---
id: TASK-77
title: 'EncryptID: Optional encrypted VPS backup for client-side data'
status: To Do
assignee: []
created_date: '2026-03-02 20:19'
labels:
  - encryptid
  - privacy
  - feature
dependencies: []
references:
  - src/encryptid/wallet-store.ts
  - src/encryptid/key-derivation.ts
  - src/encryptid/server.ts
priority: medium
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Add an EncryptID settings option for users to backup their encrypted client-side data (wallet associations, etc.) to a VPS. Default is client-side only (maximum privacy). Optional backup enables device-loss recovery and cross-device sync.

Architecture:
- Client-side encrypted localStorage is the default (current wallet-store.ts pattern)
- Settings toggle: "Backup encrypted data to server"
- When enabled, encrypted blobs (already AES-256-GCM) are synced to the EncryptID server or a user-specified VPS
- Server stores opaque ciphertext — same zero-knowledge pattern as encrypted_addresses
- On new device login, user can restore from backup after passkey authentication

Consider extending this to all client-side data (wallet associations, preferences) and potentially migrating encrypted_addresses to the same pattern (client-first, optional server backup).
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [ ] #1 Settings UI toggle for encrypted backup (default: off)
- [ ] #2 Encrypted blobs sync to EncryptID server when enabled
- [ ] #3 Restore flow on new device after passkey auth
- [ ] #4 Server never sees plaintext — only stores opaque ciphertext + IV
- [ ] #5 User can optionally specify a custom VPS endpoint for backup
<!-- AC:END -->