Both your structured data and your audio recordings are encrypted at rest, with a single key tied to your operating system user account. Here's the actual mechanism.
The database
All your structured data — patients, sessions, transcripts, notes, settings — lives in a single SQLite database file inside Confidant's data folder.
That file is encrypted using SQLCipher, an extension to SQLite that applies AES-256 in CBC mode to every page of the database. SQLCipher is widely used in apps that handle sensitive data on disk.
If someone copies the database file off your machine — say, by plugging in an external drive and grabbing it — they get a file full of unreadable encrypted bytes.
Audio recordings
Audio files captured during sessions are also encrypted at rest, using AES-256-GCM. After a recording stops, the file is encrypted in-place. The encrypted format starts with an 8-byte marker, a 12-byte randomly-generated nonce, and the ciphertext with an authentication tag. There's never an unencrypted audio file at rest after recording finishes.
When the file needs to be used (replay, re-transcribe), Confidant decrypts it to a temporary file, uses it, and removes the temporary copy.
Where the key lives
A single 256-bit (32-byte) random key encrypts both the database and the audio files. It's generated at first launch and stored in a file named .dbkey inside Confidant's data folder, with file permissions restricted to your user account only (0600 on Unix — owner read/write, no access for any other user).
This is intentionally simpler than using the OS keychain:
Both the database and the key live under the same OS-level access boundary — your user account
A copy of the database file alone (without
.dbkey) is unreadableA copy of
.dbkeyalone (without the encrypted database) is also uselessAn attacker would need access to your unlocked OS user account to read both — at which point they have everything else on your machine anyway
The trade-off vs OS keychain storage: keychain offers slightly stronger isolation against same-user processes, but in exchange the key isn't portable, requires extra access prompts, and complicates backup. The single-file model gives the same effective protection against the threats Confidant is built to defend against (network exfiltration, disk theft, multi-user machines).
What an attacker would need
To read your Confidant data, someone would need:
The Confidant data folder (database +
.dbkey+ encrypted audio)Permission to read those files — which on a properly-configured machine means access to your unlocked OS user account
If your Mac or PC is locked, FileVault / BitLocker is on, or your machine is off, none of that is possible. If someone has access to your unlocked user account, they have access to everything else on your machine too — your email, your browser, your iCloud — so encrypted Confidant data isn't the bottleneck.
What this means for backups
Both the encrypted database and the .dbkey file are just files in the data folder. A normal Time Machine or Windows Backup restore brings them back together, and you're up and running. No special keychain dance required.
See Backing up your Confidant data for specifics.
What happens if I lose the data folder?
The data is unrecoverable. We don't have a copy. The encryption key was never on our servers; nothing was on our servers. This is the trade-off of the local-only design — your privacy comes with the responsibility of backing up.
