Encryption

For highly sensitive content, tagd-ai offers end-to-end encryption. Content is encrypted on your device before upload and can only be decrypted by those with the key.

How Encryption Works

End-to-End Encryption

Content is encrypted on your device
Only encrypted data is transmitted and stored
tagd-ai servers cannot read your content
Only someone with the decryption key can view

What's Encrypted

All text content in the tag
File attachments
Image captions
Metadata (titles, descriptions)

What's Not Encrypted

QR code/short ID (needed for routing)
Tag existence (tagd-ai knows tags exist)
Access timestamps (who accessed when)

Setting Up Encryption

Enable on a Tag

Create or open a tag
Go to Settings → Security
Toggle End-to-End Encryption
Create an encryption key
Save the key securely - tagd-ai cannot recover it

Important

If you lose your encryption key, you lose access to the content. tagd-ai cannot help recover encrypted data.

Encryption Key Options

Password-based:

You create a memorable password
Key is derived from password
Easier to remember, slightly less secure

Generated key:

Random cryptographic key
Very secure
Must be stored safely

With Key Recipients

To share encrypted content:

Share the tag link as normal
Share the decryption key separately
Recipient enters key to view content

Key Distribution

Share keys securely:

In-person verbal communication
Encrypted messaging (Signal, WhatsApp)
Secure password manager sharing
Never email keys with links

Team Access

For team use:

Use a shared password the team knows
Or use a team password manager
Key management is your responsibility

Viewing Encrypted Content

As a Viewer

Open the encrypted tag
See "This content is encrypted" message
Enter the decryption key
Content is decrypted locally
You can now view the content

Session Persistence

After entering the key:

Content viewable for session
Key isn't stored permanently
Re-enter key after browser close
Each device needs key entry

Key Management

Storing Keys

Recommended storage:

Password manager (1Password, Bitwarden)
Encrypted notes application
Physical safe (for critical keys)
Split key storage for high security

Key Rotation

Periodically change encryption keys:

Decrypt the tag
Go to Settings → Security
Click Change Encryption Key
Enter new key
Content is re-encrypted
Distribute new key to authorized users

Multiple Keys (Pro)

For different access levels:

Master key: Full access
Limited keys: Specific sections
Time-limited keys: Expire after period

Technical Details

Algorithms Used

Encryption: AES-256-GCM
Key Derivation: PBKDF2 or Argon2id
Integrity: HMAC-SHA256

Client-Side Encryption

All encryption happens:

In your browser (JavaScript)
Before data leaves your device
Using Web Crypto API
With no server-side access

Zero-Knowledge

tagd-ai operates with zero knowledge of:

Your encryption keys
Your decrypted content
Who has access (beyond access logs)

Use Cases

Medical/Health Information

HIPAA-sensitive data:

Patient information
Medical records
Health data

Financial Information

Protect:

Banking details
Investment information
Tax documents

Legal Documents

Secure:

Contracts
Legal proceedings
Confidential communications

Personal Secrets

Store:

Passwords and credentials
Personal notes
Private information

Encryption vs Other Security

Comparison

Feature	Password Protection	Encryption
Server access	tagd-ai can read	Zero knowledge
Key recovery	tagd-ai can reset	Not possible
Performance	Instant	Slight delay
Use case	Casual privacy	Maximum security

When to Use Each

Use Password Protection:

Moderate sensitivity
Convenience important
Need password recovery option

Use Encryption:

Highly sensitive data
Compliance requirements (HIPAA, etc.)
Maximum security needed
Willing to manage keys

Combining with Other Security

Recommended Stack

For maximum security:

Two-factor authentication on account
End-to-end encryption on tag
Access logging enabled
Strong encryption key

Layered Access

Account (2FA required)
  └── Tag (Encrypted)
       └── Protected Fields (Password)

Limitations

What Encryption Can't Do

Protect against key compromise
Prevent screenshots after decryption
Stop authorized users from sharing
Recover data if key is lost

Performance Impact

Encrypted tags:

Slightly slower to open
Larger storage size (encrypted)
Client processing required
Mobile devices may be slower

Troubleshooting

Wrong Key Error

Check for typos
Verify correct tag
Ensure complete key entry
Key is case-sensitive

Can't Decrypt

Verify you have correct key
Check if key was changed
Try different browser
Contact person who shared key

Lost Encryption Key

If you've lost the key:

Check password managers
Check secure notes
Ask anyone who has access
Data may be unrecoverable

Recovery Prevention

Back Up Keys

Before encrypting:

Generate/create your key
Store in password manager
Create physical backup
Test that backup works

Test Decryption

After encrypting:

Log out of tagd-ai
Log back in
Try decrypting with backed-up key
Verify before adding sensitive content

How Encryption Works​

End-to-End Encryption​

What's Encrypted​

What's Not Encrypted​

Setting Up Encryption​

Enable on a Tag​

Encryption Key Options​

Sharing Encrypted Content​

With Key Recipients​

Key Distribution​

Team Access​

Viewing Encrypted Content​

As a Viewer​

Session Persistence​

Key Management​

Storing Keys​

Key Rotation​

Multiple Keys (Pro)​

Technical Details​

Algorithms Used​

Client-Side Encryption​

Zero-Knowledge​

Use Cases​

Medical/Health Information​

Financial Information​

Legal Documents​

Personal Secrets​

Encryption vs Other Security​

Comparison​

When to Use Each​

Combining with Other Security​

Recommended Stack​

Layered Access​

Limitations​

What Encryption Can't Do​

Performance Impact​

Troubleshooting​

Wrong Key Error​

Can't Decrypt​

Lost Encryption Key​

Recovery Prevention​

Back Up Keys​

Test Decryption​

Next Steps​