
Encryption Details

For users who want the technical specifics. If you just want to know whether your data is safe, Security Overview is enough.


Algorithm: AES-256-GCM

OMIMA uses AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) to encrypt all sensitive fields in every record.

Why AES-256-GCM:

  • Authenticated encryption (AEAD): Encrypts and verifies integrity in one operation. Tampered ciphertext fails to decrypt rather than returning corrupted data.
  • Industry standard: Used by US government agencies, financial institutions, and TLS
  • 256-bit key: No known practical attack exists

What's encrypted: The fields payload of every record — account names, passwords, ID numbers, policy numbers, all sensitive content

What's not encrypted: title, tags, recordType — kept in plaintext for search. A deliberate trade-off.
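
The field split and the AEAD behaviour described above, as an added example using the WebCrypto API available in Cloudflare Workers (this is not OMIMA's code). It goes one step beyond the page by binding the plaintext title, tags and recordType to the ciphertext as additional authenticated data, so that changes to the searchable fields are also detected. The record layout, the per-run key and that binding are assumptions.

```javascript
// Added example, not OMIMA's code. Record layout, key handling and AAD use are assumptions.
// Workers and browsers expose WebCrypto as globalThis.crypto; the fallback covers older Node.js.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

// In a Worker the key would come from a secret binding; here it is generated per run.
async function newKey() {
  return webcrypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Plaintext search fields, serialized so they can be authenticated alongside the ciphertext.
function aad(record) {
  return enc.encode(JSON.stringify([record.recordType, record.title, record.tags]));
}

async function sealRecord(key, { title, tags, recordType, fields }) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per encryption
  const meta = { title, tags, recordType };
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: aad(meta) }, key, enc.encode(JSON.stringify(fields)));
  return { ...meta, iv, ciphertext: new Uint8Array(ct) }; // ciphertext ends with the 16-byte tag
}

async function openRecord(key, stored) {
  // Rejects (OperationError) if the ciphertext, IV, tag or plaintext metadata was altered.
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: stored.iv, additionalData: aad(stored) }, key, stored.ciphertext);
  return { title: stored.title, tags: stored.tags, recordType: stored.recordType,
           fields: JSON.parse(dec.decode(pt)) };
}

// Constructed sample record; returns what each case produced.
async function demo() {
  const key = await newKey();
  const stored = await sealRecord(key, {
    title: "Example bank", tags: ["finance"], recordType: "login",
    fields: { account: "alice@example.com", password: "constructed-sample" },
  });
  const ok = await openRecord(key, stored);
  const flipped = { ...stored, ciphertext: Uint8Array.from(stored.ciphertext) };
  flipped.ciphertext[0] ^= 1; // single-bit change in the stored ciphertext
  const outcome = (p) => p.then(() => "decrypted", () => "rejected");
  const tampered = await outcome(openRecord(key, flipped));
  const retitled = await outcome(openRecord(key, { ...stored, title: "Other" }));
  return { ok, tampered, retitled, stored };
}
```
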


Key Management

Encryption keys are stored in Cloudflare Workers' isolated environment — not in the database. This means:

  • D1 database breached → attacker gets ciphertext only, key isn't there, can't decrypt
  • Keys and data are physically separated → attack surface is split

This is Server-Side Encryption (SSE) — the same model used by AWS S3 SSE and Google Cloud KMS. Keys are managed by OMIMA. An authenticated user request triggers decryption and returns plaintext.


Access Control Layer

Encryption is the first line of defense. Access control is the second:

Request reaches OMIMA API
    │
    ▼ Identity verification
    Valid session token / bot binding credential?
    │
    ├── No → Rejected, 401
    │
    └── Yes → Can only access data under that account
               Decrypt → return plaintext

Each account's data is fully isolated. An authentication token for one account cannot access another account's data.


Screenshot Assets

Before a screenshot is uploaded to Cloudflare R2:

  1. SHA-256 hash of image content is computed (for deduplication)
  2. Image is encrypted with a randomly generated key
  3. The encryption key is associated with the record and protected by access control

Technical Summary

Parameter | Value
Encryption algorithm | AES-256-GCM
Key length | 256 bits
Encryption model | Server-Side Encryption (SSE)
Key storage | Cloudflare Workers isolated environment; keys isolated from database
Authentication layer | Account token + bot account binding
Database | Cloudflare D1 (ciphertext only)
Asset storage | Cloudflare R2 (encrypted)