ZERO-KNOWLEDGE ENCRYPTION
Your prayers are encrypted with AES-256-GCM on your device using a key derived from your password via PBKDF2-SHA256 with 600,000 iterations. The key never leaves your device. Our servers only store ciphertext.
Your login password doubles as your encryption passphrase. One password to remember, zero extra steps. Change your password and your encryption keys are automatically re-wrapped.
Your password goes through PBKDF2-SHA256 with 600,000 iterations to produce a Master Encryption Key. This happens in your browser. The key never leaves your device.
Every journal entry is encrypted with a unique initialization vector (IV) using AES-256-GCM — the same standard used by banks and governments.
Our database contains encrypted blobs and initialization vectors. No keys, no decryption capability. Even if we're hacked, your prayers are safe.
Shared content like feeds and groups uses a different approach — container keys wrapped with RSA-OAEP.
Each user has an RSA keypair. The private key is encrypted with your MEK and stored on our server. Only you can unwrap it.
Each feed or group has its own AES key (the "container key"). Posts are encrypted with this key. The container key is wrapped with each member's RSA public key.
If a member loses access to old container keys, any member who still has them automatically re-wraps them for that member. Self-healing, zero admin intervention.
All content listed above is end-to-end encrypted. We store ciphertext only.
Your private prayers and shared community content use different encryption schemes — both are end-to-end encrypted.
Encrypted with your personal Master Encryption Key (AES-256-GCM). Derived from your password via PBKDF2-SHA256 with 600,000 iterations. Nobody can read this — not us, not your pastor, not anyone.
Includes: journal entries, answered prayer notes, reminder titles, tags, Bible Chat history
Encrypted with a per-feed or per-group container key (AES-256-GCM). The container key is wrapped with each member's RSA-OAEP public key. Members can read it — but we (the platform) cannot.
When you post to your church feed, you're choosing to share with your church. The content is encrypted with a key that members have, but The Praying App does not.
Features: eager key rotation for new members, key healing for lost keys, moderation decryption by pastors with container key access
The rule is simple: anything you write for yourself is encrypted with your key. Anything you share with a group is encrypted with a group key. You always choose. We never decide for you.
Since your password is your encryption passphrase, changing your password automatically re-wraps your encryption keys:
Your journal entries don't need re-encryption — they're encrypted with randomly generated per-entry keys that are wrapped with your RSA key. The RSA key re-wrap is all that's needed.
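As an added example (not The Praying App's own code), the following uses the browser Web Crypto API to show the chain described above: password to MEK via PBKDF2-SHA256 at 600,000 iterations, the MEK wrapping the RSA private key, RSA-OAEP wrapping a container key, and a password change that re-wraps only the private key. The per-record random salt, the `{ salt, iv, blob }` record layout, the 2048-bit modulus, all function names, and the sample passwords and post are assumptions made for the example.

```javascript
// Added example, not the app's code. Web Crypto API: browsers and Node 18+.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Password -> MEK with the page's parameters: PBKDF2-SHA256, 600,000 iterations.
async function deriveMek(password, salt) {
  const base = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Wrap the RSA private key under the MEK with a fresh salt and IV (assumed layout).
async function wrapPrivateKey(privateKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const mek = await deriveMek(password, salt);
  const blob = await wc.subtle.wrapKey('pkcs8', privateKey, mek, { name: 'AES-GCM', iv });
  return { salt, iv, blob }; // the only form of the private key the server stores
}

async function unwrapPrivateKey(rec, password, extractable = false) {
  const mek = await deriveMek(password, rec.salt);
  return wc.subtle.unwrapKey('pkcs8', rec.blob, mek, { name: 'AES-GCM', iv: rec.iv },
    { name: 'RSA-OAEP', hash: 'SHA-256' }, extractable, ['unwrapKey']);
}

// Password change: unwrap with the old password, re-wrap with the new one.
async function changePassword(rec, oldPw, newPw) {
  const priv = await unwrapPrivateKey(rec, oldPw, true); // extractable so it can be re-wrapped
  return wrapPrivateKey(priv, newPw);
}

// Constructed end-to-end run: the post and wrapped container key never change.
async function demo() {
  const kp = await wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['wrapKey', 'unwrapKey']);
  const container = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const wrappedContainer = await wc.subtle.wrapKey('raw', container, kp.publicKey, { name: 'RSA-OAEP' });
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, container, enc.encode('constructed sample post'));
  const rec = await changePassword(await wrapPrivateKey(kp.privateKey, 'old-password'), 'old-password', 'new-password');
  const priv = await unwrapPrivateKey(rec, 'new-password');
  const ck = await wc.subtle.unwrapKey('raw', wrappedContainer, priv, { name: 'RSA-OAEP' },
    { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, ck, ct);
  const oldStillWorks = await unwrapPrivateKey(rec, 'old-password').then(() => true, () => false);
  return { text: new TextDecoder().decode(pt), oldStillWorks };
}
```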
During onboarding, you download a Recovery Kit — a file containing your encryption key, encrypted with a separate recovery passphrase. Store it somewhere safe. Print it.
Family tier users can split their recovery key into 3 shares — any 2 can recover. Distribute among family members so no single person is a single point of failure.
Important
If you lose both your password AND your Recovery Kit, your encrypted data is permanently unrecoverable. This is a feature, not a bug — it proves the encryption is real. We cannot help you recover because we never had the key.
Our encryption library will be open-source. Anyone can audit the code, verify our claims, and confirm that your data is truly private.