Skip to content

Password & encryption

Zorite can encrypt your entire database with a password. This is real encryption at rest (SQLCipher, AES-256), not a cosmetic gate: without the password, the zorite.db file on disk is unreadable bytes.

Settings → Security → Set password… encrypts the database in place. From then on Zorite shows an unlock screen at launch; your notes, whiteboards, search index, and settings are all inside the encrypted file.

Change password… and Remove password… live in the same card — both ask for the current password first. Removing decrypts the file back to a plain SQLite database.

An encrypted database boots to a small unlock window. Type the password and press Enter (or the Unlock button); a wrong password clears the field and lets you retry. The window follows your saved theme when it can, and falls back to the default look — the theme settings live inside the lock too.

Checking Remember on this device (on the unlock screen or in Settings → Security) stores the password in the operating system’s credential store:

PlatformStoreLifetime
macOSKeychainuntil you turn it off
WindowsCredential Manageruntil you turn it off
Linuxkernel keyring (keyutils)until reboot/logout

With a remembered password Zorite unlocks itself at launch. Zorite only touches the credential store at all after you opt in, and turning the toggle off deletes the stored entry.

Settings → Security → Auto-lock locks Zorite after a period of inactivity (5 minutes to 1 hour), closing every window and returning to the unlock screen. Lock now does the same immediately. Re-unlocking after a lock always requires typing the password — the remembered credential is only consulted at launch.

  • The password itself: nowhere. SQLCipher derives the encryption key from your passphrase at each unlock (PBKDF2). The only copy that ever persists is the optional credential-store entry above, on your explicit opt-in.
  • While unlocked, the key lives in the app’s memory and is wiped when you lock or quit.
  • Earlier backups stay as they were. Pre-migration snapshots (zorite.db.bak-*) made before you set a password are still plaintext until you delete them; snapshots made after are encrypted like the main file.
  • Data location moves (Settings → General) copy the encrypted file as-is — the password travels with it.
  • Schema migrations on app updates run after unlock, inside the encrypted file, with the same pre-migration snapshot safety net.
  • A corrupt-file recovery flow can’t mistake an encrypted database for a damaged one — encryption is detected before any recovery is attempted.