Cloud Sync
Sync your vault across the internet using an encrypted relay server.
Overview
Cloud sync uses a WebSocket relay server to sync data between devices anywhere in the world. All data is end-to-end encrypted—the relay only sees encrypted blobs and cannot read your content.
Key Points:
Relay cannot decrypt your data (zero-knowledge)
Optional—Skelenote works fully offline without it
Self-hostable for complete control
Use Cloud sync when devices aren't on the same network. For local sync, see Local sync.
Architecture
┌─────────────────┐                              ┌─────────────────┐
│    Device A     │                              │    Device B     │
│   (Home Mac)    │                              │   (Office PC)   │
│                 │                              │                 │
│  ┌───────────┐  │                              │  ┌───────────┐  │
│  │  Encrypt  │──┼──────────────────────────────┼──│  Decrypt  │  │
│  └───────────┘  │                              │  └───────────┘  │
└────────┬────────┘                              └────────▲────────┘
         │                                                │
         │              Encrypted Blobs Only              │
         │                                                │
         ▼                                                │
┌──────────────────────────────────────────────────────────────────┐
│                           Relay Server                           │
│                                                                  │
│  • Receives encrypted data                                       │
│  • Stores in room by User ID                                     │
│  • Forwards to connected devices                                 │
│  • Cannot decrypt anything                                       │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘
The relay is a dumb pipe. It routes encrypted packets between your devices but cannot read, index, or analyze your data.
Encryption Guarantees
Even with Cloud sync, your data remains private:
Before transmission | Data encrypted with your Sync Key (derived from Skeleton Key)
In transit | TLS (wss://) + XChaCha20-Poly1305
At rest on server | Still encrypted—server has no keys
On receipt | Decrypted locally with your Sync Key
The relay never has access to:
Your Skeleton Key
Your Sync Key
Any plaintext data
Ability to decrypt anything
Using the Hosted Relay
Skelenote offers a hosted relay for convenience.
Setup
Open Settings > Sync > Cloud sync
Enter the relay URL (provided with your subscription)
Toggle Enable Cloud sync on
Verify connection status shows "Connected"
What the Relay Stores
Encrypted update blobs | Your data (we cannot read it)
User ID | Derived from your key—we don't know who you are
Device metadata | For presence indicators
Update sequence numbers | For catch-up sync
What the Relay Never Has
Your Skeleton Key
Your Sync Key
Any plaintext data
Ability to decrypt anything
Self-Hosting the Relay
For maximum control, run your own relay server.
Requirements
Server with public IP or domain
Docker (recommended) or Rust toolchain
TLS certificate (Let's Encrypt works)
Docker Deployment
Configuration
PORT | 8080 | WebSocket listen port
RUST_LOG | info | Log level (debug, info, warn, error)
MAX_ROOM_SIZE | 50 | Max devices per room
HISTORY_RETENTION | 7d | How long to keep update history
TLS Setup
For production, put the relay behind a reverse proxy (nginx, Caddy) with TLS:
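One way to do this with nginx, as an added example that is not the project's own configuration. It assumes the relay is reachable on 127.0.0.1:8080 (the PORT value from the Configuration section), the hostname relay.yourdomain.com used elsewhere on this page, and certbot's default Let's Encrypt paths.

```nginx
# Added example, not shipped with Skelenote. Place in a file included from the
# http {} context (for example /etc/nginx/conf.d/relay.conf).
# Assumptions: relay listens on 127.0.0.1:8080; hostname and certificate paths
# are placeholders to replace with your own.

# Pass the WebSocket upgrade through; close the connection for plain HTTP requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # TLS only. No port 80 listener, so clients cannot fall back to ws://.
    listen 443 ssl;
    server_name relay.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/relay.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/relay.yourdomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward to the relay on loopback. Publish the container port on
        # 127.0.0.1 only (docker -p 127.0.0.1:8080:8080) so the relay cannot
        # be reached directly without TLS.
        proxy_pass http://127.0.0.1:8080;

        # WebSocket requires HTTP/1.1 and the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # nginx closes idle proxied connections after 60s by default;
        # raise the timeouts so long-lived sync sockets stay open.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

Run `nginx -t` before reloading to catch syntax errors.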
Connecting Clients
In Skelenote, go to Settings > Sync > Cloud sync
Enter your relay URL:
wss://relay.yourdomain.com/
Enable Cloud sync
Verify connection status
When to Use Cloud sync vs Local sync
Same building/network | Local sync (maximum security)
Different cities/countries | Cloud sync
Untrusted network (hotel, conference) | Local sync only
Solo user, multiple devices at home | Either works
Team with remote members | Cloud sync
High-security environment | Local sync + self-hosted relay
Using Both
You can enable both Local sync and Cloud sync simultaneously:
Local devices sync via Local sync (faster, air-gapped)
Remote devices sync via Cloud sync
Skelenote automatically uses the fastest available path.
Troubleshooting
Connection Failed
Verify relay URL is correct (must start with ws:// or wss://)
Check internet connectivity
Verify Skeleton Key is configured
Check firewall allows WebSocket connections
Not Syncing
Ensure both devices use the same Skeleton Key
Check Cloud sync is enabled on all devices
Verify devices show as connected in Settings
Check relay status in Settings > Sync
Self-Hosted Relay Issues
Check TLS certificate is valid and not expired
Verify firewall allows incoming WebSocket connections
Check server logs for errors:
docker logs skelenote-relay
Test WebSocket with a tool like wscat:
Sync Conflicts
Loro CRDTs handle conflicts automatically. If you see unexpected content:
Check both devices have synced (status shows "Synced")
Use Time Machine to view history and restore if needed
Conflicts are merged, not overwritten—no data is lost
Privacy Comparison
Who can read data | Company, hackers, governments | Only you
Encryption | At rest (they have keys) | End-to-end (you have keys)
Metadata | Full access | User ID only (anonymous)
Subpoena response | They hand over data | Encrypted blobs (useless)
Self-host option | No | Yes
Further Reading
Security & Privacy Deep Dive — Full encryption architecture
Local sync Guide — Local network sync