General
What is EteSync?
Secure, End-to-End encrypted, and privacy respecting sync for contacts, calendars, tasks and notes with clients available on all major platforms.
It creates a new account on your device to which you can save contacts and calendars. These are then synchronized across your devices in a secure way while maintaining a complete history of your changes both locally, and securely on our servers. After setup, you won't even know it's there. You just keep on using the same contacts and calendar apps you were using before.
For more information please take a look at the Why use EteSync?
FAQ section.
I forgot my password, can you please help me?
All of your data is end-to-end encrypted, so if you lost your password, we can't help you access it.
You can, however, reset your account so you can start from scratch with a new password and a clean slate. To do it, please go to the dashboard (use email login), and initiate a reset request.
I don't have a username and I'm unable to login to some of the apps using my email. How can I fix this?
Short answer: You need to upgrade your account to EteSync 2.0.
Long answer: EteSync used to use emails as a login identifier. However, starting from version 2.0, EteSync uses usernames. If you don't have a username it means you haven't ugpraded your account to version 2 yet. Upgrading the account is easy and takes only a few minutes. It's highly recommended and improves the EteSync experience on many fronts. For more information please refer to the announcement blog post.
Do I need a Google account? Can I remove mine after using EteSync?
You do not need a Google account! On Android, EteSync behaves exactly like a Google account so your address book and calendar apps will just use EteSync directly. This means, that after you have imported all of your data to EteSync, you can disable contacts and calendar sync for your Google account and never use it again.
It doesn't work/I found an issue. What do I do?
Unfortunately bugs sometimes happen. Please check if a similar issue was already reported on our bug tracker. If so, please add any information you may have, if not please provide us with as much information as possible so we can fix it as quickly as possible. If you found a security vulnerability, please take a look at our security.txt file for more information.
I have a suggestion, complaint or feedback, how do I reach you?
We love, welcome and appreciate feedback, suggestions and even complaints. You can reach us here.
Why use EteSync?
What does EteSync provide?
EteSync provides you with strong assurances of privacy and safety for your personal information (why care?), more control of your data, and a full history of all the changes made to it.
For example, since all of your changes are saved, you can use EteSync to retrieve a deleted calendar event to find lost information, or see when an unknown contact was added to help figure out who that person is.
I already use a service I trust (e.g. Google) or self-host, why should I switch?
Over the past few years we've been proven again and again that companies can't be trusted with our data. Either because of negligence (they get hacked), malice (they sell your data) or helplessness (the government forces them to give away your data).
This is why some people choose to host their own servers, and synchronize their data with those. However those are vulnerable to the same issues. They get hacked, or the government forces the hosting provider to hand over the server. In addition to that, maintaining and installing a private server is a lot of work, and not trivial to get right.
We thus designed EteSync so you don't need to trust us, improving upon both alternatives. With that being said, we do support self-hosting for those who prefer it.
Payment
How much does it cost to use this service?
The service comes with a two week trial, after which you will be charged based on your chosen plan. Please take a look at the pricing page for exact prices.
Payment information is not required until after the trial is over, though you can add your payment information at any time from the dashboard.
If I want to share a calendar with my spouse, do I need to get two subscriptions?
No. You can just create a normal subscription for yourself, and an "Associate" subscription for your spouse. Then share the calendar with the second account, and that's it.
However, Associate accounts can't create their own calendars. So in order to have a personal calendar (that you can't see), your spouse will have to get a normal subscription too.
To create an associate account, go to the dashboard, and share the associate invitation link from there.
Can I use an alternative payment method? For example, Bitcoin?
While the only automatic payment method is cards, we can manually process some other ones. Just use one of the methods below and we will then, within 72 hours, apply the balance to your account and send you a confirmation email.
PayPal
- Pay from the link in the dashboard.
Bank Transfer - Euro (SEPA EU only!)
Please make a transfer in Euro to the following account, and let us know by email once you have.
- Recipient: Etesync Ltd
- IBAN: BE56 9670 0401 8388
- Bank code (SWIFT / BIC): TRWIBEB1XXX
- Address:
TransferWise Europe SA Square de Meeûs 38 bte 40 Brussels 1000 Belgium
Bank Transfer - GBP
Please make a transfer in GBP to the following account, and let us know by email once you have.
- Recipient: Etesync Ltd
- Sort code: 23-14-70
- Account number: 73521142
- Address:
TransferWise 56 Shoreditch High Street E1 6JJ London United Kingdom
Cryptocurrencies
Cryptocurrencies are temporarily disabled while we are updating our payment integration.
Other Forms of Payment
We can also accept other forms of payment. Please contact us for more information.
Do you offer a referral program?
Yes we do. Share your referral code (available from the dashboard) with friends, and ask them to use it when they register. For every friend that becomes a paying user, you will both get two weeks added to your accounts for free!
Usage
Do you have a user guide?
Yes we do, here.
My existing contacts and calendars aren't syncing, why is that?
EteSync doesn't sync existing accounts, but instead provides you with a new account to save to. Backing up existing accounts (such as a Google account) defeats the purpose of EteSync, which is to sync your personal information in a secure way.
In order to add contacts and calendar events to EteSync, just choose these accounts when using your existing contact and calendar apps. For more information please refer to the relevant section of the user guide.
How do I import my contacts and calendars to EteSync?
EteSync supports importing either from file (vCard and iCal), or from an account on the device (for example a Google account). For more information, please refer to the user guide.
When removing a member from a group, I get a warning about malicious users potentially being able to retain data, what is it about?
When you share a journal with a user, two things happen: the user is granted access by the server to the encrypted journal, and you share the encryption key with that user. This means all users have access to the encryption key used for a shared journal. In addition, because the journal is append-only (so you can't rewrite the history), the journal's encryption key can't be changed.
This means that a malicious user, using specialised software, could potentially keep the encryption key for a journal even after access has been revoked. This is usually not a major concern, as the user won't be able to access the encrypted journal because the access to the server would have been revoked, however if such a user gets access by, for example, hacking into the server, the user would be able to decrypt the data.
How can I run my own instance (self-host)?
Follow the instructions here.
Is the web app safe?
Short answer: yes.
Long answer: it depends.
The code should be perfectly safe to use, so if you run your own
instance locally which you got from a trusted source, it is as safe
as using any other client.
Alternatively, you can use the Signed Pages
browser extension in conjunction with the hosted web app
which will provide you with almost the same level of security.
Last, depending on your threat model, it may be fine to use the
hosted version without the extra security measures, though we would
advise against that, or if you must, not on a regular basis.
The main problem with using a web client is that the client, which is what handles your encryption password and ensures your information is safe, is served to you live from the server on each access. This means that the server could potentially serve malicious versions (either to everyone, or targeted to you) which will steal your encryption password and compromise your data.
We take measures to ensure the server is secure, for example by using a hardened Linux installation, patching vulnerabilities as they are known, using HTTP safety mechanisms like TLS, CSPA, HSTS and make sure to disable weak ciphers. However even with all of that, we can't provide the same level of assurance as running a verified local installation.
How can I export my data?
Exporting your data is easy! Either setup EteSync-DAV and use the web UI for a full export of your data, or use an Android app that supports exporting, such as Google Contacts and Calendar Import - Export. Additionally, you can just download the data as we have it, in raw form (encrypted), by accessing the browsable API explorer and downloading the parts that you'd like exported.
- The journal list.
- Per-journal entries list where you'd need to replace JOURNAL_UID with the relevant journal UID.
If you are looking for a tool to automatically download your data to your computer (encrypted or not), e.g. for backup purposes, you can just use the example script from the Python API repository.
In addition, please remember that our slogan is
Your Data, Yours Only
. Your data is yours, and we will
always have a way to export your data, so just reach out if you
have any more questions.
Trust & Privacy
Why should I trust you with my data? (privacy)
You shouldn't. This is why we've taken every measure to make sure we never see your data. You don't believe us? Check for yourself, both the client and the server are open source.
Why should I trust you with my data? (data-loss)
EteSync writes all of the calendar and contact changes to an encrypted and integrity checked journal (similar to how the famous git scm works). This means that even if the client malfunctions or your credentials are
hacked, your data is safely stored. In addition, we backup our entire database on a daily basis, so even if our servers fail, your data is safe.
With that being said, there could still be bugs in the client, however, EteSync is based on the widely used DAVx5, which reduces
the likeliness of a bug in the client. If you do encounter one, please let us know.
Why should I care about privacy?
In the current age of mass surveillance, mass hacking and big data
everyone is being monitored, because it's cheap to do so. Think of it like a CCTV camera in the street, it's always on, and not just turned on when suspects are
expected to walk in front of it.
A common reply to the above statement is: Wow, I had no idea, but it doesn't matter as I have nothing to hide
, which is most likely not true, but even if it was, privacy isn't just about you, it's about all of us.
Without privacy we would still have prohibition; homosexuals would still be arrested, castrated or forced to go through conversion therapy
; slavery and segregation would still be legal; and the list goes on.
It's not by chance that privacy, the right to assemble and the right to protest are some of the base tenants of democracy, those enable the population to regulate those in power, resist, and change the world to the better.
Even if we are not fighting for a cause, it's our duty for us and our future generations that we make sure that those who do are still able to do so.
Can anyone (including EteSync) access my data?
Short answer: No.
Long answer: it depends. EteSync utilises end-to-end encryption and TLS which
together ensure your data is both transported securely and saved securely on our servers. We can't access your data even if we wanted (we don't), however there are some factors that can mitigate this security.
For example, if you use a simple encryption password, or use one you've also used elsewhere (password reuse) an attacker may be able to decrypt your data. See the securing EteSync entry for more information.
I can see my data in the Google Calendar Android app, can Google access my data?
On Android, calendar and contacts are handled by two different types of apps. The first is the provider, which is in charge with syncing the data, and the second is the client, which is in charge of showing the data to the user. Example providers include: the Google account (syncs with Google), DAVx5 (syncs with DAV servers) and EteSync (encrypts and syncs with the EteSync server). Example clients include: Google Calendar, AOSP Calendar and Etar.
Clients should not have internet access, though even if they do, it's unlikely Google will be extracting your private data in this way, as it's quite easy to detect if they do. With that being said, it's a better idea to use open-source clients (such as Etar) so you can be extra sure you are using privacy respecting software.
Why don't you offer two-factor authentication (2FA) for account protection?
It's an often requested feature and we plan on offering it soon, though it's really mostly just about ticking that box than adding much to the overall security of your data. The whole point of end-to-end encrypted services is that your data is safeguarded by encryption and can't be accessed even by the hosting provider, hackers or other bad actors. 2FA doesn't help this requirement at all, as 2FA is just the server saying "This login is OK".
The correct way of doing 2FA with encrypted applications is by using a real encryption token that does your encryption for you (e.g. Nitrokey, Yubkey and the likes), though that's not what most people mean when they say 2FA, and will be incompatible with what people expect 2FA to be.
Do you support Signed Pages?
Yes we do, for the web app. Settings can be found here.
Any tips for securing EteSync?
Yes. Security systems are only as strong as their weakest link, so while EteSync can make your data secure, you can still mess things up.
Here are a few tips to securing your setup:
- Don't reuse passwords, and have a different password for authentication and encryption. Reusing the encryption password increases the chance it will leak. Create a unique password and use a password manager, or do whatever it takes, just don't reuse or use a simple, easily guessable one.
- Never give anyone your encryption password, not even to us.
- If your encryption password is hard to remember, save it in a password manager, or have a securely kept paper copy to prevent data-loss.
- Do you trust your device? Make sure your device is up to date with the latest security patches, and is not compromised (by for example, installing root apps from untrusted sources).
- Don't let untrusted apps access your personal information. There is no reason why a game should get access to your calendar and etc. Watch out.
- Protect your phone with a pin/password, and preferably encrypt the drive.
Have we forgotten anything? Please let us know.
Where can I find the source code?
The source code for our client, server and other projects is available here.
Do you have a warrant canary?
Yes we do.
Where are you and your servers located?
We are based in the United Kingdom, and our servers are currently located in Austria and are hosted by EDIS.
Technical Details
Do you have a document detailing the protocol, or how EteSync works?
EteSync 2.0 is powered by Etebase. Please take a look at the Etebase protocol specifications for more information.
What is the certificate's fingerprint/public-key?
EteSync uses LetsEncrypt, which means the certificate changes every ~2 months, and with that the fingerprint. So putting the fingerprint here would not be very useful as it changes all the time.
The public key however, should remain the same across certificate updates. Here is the public key information for the API, and how to get it:
% openssl s_client -connect api.etebase.com:443 | openssl x509 -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxyGGC4OGCR90bqqBLz9c
d77gVc7uy250efyooTH26n7pelSuim6ul098iN+XAjD5MI8DbHE4Ha1P96+HR5ED
DW5Lmn/HFsgd7RRI7r29D57zEF68Wj6EX4kG3l40H2RWcL0F//WwfsJlNTYpElb3
gm/9MSX7tZ+jCTE6sUBkv6HLxahRBt6LtCZF50nkRx9jcHrNHu6TDNpNW+2bta2R
n7oLcfTMrmZYBxeHN9hQWc6Vh9Q6cK5WQmljk1nP1xtsf/5BT+6pisZwxDn/WqYv
QvfanIyZcsaqT2meJfAbvpUumraGoo1zggJPggVwObazgizSwOdDyMGXWOgSsApi
uRNTJEtsVS70UbGWj0af4akv+pTlBCGs31Hsalv4CLf7pJhTFWK22KYsG89aHaeY
V/2hHB4g5tUXW7gsv4usBswHfFLjpxcOAVteni/TsHUvup+GrfwhcHmAJF/wB5IL
oF13Aig1h7QL4uvGJxdXm1XgRpjvZphS9dmBQ7KtMqa3Nl/aK0wsMCnv749FhlS+
V2eOr0paYRCj4LDGwhTyu+zxDY01xprlVCQ9w0H/PXAY52ClqEYCAXedd3Ruckj9
k8PjbSlEofgPUFwPdqGjbPB6hFx9OzBUBw68+JLwZ6QP8NvDLvpstpFABrTvT2u7
F77XOA57jbnP7+1im8CYfwkCAwEAAQ==
-----END PUBLIC KEY-----
Glossary
End-to-end encrypted, journaled, etc, what do these words mean?
End-to-end encrypted: encrypted in a way that only the users (ends) and not the server (EteSync) have access to the information. Unfortunately, most of the services you use are not end-to-end encrypted.
Journaled: comes from the word journal
. It means that all the actions taken on the data are stored, keeping track of changes.
Synchronization: keeping data up to date between a group of devices. We also use it to mean backed (securely!) up on the server.
Open source: The term open source
refers to something people can modify and share because its design is publicly accessible.
Errors
I'm getting a warning about potential vendor issues, what should I do?
Android is used by many different manufacturers on a myriad of different devices and configurations. This is a great thing because it has brought many innovations. Unfortunately though, some manufacturers modify the system irresponsibly in intrusive and buggy ways that cause some apps to malfunction. In this case in particular, it seems like the Xiaomi and Huawei are breaking EteSync and other similar apps such as DAVdroid.
Luckily, there are ways to work around these issues, and the people behind DAVdroid have a good FAQ entry on the matter. Please follow the instructions there, specifically section 3.
In case you are still experiencing or you are unsure how to follow the above instructions, please contact support.