Frequently Asked Questions

Secure, End-to-End encrypted, and privacy respecting sync for contacts, calendars, tasks and notes with clients available on all major platforms.

It creates a new account on your device to which you can save contacts and calendars. These are then synchronized across your devices in a secure way while maintaining a complete history of your changes both locally, and securely on our servers. After setup, you won't even know it's there. You just keep on using the same contacts and calendar apps you were using before.

For more information please take a look at the Why use EteSync? FAQ section.

All of your data is end-to-end encrypted, so if you lost your password, we can't help you access it.

You can, however, reset your account so you can start from scratch with a new password and a clean slate. To do it, please go to the dashboard (use email login), and initiate a reset request.

Short answer: You need to upgrade your account to EteSync 2.0.

Long answer: EteSync used to use emails as a login identifier. However, starting from version 2.0, EteSync uses usernames. If you don't have a username it means you haven't ugpraded your account to version 2 yet. Upgrading the account is easy and takes only a few minutes. It's highly recommended and improves the EteSync experience on many fronts. For more information please refer to the announcement blog post.

You do not need a Google account! On Android, EteSync behaves exactly like a Google account so your address book and calendar apps will just use EteSync directly. This means, that after you have imported all of your data to EteSync, you can disable contacts and calendar sync for your Google account and never use it again.

EteSync provides you with strong assurances of privacy and safety for your personal information (why care?), more control of your data, and a full history of all the changes made to it.

For example, since all of your changes are saved, you can use EteSync to retrieve a deleted calendar event to find lost information, or see when an unknown contact was added to help figure out who that person is.

Over the past few years we've been proven again and again that companies can't be trusted with our data. Either because of negligence (they get hacked), malice (they sell your data) or helplessness (the government forces them to give away your data).

This is why some people choose to host their own servers, and synchronize their data with those. However those are vulnerable to the same issues. They get hacked, or the government forces the hosting provider to hand over the server. In addition to that, maintaining and installing a private server is a lot of work, and not trivial to get right.

We thus designed EteSync so you don't need to trust us, improving upon both alternatives. With that being said, we do support self-hosting for those who prefer it.

The service comes with a two week trial, after which you will be charged based on your chosen plan. Please take a look at the pricing page for exact prices.

Payment information is not required until after the trial is over, though you can add your payment information at any time from the dashboard.

No. You can just create a normal subscription for yourself, and an "Associate" subscription for your spouse. Then share the calendar with the second account, and that's it.

However, Associate accounts can't create their own calendars. So in order to have a personal calendar (that you can't see), your spouse will have to get a normal subscription too.

To create an associate account, go to the dashboard, and share the associate invitation link from there.

While the only automatic payment method is cards, we can manually process some other ones. Just use one of the methods below and we will then, within 72 hours, apply the balance to your account and send you a confirmation email.

Yes we do, here.

EteSync doesn't sync existing accounts, but instead provides you with a new account to save to. Backing up existing accounts (such as a Google account) defeats the purpose of EteSync, which is to sync your personal information in a secure way.

In order to add contacts and calendar events to EteSync, just choose these accounts when using your existing contact and calendar apps. For more information please refer to the relevant section of the user guide.

EteSync supports importing either from file (vCard and iCal), or from an account on the device (for example a Google account). For more information, please refer to the user guide.

When you share a journal with a user, two things happen: the user is granted access by the server to the encrypted journal, and you share the encryption key with that user. This means all users have access to the encryption key used for a shared journal. In addition, because the journal is append-only (so you can't rewrite the history), the journal's encryption key can't be changed.

This means that a malicious user, using specialised software, could potentially keep the encryption key for a journal even after access has been revoked. This is usually not a major concern, as the user won't be able to access the encrypted journal because the access to the server would have been revoked, however if such a user gets access by, for example, hacking into the server, the user would be able to decrypt the data.

Follow the instructions here.

Short answer: yes.
Long answer: it depends. The code should be perfectly safe to use, so if you run your own instance locally which you got from a trusted source, it is as safe as using any other client. Alternatively, you can use the Signed Pages browser extension in conjunction with the hosted web app which will provide you with almost the same level of security. Last, depending on your threat model, it may be fine to use the hosted version without the extra security measures, though we would advise against that, or if you must, not on a regular basis.

The main problem with using a web client is that the client, which is what handles your encryption password and ensures your information is safe, is served to you live from the server on each access. This means that the server could potentially serve malicious versions (either to everyone, or targeted to you) which will steal your encryption password and compromise your data.

We take measures to ensure the server is secure, for example by using a hardened Linux installation, patching vulnerabilities as they are known, using HTTP safety mechanisms like TLS, CSPA, HSTS and make sure to disable weak ciphers. However even with all of that, we can't provide the same level of assurance as running a verified local installation.

Exporting your data is easy! Either setup EteSync-DAV and use the web UI for a full export of your data, or use an Android app that supports exporting, such as Google Contacts and Calendar Import - Export. Additionally, you can just download the data as we have it, in raw form (encrypted), by accessing the browsable API explorer and downloading the parts that you'd like exported.

If you are looking for a tool to automatically download your data to your computer (encrypted or not), e.g. for backup purposes, you can just use the example script from the Python API repository.

In addition, please remember that our slogan is Your Data, Yours Only. Your data is yours, and we will always have a way to export your data, so just reach out if you have any more questions.

You shouldn't. This is why we've taken every measure to make sure we never see your data. You don't believe us? Check for yourself, both the client and the server are open source.

EteSync writes all of the calendar and contact changes to an encrypted and integrity checked journal (similar to how the famous git scm works). This means that even if the client malfunctions or your credentials are hacked, your data is safely stored. In addition, we backup our entire database on a daily basis, so even if our servers fail, your data is safe.
With that being said, there could still be bugs in the client, however, EteSync is based on the widely used DAVx5, which reduces the likeliness of a bug in the client. If you do encounter one, please let us know.

On Android, calendar and contacts are handled by two different types of apps. The first is the provider, which is in charge with syncing the data, and the second is the client, which is in charge of showing the data to the user. Example providers include: the Google account (syncs with Google), DAVx5 (syncs with DAV servers) and EteSync (encrypts and syncs with the EteSync server). Example clients include: Google Calendar, AOSP Calendar and Etar.

Clients should not have internet access, though even if they do, it's unlikely Google will be extracting your private data in this way, as it's quite easy to detect if they do. With that being said, it's a better idea to use open-source clients (such as Etar) so you can be extra sure you are using privacy respecting software.

It's an often requested feature and we plan on offering it soon, though it's really mostly just about ticking that box than adding much to the overall security of your data. The whole point of end-to-end encrypted services is that your data is safeguarded by encryption and can't be accessed even by the hosting provider, hackers or other bad actors. 2FA doesn't help this requirement at all, as 2FA is just the server saying "This login is OK".

The correct way of doing 2FA with encrypted applications is by using a real encryption token that does your encryption for you (e.g. Nitrokey, Yubkey and the likes), though that's not what most people mean when they say 2FA, and will be incompatible with what people expect 2FA to be.

Yes we do, for the web app. Settings can be found here.

Yes. Security systems are only as strong as their weakest link, so while EteSync can make your data secure, you can still mess things up.
Here are a few tips to securing your setup:

• Don't reuse passwords, and have a different password for authentication and encryption. Reusing the encryption password increases the chance it will leak. Create a unique password and use a password manager, or do whatever it takes, just don't reuse or use a simple, easily guessable one.
• Never give anyone your encryption password, not even to us.
• If your encryption password is hard to remember, save it in a password manager, or have a securely kept paper copy to prevent data-loss.
• Do you trust your device? Make sure your device is up to date with the latest security patches, and is not compromised (by for example, installing root apps from untrusted sources).
• Don't let untrusted apps access your personal information. There is no reason why a game should get access to your calendar and etc. Watch out.
• Protect your phone with a pin/password, and preferably encrypt the drive.

Have we forgotten anything? Please let us know.

The source code for our client, server and other projects is available here.

Yes we do.

We are based in the United Kingdom, and our servers are currently located in Austria and are hosted by EDIS.

EteSync 2.0 is powered by Etebase. Please take a look at the Etebase protocol specifications for more information.

EteSync uses LetsEncrypt, which means the certificate changes every ~2 months, and with that the fingerprint. So putting the fingerprint here would not be very useful as it changes all the time.

The public key however, should remain the same across certificate updates. Here is the public key information for the API, and how to get it:

% openssl s_client -connect api.etebase.com:443 | openssl x509 -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxyGGC4OGCR90bqqBLz9c
d77gVc7uy250efyooTH26n7pelSuim6ul098iN+XAjD5MI8DbHE4Ha1P96+HR5ED
DW5Lmn/HFsgd7RRI7r29D57zEF68Wj6EX4kG3l40H2RWcL0F//WwfsJlNTYpElb3
gm/9MSX7tZ+jCTE6sUBkv6HLxahRBt6LtCZF50nkRx9jcHrNHu6TDNpNW+2bta2R
n7oLcfTMrmZYBxeHN9hQWc6Vh9Q6cK5WQmljk1nP1xtsf/5BT+6pisZwxDn/WqYv
QvfanIyZcsaqT2meJfAbvpUumraGoo1zggJPggVwObazgizSwOdDyMGXWOgSsApi
uRNTJEtsVS70UbGWj0af4akv+pTlBCGs31Hsalv4CLf7pJhTFWK22KYsG89aHaeY
V/2hHB4g5tUXW7gsv4usBswHfFLjpxcOAVteni/TsHUvup+GrfwhcHmAJF/wB5IL
oF13Aig1h7QL4uvGJxdXm1XgRpjvZphS9dmBQ7KtMqa3Nl/aK0wsMCnv749FhlS+
V2eOr0paYRCj4LDGwhTyu+zxDY01xprlVCQ9w0H/PXAY52ClqEYCAXedd3Ruckj9
k8PjbSlEofgPUFwPdqGjbPB6hFx9OzBUBw68+JLwZ6QP8NvDLvpstpFABrTvT2u7
F77XOA57jbnP7+1im8CYfwkCAwEAAQ==
-----END PUBLIC KEY-----
                

End-to-end encrypted: encrypted in a way that only the users (ends) and not the server (EteSync) have access to the information. Unfortunately, most of the services you use are not end-to-end encrypted.
Journaled: comes from the word journal. It means that all the actions taken on the data are stored, keeping track of changes.
Synchronization: keeping data up to date between a group of devices. We also use it to mean backed (securely!) up on the server.
Open source: The term open source refers to something people can modify and share because its design is publicly accessible.

Android is used by many different manufacturers on a myriad of different devices and configurations. This is a great thing because it has brought many innovations. Unfortunately though, some manufacturers modify the system irresponsibly in intrusive and buggy ways that cause some apps to malfunction. In this case in particular, it seems like the Xiaomi and Huawei are breaking EteSync and other similar apps such as DAVdroid.

Luckily, there are ways to work around these issues, and the people behind DAVdroid have a good FAQ entry on the matter. Please follow the instructions there, specifically section 3.

In case you are still experiencing or you are unsure how to follow the above instructions, please contact support.