
How does encryption work?

Learn how Horizon encrypts your content.

What is encryption?

Encryption is a method used to protect information by transforming it into a secret code that can only be read by someone who has the correct key. This process ensures that sensitive data, such as personal details and personal files, remains private and secure.

When data is encrypted, it appears as a jumble of random characters to anyone who doesn't have the decryption key. This means that even if someone intercepts the information, they won't be able to understand it. Encryption is widely used in everyday applications like online banking, email services, and secure messaging apps to safeguard your data from unauthorized access and cyber threats.

Encryption rests on well-studied mathematics: once data is encrypted, it cannot practically be decrypted without the key.

How does Horizon use encryption?

Horizon uses two types of encryption: server-side and client-side.

All File Uploads

At all times, every file is encrypted with AES-256 at rest at least once, using a global key that Horizon has access to. If encryption is enabled in settings, the file is encrypted again with a second key that Horizon does not store.

Encrypted File Uploads

If enabled, Horizon can encrypt your file uploads at rest on the server. This means that after your file has been uploaded, Horizon automatically begins encrypting it on your behalf.

Here's a high-level overview of how Horizon encrypts your files:

  1. Horizon securely generates a random encryption key.
  2. This encryption key consists of 256 bits of entropy, giving 256-bit encryption.
  3. Horizon encrypts your file with AES-CTR using the encryption key.
  4. Horizon hashes the encryption key using a memory-hard, irreversible hashing function.
  5. Horizon hashes the encryption key with Argon2id, a memory-hard hashing function that is resistant to brute-force attacks. This allows Horizon to verify that the encryption key is correct without storing it.
  6. Horizon stores the encrypted file and the hashed encryption key.
  7. Horizon permanently discards the encryption key.
  8. During this process, the encryption key is never stored persistently; it exists only in ephemeral memory.

When you download your encrypted file, Horizon verifies the key you provide against the stored hash. This ensures that only you can access your files, even though they are stored on Horizon's servers.

End-to-end Encrypted Pastes

If enabled, Horizon can end-to-end encrypt your pastes client-side. This means that the encryption key is generated on your device before the paste is uploaded to the server, and the key is never sent anywhere.

Here's a high-level overview of how Horizon encrypts your pastes:

  1. Horizon generates a random encryption key on your device.
  2. This encryption key consists of 256 bits of entropy, giving 256-bit encryption.
  3. Horizon encrypts your paste with AES-GCM using the encryption key.
  4. Horizon uploads the encrypted ciphertext to the server.
  5. Your browser appends the encryption key to the URL in a way that ensures the key is never sent to the server.

When you view your encrypted paste, your browser decrypts it locally using the encryption key appended to the URL. This ensures that only you can access your pastes, even though they are stored on Horizon's servers.