Security you can verify

Symbol offers end-to-end encryption as an opt-in feature, available through the mobile and desktop apps. When enabled, each capsule is encrypted locally with a unique 256-bit content encryption key (CEK) before it reaches Symbol's servers. CEKs are wrapped with your master key using AES-256-GCM, so only you can decrypt them. Titles, content, and metadata are all encrypted. Symbol receives only ciphertext.

Your passphrase is never used directly as a key. It is processed through Argon2id (m=64 MB, t=3, p=4) to derive the key that protects your master key. Argon2id is memory-hard and CPU-hard simultaneously, making it significantly more resistant to GPU and ASIC brute-force attacks than PBKDF2. It won the Password Hashing Competition in 2015 and is recommended by OWASP.

When you link a new device with E2EE enabled, your master key is transferred via an ephemeral X25519 (Curve25519) key exchange. Both devices generate a temporary key pair, derive a shared secret using Elliptic Curve Diffie-Hellman, then use HKDF-SHA256 to derive a one-time AES key that encrypts the transfer. The shared secret is never stored or transmitted. Private keys are discarded immediately after the session completes.

When end-to-end encryption is active, all encryption and decryption happens on your device. Symbol's servers receive only ciphertext. We have no technical ability to decrypt E2EE-protected capsules, produce your keys, or hand over your plaintext data, because we do not have it. In the event of a full server breach, encrypted capsules would remain computationally infeasible to decrypt without your passphrase.

When E2EE is enabled, each user has a persistent X25519 key pair. Sharing an encrypted capsule with an organization wraps the content key to each member's public key individually, the same model used by Proton Pass for vault sharing. Revoking access requires only re-wrapping the key for the remaining members. A user's private key is stored encrypted with their master key and never leaves their devices in plaintext.

Symbol's crypto layer is designed for algorithm agility. Every encrypted value carries a version identifier, and key metadata records which algorithm suite was used, so algorithms can be upgraded without re-encrypting existing data. The symmetric AES-256-GCM layer already provides 128-bit post-quantum security against Grover's algorithm. As the ecosystem around ML-KEM (Kyber) and ML-DSA (Dilithium), standardised by NIST in 2024, matures, Symbol is designed to adopt them for the asymmetric layer with a version bump, not a rewrite.

Add an extra layer of protection to your account with two-factor authentication. Once enabled, signing in requires both your password and a second verification step, significantly reducing the risk of unauthorized access even if your password is compromised.