Obsidian
Obsidian Help
Obsidian Sync
Collaborate on a shared vault
Frequently asked questions
Introduction to Obsidian Sync
Local and remote vaults
Migrate a Sync vault
Plans and storage limits
Security and privacy
Set up Obsidian Sync
Status icon and messages
Switch to Obsidian Sync
Sync settings and selective syncing
Troubleshoot Obsidian Sync
Version history
favicon
ICO
favicon-96x96
PNG
Help and support
Home
Live preview update
publish
JS
publish
CSS
index
Valid Internal Link

Security and privacy

Encryption

For your safety, Obsidian Sync encrypts your remote vault and all communication with Obsidian's servers.

When you create a new remote vault, you have two options:

  • End-to-end encryption (default) offers the strongest security but requires you to safely store your encryption password. This guarantees that no one — not even the Obsidian team — can access your notes.
  • Standard encryption uses an encryption key managed by Obsidian to protect your data in transit and on our server.

We recommend end-to-end encryption for all users as it is the most private and secure option. However, be aware that if you forget or lose your encryption password, your data remains encrypted and unusable forever. We're not able to recover your password, or any encrypted data for you.

Your choice only affects your remote vault. Obsidian doesn't encrypt your local vault.

What does end-to-end encryption mean?

End-to-end encryption means that the data is encrypted from the moment it leaves your device, and can only be decrypted using your encryption key once it's back on one of your devices.

We can't read your data. Neither can any potential eavesdroppers, such as your internet service provider.

In the rare case of a complete server breach, your data remains encrypted—no one can decrypt your files without knowing your password.

What are the risks of using standard encryption?

Standard encryption is fundamentally less secure than end-to-end encryption, but it can be a convenient option if you do not expect the data you are syncing to be completely private. For example, if your synced vault is published to a public website like this Help site, then end-to-end encryption is not necessary.

Standard encryption is the same method of encryption used by cloud storage companies and software-as-a-service platforms, such as Google Docs, Dropbox, and iCloud (without Advanced Data Protection). Your encryption key is generated by the app and used to protect your data in transit and on the server. Because the encryption key is stored on company servers, it can be used to decrypt your data, e.g. in a case where the company is subject to a search warrant, or in a case where you want to access your data via a web browser.

End-to-end encryption guarantees that Obsidian can never access your data and should always be used to sync data that you wish to remain completely private and secure.

What encryption do you use?

For data security, we implement industry-standard encryption protocols. Specifically, we use AES-256, the strongest encryption standard, widely employed in contexts such as online banking. The encryption process involves the following technical details:

Can I verify that my data is end-to-end encrypted?

Yes. See our guide, how to verify Obsidian Sync's end-to-end encryption. This guide provide step-by-step instructions for you to trustlessly verify the end-to-end encryption of your data when it is sent and received via Sync servers.

Has Obsidian completed a third-party security audit?

Yes. Obsidian has been independently audited. Visit our Security page to view audit reports. Regular audits by third-party security firms ensure that Obsidian code and procedures meet the highest security standards.

What happens if I forget my encryption password?

If you ever lose or forget the encryption password, you won't be able to connect additional vaults to your remote vault. Since the encryption password isn't saved anywhere, it's forever lost.

Your data, however, is usually safely stored locally on each of your devices.

To continue using Obsidian Sync, we suggest doing a full re-setup to be able to add new devices to your Sync system:

  1. Make a full vault backup on your primary device, just in case something goes wrong. This can be as simple as making a copy of the vault folder, or creating a zip file from the vault.
  2. Disconnect the remote vault in each of your devices. This can be done by going to Settings → Sync → Pick remote vault → Disconnect.
  3. Create a new remote vault on your primary device from the same Settings page. Optionally, you can delete the previous remote vault since you don't have the password for it anyway. (You may have to delete the previous remote vault if you are at the vault limit)
  4. Wait for your primary device to sync. Watch the sync indicator at the bottom right of the screen until it displays a green checkmark.
  5. Connect each of your device to the same newly created remote vault. When connecting, you will be shown a warning about vault merging, this is expected and you can proceed. Wait for each device to fully sync before moving onto the next. This reduces the chances of issues.
  6. Now all your devices should be connected to the new remote vault.

Hosting

Where do you host the servers for Obsidian Sync?

Our data centers, powered by DigitalOcean, provide geo-regional remote vault hosting options in the following locations:

Sync geo-regions

Automatic: Your data center is chosen based on your IP location.

Asia: Singapore
Europe: Frankfurt, Germany
North America: San Francisco, USA
Oceania: Sydney, Australia

Where can I find my current Sync server and where is it hosted?

To locate your Obsidian Sync server, follow these steps:

  1. Go to Settings → Sync → Copy Debug Info.
  2. Paste the copied information into a note or file.
  3. Look for a line similar to this: Host server: wss://sync-xx.obsidian.md

This line indicates the server where your remote vault is hosted. For more details on the server's locations and uptime, visit our status page.

Network and access

Managing access to Obsidian Sync on your network

To regulate access to Obsidian Sync on your network, you need to manage the following domains:

sync-xx.obsidian.md

The xx in this case represents a number ranging from 1 - 100.

If your firewall system supports it, we recommend whitelisting sync-*.obsidian.md to account for the continuous growth in subdomain numbers.
Table Of Contents
Security and privacy
Encryption
What does end-to-end encryption mean?
What are the risks of using standard encryption?
What encryption do you use?
Can I verify that my data is end-to-end encrypted?
Has Obsidian completed a third-party security audit?
What happens if I forget my encryption password?
Hosting
Where do you host the servers for Obsidian Sync?
Where can I find my current Sync server and where is it hosted?
Network and access
Managing access to Obsidian Sync on your network