Browser-side decryption keeps protected entries visible only after unlock.
Trackself uses a zero-knowledge encryption design to protect your time tracking data. This means the server never has access to the plaintext content of your time entries — all encryption and decryption happens in your browser or desktop app.
This page explains how the system works at a conceptual level. For practical steps to manage your keys, see Access Setup.
Core Principles
- Your data is encrypted before it leaves your device. Time entry titles, descriptions, and categories are encrypted client-side before being sent to the server.
- The server stores only encrypted data. The Trackself server never sees or stores plaintext content. It stores encrypted blobs that are meaningless without the correct keys.
- Keys are protected by your access credentials. Your encryption keys are wrapped (encrypted) using your access code, password, or device PIN. The server stores only these wrapped versions — never the raw keys.
- Decryption happens in your browser. When you view the portal, your browser decrypts data locally using keys you unlock with your credentials.
Key Types
Personal Access (UMK)
Your User Master Key is a per-user encryption key. It is the foundation of your personal data security.
- Created during onboarding or on the Access Setup page.
- Protected by one or more wraps: encrypted copies of the key, each sealed with a different method (access code, access password, device PIN, passkey, or X25519 keypair).
- The server stores only the wrapped versions. The plaintext key exists only in your browser's memory while unlocked.
Team Access (TK)
The Team Key is a per-workspace encryption key that allows team members to decrypt each other's entries within the workspace.
- Created by a workspace admin.
- Each team member receives a personal wrap of the TK, sealed to their UMK public key.
- Unlocking your UMK automatically derives the TK if a matching wrap exists.
- This means each member independently unlocks Team Access using their own personal credentials — no shared passwords needed.
How Encryption Works in Practice
Time Entries
When the desktop app records a time entry:
- The entry content (title, description, category) is encrypted using the appropriate key (personal or team).
- The encrypted blob is synced to the server.
- When you view the entry in the portal, your browser decrypts it using the unlocked key.
- If your keys are locked, the entry displays as "Protected content".
Timesheets
When a timesheet is submitted:
- An immutable snapshot of the selected time entries is created.
- The snapshot is encrypted and stored on the server.
- Reviewers decrypt the snapshot client-side using their unlocked Team Access key.
- Changes to live data after submission do not affect the approved snapshot.
Shared Timesheets
When a timesheet is shared via a link:
- A temporary random encryption key is generated in the reviewer's browser.
- The timesheet snapshot is encrypted with this temporary key.
- The key is embedded in the URL fragment (the part after
#). - The URL fragment is never sent to the server — it stays in the browser.
- The recipient's browser extracts the key from the URL and decrypts the snapshot locally.
This means the server facilitates the share but never has access to the shared content.
Browser Key Storage
For convenience, you can store a PIN-protected device key in your browser:
- Your access key is encrypted with a PIN you choose and stored in the browser's IndexedDB.
- Next time you visit, you can unlock with just the PIN instead of your full access code.
- This storage is device-specific — it only works on the browser where it was saved.
- You can clear it at any time from the Access Setup page using "Forget this browser".
What This Means For You
- If you lose your access code and all access methods, your encrypted data cannot be recovered. There is no "forgot password" reset for encryption keys. Make sure you have at least one backup access method.
- Admins cannot read your data without Team Access. Even workspace admins must have the Team Key properly provisioned to decrypt workspace entries.
- The Trackself team cannot read your data. Since the server only stores encrypted blobs, Trackself staff have no ability to decrypt your content.
- Shared links are as sensitive as the data they contain. Anyone with a share link can view the timesheet. Share links expire automatically, but treat them carefully while active.