End-to-end encryption in Bear (With Advanced Data Protection)

I really want to use Bear for work and encryption is a hard requirement for me. I appreciate the acknowledgement that this will be worked on, but I hope the time frame is sooner rather than later.

I also need a good way to separate work from personal items. I’m completely open to ideas on how that is handled. Family Sharing so I can use Pro on a work iCloud account, workspaces, vaults, Focus Filters, multiple databases, etc…

Bear is the best, and I can use Bear for work, but I need separation of data and encryption to make that happen.

3 Likes

I’d suggest having two separate tags for work and personal stuff, and manually backing up to iCloud Drive each tag separately so that even the backups are separate. As long as you have ADP active, your manual backups on your drive should be E2E encrypted.
I guess a cool feature would be the ability to lock or hide tags with Face ID so that if you leave your device on at work, no one can snoop around at your private notes!

Doing this sadly means no sync between devices.

Today President Trump apparently threatened Great Britain that if the GB government pushed ahead with requiring access to Apple iCloud, the US would stop intelligence sharing with Great Britain through the Five Eyes agreement. I’m betting Great Britain backs down very quickly.

2 Likes

I didn’t realize they were asking for access. That’s wild. I’m sure they back down as well but regardless this is kind of just another reason why zero knowledge E2E encryption is just a necessity. They just play around with our data. And man for a paid app in 2025, it’s kind of baffling to me that Bear doesn’t have true encryption.

I’ve personally moved back to Obsidian as my daily driver but I’d move back to Bear as soon as they adopt true E2EE.

2 Likes

Well done Mr Trump, that’ll be a wake up call to the nonsense of the British demand. Sometimes I really do wonder what is going on in the UK…

2 Likes

I’m sorry, but these days, with sensitive, private data being targeted by government actors and others, in the US and elsewhere, we need E2EE. We need it more than any other new feature for Bear. Developers should drop all other projects, and focus on this. I know I’m not the only one who’s already looking for secure alternatives, even though I would much prefer to keep using Bear.

E2EE for Bear cannot wait.

(The original version of this post was flagged, presumably for being too political. Unfortunately, even forums like these can’t always steer clear of politics. Software is used in the real world. This encryption issue is a case in point. In order to make the post visible again, I toned it down a bit, even though it was quite mild and well-mannered to begin with.)

5 Likes

Yeah, I completely agree. I absolutely love Bear and the devs really have something great on their hands but the fact that we don’t have zero knowledge e2ee is just bonkers. I understand that most of us don’t know how much work it would actually take to make this a reality — but nonetheless, this should be the devs’ number one priority and sadly it doesn’t even seem to be a priority at all. I get I’m only one person, but I’ve already cancelled my subscription and moved back over to Obsidian for most of my notes simply because you can encrypt your vault with ADP, even when using iCloud. But alas, I miss Bear.

Even if Bear was compatible with ADP, like so many apps are these days, then we’d be able to have true e2ee. But sadly, until then, I must move on. I’ve seen other users come to the same conclusion. It seems the Bear devs are prioritizing users with older devices (literally iOS 16 I think I saw?) which was EOL (end of support is what Apple calls it?) when iOS 18 came out. No offense but I think it’s wild that people who are stuck in the past using an outdated OS are getting priority over us who keep our devices updated. Make it make sense. If Bear was free, sure whatever. But it’s a paid app and it’s 2025. E2EE is a necessity.

I’ll happily return if we ever get true E2EE but sadly it seems that is far far in the future.

5 Likes

New here, love Bear and wanted to add a comment.

I think there is an angle not mentioned yet that I believe is a big threat to the average user of Bear. The folks that are non-technical and just expect that their data is safe, not fully understanding the risk of having such troves of personal data and not being fully in control of its custody.

Criminal bad actors gaining access to data and using it to facilitate their malicious intentions is a bigger day to day threat, IMO. The miscreants that may or may not be sponsored by state entities, but have incredible resources, expertise and attack at scale.

Look at the past few years, the number of our top technology firms that have been compromised. Microsoft was breached to the point that actors had access to all Outlook mail including government agencies that use their services. Six months after the breach, there was still no confirmation that MS had control of the breach or even knowing if the actors were still within their systems. Take a look at the CISA report publicly reprimanding MS in very harsh language about their lackluster attitude to security practices. The rebuke was a real eye opener.

That’s only the tip of the iceberg. Every entity is under attack, many high level successful breaches. Many of us have been victims of data breaches, from the credit bureaus to the telecoms to the data aggregation firms. Reading Security Week archives would stun the average computer user to learn just how bad our state of cyber security and data protection is.

Apple having the key to iCloud data is not protection. It is merely a set of policies, procedures, and access control to the data. Teams of well funded bad actors are working 24/7 to compromise just those types of controls. Most breaches are the result of some type of social engineering, knowledge of the target, then manipulation of the target to gain trust.

Apple is not an exception, rather it is a prime target. I personally feel that Apple has some of the best security and policies of the big tech companies, but that doesn’t fully mitigate the risk.

The only way that a business or user can mitigate risk to an acceptable level is by having control and custody of the data, and when that data is stored on a third party system, they must have the only key. ADP is a very good level of protection. Bear not taking advantage of it is a big weak spot. It’s their non-technical users at the most risk. Its implementation really should be a priority, the top priority.

7 Likes

I really don’t want to pile on here, as the developer has already stated their intention, but for a topic as important as this, I feel as though it is worth it. As many others have stated, while there are a number of great enhancements on the roadmap, privacy truly is paramount.

This isn’t a new concern, but consider just a few events from around the world over the last few months:

  • Renewed interest from governments in requesting backdoors
  • Dismantling of governmental systems that offer basic protections to their civilians
  • AI companies that are always looking for new sources of data to ingest
  • Increased scrutiny on media and policing of speech.

Or, how about Larry Ellison recently discussing how he’d like to see all data unified into a single national database, ostensibly for the purposes of ‘improving healthcare and reducing fraud’, but it’s all-too-easy to see how that goes sideways.

The point being, we are seeing a confluence of more and more groups interested in any data they can get their hands on, a reduction in government protections, and increased danger for those whose data is exposed. Now is not the time to sit back and assume that you’ll be protected by a company or system, we need basic protections built into the software, by default.

One last thing, when it comes to privacy, there is always discussion around the idea that ‘my data isn’t important to anyone’, or ‘I have nothing to hide, so go for it’. To that, I would say a couple of things, just a few years ago, no one thought that reddit posts and general internet conversations would be a goldmine for AI companies, and hence, have immense value. Likewise, we have no idea what will be valuable in five years time, nor do we know what will be acceptable to say, or to have recorded in note form.

I’m a long time Bear subscriber, and I really hope they listen to the feedback here and bump E2EE up on their roadmap.

Stay safe out there.

5 Likes

I couldn’t agree with you more.

Now from what I’ve seen (which isn’t much cause I’m pretty new here too) the main “deterrent”, if you will, for the devs is because a large number of users are still on older operating systems. It’d be cool to know which OS version people are using that is stopping them from enabling ADP. Because (and correct me if I’m wrong) isn’t ADP supported on iOS 16.2 and up? So are there users that are on an even older OS? Or can Bear only adopt ADP for a certain version of iOS? And if that’s the case, should I (and it seems many others) have to sacrifice security and privacy because there’s people out there that don’t keep their phones up to date? I know that’s selfish, but that doesn’t make it wrong. On top of this, I think a lot of Bear users are just completely misinformed. I’ve seen multiple posts over on Reddit with people claiming that Bear is E2EE with ADP turned on and we all know that’s not true. I think if more people actually knew the truth, there would be even more unhappy customers.

3 Likes

Shiny Frog is in a difficult spot with this. So, for now, I understand that I need to choose to secure individual notes when important to do so.
With that said, I believe our individual privacy is the last battle ground between individual autonomy, and complete control by governments around the world. We must hold the line on this.

1 Like

Could you please share the news with us? Like, where can I read about it? I’m curious. Thanks.

Unfortunately the UK has chosen to go ahead. Apple has pulled ADP.

1 Like

In the UK at least, that kind of makes the ADP question pointless for everyone in the UK. It’s no longer an option. Which makes app-implemented e2e encryption all the more important, I guess.

2 Likes

If Bear were to implement e2e would that work the same way as Obsidian encrypts notes via sync?

This is from today’s Economist. Developers, please take note!

1 Like

I do not understand the discussion at all and why people want ADP. If ADP doesn’t protect the notes 100%, as you can see in the UK act, then why do you want it while at the same time you have a stronger protection with the feature to lock notes inside Bear? Am I missing something?

I think there has been a degree of confusion around encryption and ADP. But you’re right, if ADP is removed by Apple, first in the UK, but then other countries after that, ADP is pretty worthless.

Which is where e2e encryption & syncing comes into play as they do it in Obsidian. Even if government demands the encryption key from Obsidian, they never have it, they only hold the encrypted data.

This is my understanding anyway :grin:

1 Like

When the government demands that Apple remove ADP, Apple can only prevent new users from turning it on, but it can’t turn it off for current users who have turned it on. They may be able to make users do so by other means, like not allowing them to access data until they turn off ADP.

Will customers sue Apple in this case? Someone said Apple changed the terms a few months ago. Let’s see.

Obsidian is no different from Apple, but as the e2e encryption is by default, they will have to make customers remove the function, or close their company (and make it open source so in the short run users are still able to use it and in the long run some people may create a similar non-profit app to allow transfer of data).

It depends how the technology goes and how people and organizations deal with it. At least I see ADP is better than nothing.

ADP would protect your notes. The UK government is demanding that Apple CHANGE ADP so that they can have access to people’s data. Apple chose to disable the service in the UK instead.