Your spots, your keys: how Submarius encrypts your dive log
A good spot took you years to find. Marks, coordinates, dive conditions, what came off of it — this is the kind of data you don’t share casually, and it’s the kind of data every spearo, captain, and diver has worried about handing to an app.
Submarius stores your spots on our servers so you can sync across your phone and tablet and a replacement phone six months from now — but we wrote the encryption so we literally cannot read any of it. Not by choice; by design. A subpoena, a breach, or a rogue engineer couldn’t turn your coordinates into plaintext without your device and your key.
This post is the plain-English version of what we do and why. If you want the byte-level spec, there’s an in-app page at Menu → Privacy → “See exactly what we store” that covers the envelope format and key derivation for anyone who wants to verify the claims.
What gets encrypted
Anything you create that’s personal:
- Saved spots — names, coordinates, notes, categories
- GPS tracks — every timestamp, position, speed, and heading
- Offline areas you’ve downloaded
- Catch log entries, species notes, dive plans
What stays plaintext is only the bare account metadata we need to serve the app at all: your email, your username, your subscription state. That’s it.
The one rule
If we claimed “we can’t read your data” while deriving the encryption key from your login password, the claim would be false — your password passes through our servers during login, and we could in principle log it and derive the key.
So the encryption key never touches our servers. It’s generated once on your device (32 random bytes from the operating system), stored in the device’s secure keystore (iOS Keychain with iCloud sync, Android’s EncryptedSharedPreferences with Google Password Manager sync), and used locally to seal every backup before it leaves your hardware.
What the server sees
For every backup category (spots, tracks, offline areas):
- A row with your user id
- A category name (“spots”, “tracks:…”)
- A one-way fingerprint of your master key (useless for decrypting, in the same way a password hash is useless for recovering the password)
- Opaque encrypted bytes — no structure visible, just noise
- Size and timestamps
That’s it. We can tell that user X has 23 KB of encrypted spots updated two minutes ago. We cannot tell where those spots are, what they’re named, or how many of them there are.
The crypto, without the jargon
Three primitives, all from libsodium:
- XChaCha20-Poly1305 for encrypting + authenticating each payload. Authenticated means a tampered ciphertext won’t decrypt as garbage — it’ll fail loudly, so a hostile server can’t substitute plausible-looking fake data.
- BLAKE2b keyed-hashing to derive a per-category key from your master key. Your “spots” key and your “tracks” key are mathematically unrelated; a compromise of one doesn’t touch the other.
- Bech32 checksum on the recovery code so a single typo is caught immediately, not silently.
The envelope layout is publicly documented:
```text
offset  length  field
0       1       version byte
1       24      random nonce
25      N       ciphertext || AEAD tag
```
Any developer with the master key can decrypt it with a standard libsodium-compatible tool; we don’t use any proprietary format that locks you to us.
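To make the layout and the per-category keys concrete, here is an added example (not Submarius's own code) that splits a blob into the fields listed above and derives a category key with keyed BLAKE2b. The version value 1, the exact derivation input (the category name as the hashed message) and all function names are assumptions, and the sample blob is constructed from random bytes.

```python
import hashlib
import os
from typing import NamedTuple

NONCE_LEN = 24        # XChaCha20 nonce, per the layout above
TAG_LEN = 16          # Poly1305 tag appended to the ciphertext
ASSUMED_VERSION = 1   # assumption: the post does not state the version value

class Envelope(NamedTuple):
    version: int
    nonce: bytes
    sealed: bytes        # ciphertext || AEAD tag
    payload_len: int     # stream cipher: ciphertext is as long as the sealed payload

def parse_envelope(blob: bytes) -> Envelope:
    """Split a backup blob into its fields, rejecting malformed input early."""
    if len(blob) < 1 + NONCE_LEN + TAG_LEN:
        raise ValueError("too short to hold version, nonce and tag")
    if blob[0] != ASSUMED_VERSION:
        raise ValueError(f"unsupported envelope version {blob[0]}")
    sealed = blob[1 + NONCE_LEN:]
    return Envelope(blob[0], blob[1:1 + NONCE_LEN], sealed, len(sealed) - TAG_LEN)

def derive_category_key(master_key: bytes, category: str) -> bytes:
    """Keyed BLAKE2b over the category name (assumed construction)."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    return hashlib.blake2b(category.encode("utf-8"), key=master_key,
                           digest_size=32).digest()

def constructed_blob(payload_len: int) -> bytes:
    """Constructed sample: random bytes standing in for real ciphertext."""
    return bytes([ASSUMED_VERSION]) + os.urandom(NONCE_LEN + payload_len + TAG_LEN)

if __name__ == "__main__":
    master = os.urandom(32)                      # constructed master key
    env = parse_envelope(constructed_blob(100))
    key = derive_category_key(master, "spots")
    # With libsodium, env.sealed, env.nonce and key are the inputs to
    # crypto_aead_xchacha20poly1305_ietf_decrypt (no additional data assumed).
    print(env.version, len(env.nonce), env.payload_len, key.hex()[:16])
```

Anything shorter than 41 bytes cannot hold a version byte, a nonce and a tag, so the parser rejects it before any key material is touched.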
What happens if you…
Lose your phone. Sign in on a new device. If you’re still signed into the same iCloud or Google account, your master key arrived there through the keystore sync already; data rehydrates automatically.
Switch from iPhone to Android. iCloud Keychain doesn’t cross the fence. Export a recovery code from the old phone first (Menu → Privacy → “View code”), paste it on the new one. A recovery code is one bech32 line like smr1qf8a7pehka… — copy it straight into 1Password or similar.
Lose your phone AND forget your recovery code AND lose every other device signed into your cloud account. Your data is permanently unreadable. We can’t recover it because we never had the ability to. That’s the entire trade — total privacy, at the cost of you being the only possible point of recovery. Save the recovery code somewhere.
Get subpoenaed. Apple and Google could be compelled to hand over your cloud-synced keychain under the right legal process. Submarius specifically can’t, because we don’t have the key. If you’re a journalist or someone whose threat model includes state-level actors, use the recovery code as your sole key and decline the cloud sync.
Delete your account. Our server wipes the ciphertext rows immediately via ON DELETE CASCADE. Your master key on your local device stays put — useless without the server-side blobs, harmless in place.
The honest footnote
Metadata still leaks. We know when you backed up, how big your backup is, and what categories (spots / tracks / areas) you use. We don’t know the contents. For most users this is an acceptable trade — the app needs to know you exist to serve you Pro features, and the sizes + timestamps are what let us tell you “your backup is 47 KB, last synced 8 minutes ago” on the settings screen. For users who need stronger metadata privacy, GPX export is in the app too — download everything as a plaintext file you control and never sync again.
We’re not trying to be the encryption-maxing app for dissidents. We’re trying to be the marine app that earns the trust of someone who’s spent a decade mapping every ledge and wreck from Key West to Montauk. Our mental posture is: your spots are a trade secret, not a social feature. Treat them like one.
The full technical spec is in the app. The code is open to inspection in our upcoming open-source crypto module. Ask any question you like — we’ll answer plainly, including to say “we don’t know.” That’s the whole point.