Questions & answers

Is payment truly voluntary? Any catches?

Yes … and no! We provide scrutch free to try and free to use. There are no paywalls, because we believe in a low threshold for using this writing tool. It also further increases privacy if we can’t link (paying) customers to encrypted contents on scrutch.

However, if you observe yourself using it on a regular basis, there is a somewhat moral expectation to pay for it. So if scrutch proved useful to you, please do some soul-digging and consider supporting it.

How confidential are my texts? How secure is scrutch?

Very confidential. And pretty secure. Every time you create a new text, a random key is generated by your device. This key is used to encrypt everything you type before it leaves the client. The key is different for each text and exclusively stored on the devices it is shared with. It is never sent to our (or third-party) servers.

Do we guarantee it is 100 % secure? Well, we don’t. Nobody would do that. People make mistakes, software may have errors, bad guys may be powerful or smarter than us. But we do our best. If you have the time, let us explain.

Okay, and how exactly does scrutch encrypt my texts?

scrutch uses client-side symmetric encryption utilizing the Advanced Encryption Standard (AES) with a 256-bit key derived from the encryption key (passphrase) of each text. The key derivation function is PBKDF2 with a thousand iterations. The library used to perform the heavy crypto lifting in the background is CryptoJS.

I want more details.

Sure! The key derived from each text’s encryption key isn’t the actual key used to encrypt/decrypt the contents. Rather, it’s the key used to encrypt/decrypt the actual encryption key. Why so complicated? This ensures the actual key used to encrypt/decrypt your contents stays the same, even if you decide to change the encryption key of your text. This isn’t possible right now, but may be in the future. If it didn’t stay the same, we would have to decrypt and re-encrypt all your contents after every passphrase change.

So what’s stored on your servers, then?

Legit question. For each text the server knows the following:

  • Its slug as clear text. Used to identify and find a text.
  • The SHA3 hash of the text’s encryption key. Used to permit access only for people having the matching encryption key.
  • The AES-encrypted lower-level encryption key. Used to encrypt/decrypt the contents of the text. Can be decrypted using the key derived from the text’s encryption key.
  • A checksum of the content. Since the server cannot read the contents of your text, the checksum is used to detect changes.
  • A timestamp of the last change. Used to detect whether there is a newer version of the content on the server than on your client(s).
  • The encrypted content. Binary gibberish only decryptable by your devices.
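
The key-wrapping scheme from the answers above, as an added example in Node.js using its built-in crypto module; this is not scrutch’s own code, which the page says uses CryptoJS. GCM mode, HMAC-SHA256, SHA3-256, the per-text salt and all function names are assumptions made here, and changePassphrase is hypothetical because the page says that feature does not exist yet.

```javascript
const nodeCrypto = require("node:crypto");

// Page states: AES-256, PBKDF2 with 1000 iterations, SHA3 hash of the encryption key.
// Assumed here: GCM mode, HMAC-SHA256, SHA3-256, a per-text salt, IV/tag layout.
// OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
const ITERATIONS = 1000;

const sha3 = (s) => nodeCrypto.createHash("sha3-256").update(s).digest("hex");
const deriveKek = (passphrase, salt) =>
  nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");

// AES-256-GCM; output layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Builds the record the server would hold; passphrase and contentKey stay on the client.
function createText(slug, passphrase, content) {
  const contentKey = nodeCrypto.randomBytes(32); // the "lower-level" key
  const salt = nodeCrypto.randomBytes(16);
  return {
    slug,
    keyHash: sha3(passphrase),
    salt,
    wrappedKey: seal(deriveKek(passphrase, salt), contentKey),
    content: seal(contentKey, Buffer.from(content, "utf8")),
  };
}

function readText(record, passphrase) {
  const contentKey = unseal(deriveKek(passphrase, record.salt), record.wrappedKey);
  return unseal(contentKey, record.content).toString("utf8");
}

// Hypothetical passphrase change: only the wrapped key and hash are replaced.
function changePassphrase(record, oldPass, newPass) {
  const contentKey = unseal(deriveKek(oldPass, record.salt), record.wrappedKey);
  const salt = nodeCrypto.randomBytes(16);
  const wrappedKey = seal(deriveKek(newPass, salt), contentKey);
  return { ...record, keyHash: sha3(newPass), salt, wrappedKey };
}
```

After changePassphrase the content ciphertext is byte-for-byte unchanged, which is the reason the answer above gives for the two-level design. The checksum and timestamp fields from the list are left out.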

I wanna know moar!!!

Come on, give me a break! If you’re curious and/or an expert on cryptography, take a look at the crypto component of scrutch, which will be released on GitHub soon. If you find any mistakes or weird stuff in our crypto, please tell us before going public to give us the chance to fix it asap: hello@scrut.ch

I lost my encryption key. How can I recover it?

Hold on to something … you can’t. That’s the beauty of encryption. The encryption key of a text never leaves your device(s). So, if you lost access to it, we cannot restore it. Without it, your contents are just binary gibberish. Try to remember if you shared your text with another device. It may still be there, including the decryption key.

Can I format my texts? Any hidden features?

scrutch uses Markdown to highlight texts and derive certain information from it (the title, for instance). We’re working on a guide to get you started. In the meantime, take a look at the basic syntax of Markdown and our YouTube channel, which introduces some not-so-obvious features like task lists.

Are there mobile apps for Android/iOS/Nokia 3310?

As of now, we do not plan to develop any native apps. This would mean a lot of extra work. We firmly believe in web technology.

This is why scrutch offers advanced progressive web app (PWA) and offline support. We recommend installing the scrutch PWA on your mobile devices, including tablets. It’s easy and natively supported by the operating system. There is more than one article on how to install a PWA on Android and iOS.

Can I install scrutch on my own server? Is it open-source?

Since scrutch is a truly end-to-end encrypted service, there are no real benefits of hosting your own instance. Except trust issues, of course.

It’s not yet decided whether to open-source scrutch’s client and server applications. We believe open-source projects should adhere to certain standards and be provided in a proper and well-documented way. This would require quite some extra time, which – as of now – is rather spent on improving user experience and stability.

However, we’re working on bundling all the encryption-related code into a package library for everyone to use and verify. Check our official GitHub presence or follow us on Twitter to get updated about this.

If you’re an organization and want to use it with your own branding or within an intranet, you may request a quote for on-premise licensing and support. Take a look at our pricing on how to reach out.

Does scrutch offer built-in spell/grammar checking?

This is sad, but currently it doesn’t. Even sadder: It won’t happen soon.

Spell and grammar checking usually means sending your text to a third-party service which specializes in these things. One of the downsides of end-to-end encryption is that it doesn’t make sense to send your unencrypted content to other parties. So spell checking would have to take place on your client and only on your client. And here we’re talking about a whole domain of challenges. A domain different to the core of scrutch.

So we recommend using the built-in spell checker of your browser or installing an appropriate extension. Do keep in mind that many tools (especially grammar checkers) send your inputs to their servers. If you don’t mind that, go for it, or choose an extension that works locally only.

What is the retention of my texts?

Retention is basically unlimited. As long as we can afford to run the servers, the texts will continue to exist. Keep in mind there’s always a copy of your texts on your device(s). So even if servers go down, you’re still able to access them.

What happens if your servers go down or you abandon the project?

This is a valid concern. If you’re offline or the server is gone, you still have access to your texts. There’s always a copy on your device. The sync of changes to other clients will have to wait until you’re online again. So as long as you have access to at least one of the devices you shared/created texts with, you keep access to your contents.

How can I report bugs or request a feature?

We created a special repository on GitHub to track issues. So if something doesn’t feel right, we’d be happy if you reported it there. Please use it to tell us about issues only.

To receive support or suggest a feature, send us an old-school email: hello@scrut.ch

Are you from Switzerland?

Nope, I’m not. Start from.scrutch.com wouldn’t have sounded cool and (from.)scrat.ch was already taken. If you’re the owner of scrat.ch, please do get in touch if you’re eager to donate your domain. 😘

Any yet unanswered questions on your mind? Please do ask: @scrut_ch or hello@scrut.ch