Wealth Curve

End-to-end encryption (E2EE)

How Wealth Curve keeps synced models private, what the tradeoffs are and what you should know.

What is E2EE?

End-to-end encryption means your data is encrypted on your device before it is uploaded and it is only decrypted on your device when you view it again.

With typical “cloud encryption,” data is protected while it travels over the network and may be encrypted at rest on the server—but the service can still decrypt it. With E2EE, the service stores ciphertext only: encrypted blobs that are useless without your passphrase-derived keys.

Quick definition

Plaintext = readable data (your model JSON).
Ciphertext = unreadable encrypted data (what the server stores).
E2EE = only your device can turn ciphertext back into plaintext.

Why Wealth Curve uses it

A long-range financial model is unusually sensitive. Even if you never enter account numbers, a forecast still contains information most people wouldn’t want shared: income, spending, net worth trajectory, retirement timing, education plans, large purchases and “what if” scenarios.

Wealth Curve doesn’t need to read your model content to provide value. E2EE is a straightforward way to reduce trust: the best privacy promise is “we can’t see it,” not “we promise not to look.”

What changes when E2EE is enabled

  • The backend stores encrypted blobs (ciphertext) instead of readable JSON.
  • Your passphrase never needs to be sent to Wealth Curve servers.
  • Sync across devices becomes possible without exposing model content to the cloud.

What it protects

E2EE is designed to protect your model content from being read in places where cloud systems are most vulnerable: misconfiguration, unauthorized access, third-party compromise and data breaches.

Protected

  • Your model inputs (income, expenses, inflation, assumptions)
  • Portfolio balances, contributions, withdrawals and return assumptions
  • One-offs, overrides and notes/comments
  • Your full exported model structure (when stored as synced data)

Not magically protected

  • Your device (malware, a compromised browser extension or an unlocked stolen laptop is a different risk)
  • Metadata needed for syncing (for example: document IDs, timestamps, and encryption parameters). The server can store ciphertext without reading it, but it may still store basic “wrapper” fields.

The basic flow

Here’s the “movie trailer” version of what happens when you use synced storage with E2EE:

  1. Your browser builds a model object (plaintext JSON).
  2. Your browser derives encryption keys from your passphrase (locally) and encrypts the JSON into ciphertext.
  3. The ciphertext is uploaded and stored in the cloud.
  4. On another device, you sign in, enter your passphrase, download ciphertext, and your browser decrypts it back into JSON.
Your device
Plaintext model
Readable JSON
Cloud
Ciphertext only
Encrypted blob
Your device
Plaintext model
Readable JSON

The key idea: encryption and decryption happen on the client. The server stores ciphertext and can’t decrypt it without your passphrase-derived keys.

Passphrase & keys

When you enable synced storage, Wealth Curve uses a passphrase you know (and ideally write down) to derive encryption keys on your device.

Why a passphrase (and not your login password)?

Your Wealth Curve sign-in is for authentication and account access. Your passphrase is for encryption. Keeping those separate reduces risk and keeps the server from ever needing decryption capability.

Key derivation (in plain English)

A passphrase is human-friendly, but encryption keys need to be random-looking and the right length. A key derivation function (KDF) turns your passphrase into a cryptographic key using a salt and iteration count.

  • Salt — random per user/model so two people with the same passphrase don’t get the same key.
  • Iterations — extra work that makes brute-force guessing much slower.
  • Derived key — the actual key used by the encryption algorithm.
Important

If you lose your passphrase, your encrypted synced data cannot be recovered. Wealth Curve can’t reset or “email you” the key because Wealth Curve never had it.

Plaintext vs ciphertext

Here’s a simplified example showing the difference between a readable model (plaintext) and an encrypted stored version (ciphertext wrapper).

Plaintext (JSON)

{
  "meta": {
    "name": "Base Forecast",
    "startYear": 2026,
    "startAge": 38
  },
  "modelInputs": {
    "monthlyIncomeTakeHomeCents": 1200000,
    "monthlyExpensesCents": 1100000,
    "inflationRate": 0.03
  },
  "portfolios": [
    { "name": "Non-Retirement", "balanceCents": 125000000, "cagr": 0.07 }
  ],
  "oneOffs": [
    { "year": 2029, "type": "expense", "amountCents": 2100000, "description": "Big Vacation" }
  ]
}

Ciphertext (stored in cloud)

{
  "v": 1,
  "alg": "AES-256-GCM",
  "kdf": "PBKDF2-SHA256",
  "iter": 100000,
  "salt": "m3m7dWlQh6r1bE0l4YfA5w==",
  "iv": "Qm0o2CzQ2pHhYgZB",
  "ct": "9Yk3ZkZ2xGxq3m3d8v1kO0s1B+8i8y1n5sJwzG4j0o4Q9Jm2V9...d0Q=",
  "tag": "pYw0cFvNn7x7m0r9kYb1kA=="
}

The ciphertext object above is intentionally boring: it’s just the information needed to decrypt if you have the right passphrase. Without that passphrase-derived key, it’s not useful.

What you give up

E2EE is a deliberate trade. You gain privacy and reduce trust in the server, but you also take on more responsibility.

Key tradeoffs

  • No recovery if you lose your passphrase. There is no “reset my encryption” button that can decrypt existing data—because the server can’t decrypt it.
  • Some features must be client-side. Anything that requires reading model content (searching inside models, server-side analysis, etc.) must be done in your browser after decryption.
  • Device security matters more. E2EE protects the cloud. It doesn’t protect you from a compromised device.
Local-only mode

If you don’t need multi-device sync, you can use local-only storage. In that mode, data stays on the device and isn’t uploaded.

Best practices

A few simple habits make E2EE dramatically more effective in the real world:

  • Write down your passphrase and store it somewhere safe (offline is fine).
  • Use a unique passphrase (don’t reuse a password you use elsewhere).
  • Keep your browser and OS updated, and be conservative with browser extensions.

FAQ

Is E2EE the same as HTTPS?

No. HTTPS protects data in transit. E2EE ensures the server never receives readable data in the first place.

Can Wealth Curve staff decrypt my models?

No. With E2EE enabled, decryption requires your passphrase-derived keys, and those keys are not stored on Wealth Curve servers.

What happens if I change my passphrase?

Changing a passphrase typically requires re-encrypting data with a new key. If Wealth Curve supports passphrase rotation in the future, it would be done by decrypting and re-encrypting on your device (not on the server).

Does E2EE slow down the app?

There’s some extra work during unlock and save/sync, but for typical model sizes it’s not noticeable on modern devices. The goal is “secure by default” without making the app feel heavy.

Want the big picture? See Storage and sign-in in the user guide.