
id: TASK-77
title: EncryptID: Optional encrypted VPS backup for client-side data
status: To Do
assignee:
created_date: 2026-03-02 20:19
labels: encryptid, privacy, feature
dependencies:
references: src/encryptid/wallet-store.ts, src/encryptid/key-derivation.ts, src/encryptid/server.ts
priority: medium

Description

Add an EncryptID settings option that lets users back up their encrypted client-side data (wallet associations, etc.) to a VPS. The default is client-side only (maximum privacy). The optional backup enables device-loss recovery and cross-device sync.

Architecture:

  • Client-side encrypted localStorage is the default (current wallet-store.ts pattern)
  • Settings toggle: "Backup encrypted data to server"
  • When enabled, encrypted blobs (already AES-256-GCM) are synced to the EncryptID server or a user-specified VPS
  • Server stores opaque ciphertext — same zero-knowledge pattern as encrypted_addresses
  • On new device login, user can restore from backup after passkey authentication

Consider extending this to all client-side data (wallet associations, preferences) and potentially migrating encrypted_addresses to the same pattern (client-first, optional server backup).

Acceptance Criteria

  • #1 Settings UI toggle for encrypted backup (default: off)
  • #2 Encrypted blobs sync to EncryptID server when enabled
  • #3 Restore flow on new device after passkey auth
  • #4 Server never sees plaintext — only stores opaque ciphertext + IV
  • #5 User can optionally specify a custom VPS endpoint for backup
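
The backup flow from the Architecture list and criteria #3 and #4, as an added example that is not code from the rspace-online repository: the client seals data with AES-256-GCM, the server accepts only an opaque IV-plus-ciphertext envelope, and a new device restores it. The envelope shape, the function names and the use of Node's crypto module are assumptions; the key is assumed to be derived on the device (again after passkey authentication on restore) and never sent to the server.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical envelope: the only fields the backup server ever receives.
interface BackupBlob { v: 1; iv: string; ct: string } // base64; ct = ciphertext || 16-byte GCM tag

// Client side: encrypt under a 32-byte key that never leaves the device.
function sealForBackup(key: Buffer, plaintext: string): BackupBlob {
  const iv = randomBytes(12); // fresh 96-bit IV per encryption; never reuse one with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const ct = Buffer.concat([body, cipher.getAuthTag()]);
  return { v: 1, iv: iv.toString("base64"), ct: ct.toString("base64") };
}

// Server side: accept only the opaque envelope and reject any extra field,
// so a buggy client cannot leak plaintext values into server storage.
function acceptUpload(body: unknown): BackupBlob {
  if (typeof body !== "object" || body === null) throw new Error("not an object");
  const o = body as Record<string, unknown>;
  if (Object.keys(o).sort().join(",") !== "ct,iv,v") throw new Error("unexpected fields");
  if (o.v !== 1 || typeof o.iv !== "string" || typeof o.ct !== "string") throw new Error("bad types");
  if (Buffer.from(o.iv, "base64").length !== 12) throw new Error("bad IV length");
  if (Buffer.from(o.ct, "base64").length < 16) throw new Error("ciphertext shorter than tag");
  return { v: 1, iv: o.iv, ct: o.ct };
}

// New device: decrypt once the key has been re-derived locally.
// final() throws if the ciphertext, IV or tag was altered, or the key is wrong.
function openBackup(key: Buffer, blob: BackupBlob): string {
  const raw = Buffer.from(blob.ct, "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(raw.subarray(raw.length - 16));
  const body = raw.subarray(0, raw.length - 16);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}
```

The server-side check needs no key material, which is what keeps the stored blob opaque to whoever runs the EncryptID server or a custom VPS.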