest AI Assistant](/productivity/tempest-ai-assistant.md)?

AI requests are sent to the model provider you've configured (OpenAI, Anthropic, Google, or your self-hosted endpoint). Tempest acts as a transport — we don't proxy or log the requests. You can also point Tempest at a fully local model.

## See also

* [Reset Your Tempest Password](/account-and-privacy/resetting-password.md) — sync vs. vault passwords explained
* [SSH Cert Storage](/connect-to-servers/ssh-client-for-teleport-cloudflare-access-aws-ssm-gcp-iap-and-tailscale.md#how-tempests-ssh-cert-support-works) — short-lived certs are stored as paths, not contents, when possible

