Documentation

Sync Setup

Keep your vault in sync across every device — your infrastructure, your rules.

On this page

  1. How sync works
  2. Git remote sync
  3. WebDAV sync
  4. SFTP sync
  5. Cloud storage (iCloud, Google Drive, Dropbox)
  6. Claspt relay (Pro)
  7. Conflict resolution
  8. Security considerations

Key principle: Your vault is a folder of files. Claspt does not invent a proprietary sync protocol — it works with standard file-sync tools you already trust. Secret blocks are encrypted before they hit the filesystem, so anything that can sync files can sync your vault securely.

How sync works

Claspt's vault is a folder on your filesystem containing:

  • Markdown files (.md) — Your pages, with encrypted secret blocks stored as Base64-encoded ciphertext inline.
  • vault.key — Your encrypted master key. Must be present on every device.
  • Folder structure — Standard directories matching your vault's folder hierarchy.
  • .claspt/ — Settings, preferences, and local metadata (excluded from sync by default).

Any tool that can sync files across devices can sync your Claspt vault. The secret blocks inside the markdown files are already encrypted — what travels over the network is ciphertext, not plaintext. Even if your sync provider is compromised, the attacker gets encrypted blobs they cannot read without your master password.

Git remote sync

Best for: Developers who want version history, branching, and full control over their sync infrastructure.

Claspt includes built-in Git integration. Your vault is automatically initialised as a Git repository, with local commits on every save. To sync across devices, add a remote:

Setup

1
Create a private repository on GitHub, GitLab, Bitbucket, or your own Git server. Ensure the repository is private — your page titles, folder names, and markdown content are plaintext.
2
Open Claspt Settings → Sync → Git. Enter the remote URL and select your authentication method (SSH key or personal access token).
3
Choose sync frequency. Options: manual (push/pull on demand), on save (push after every change), or interval (every 5, 15, or 30 minutes).
4
Clone on second device. On your second machine, open Claspt and choose "Open existing vault." Navigate to a folder, then go to Settings → Sync → Git and pull from the same remote. The vault.key file syncs with the vault — enter your master password to unlock.

Pro tip: Add a .gitignore in your vault to exclude .claspt/local/ (device-specific preferences). Claspt creates this automatically, but if you initialise Git manually, add it yourself.

Advantages of Git sync

  • Full version history — roll back any page to any previous state
  • Branch support — experiment with vault organisation without risk
  • Works with any Git hosting (GitHub, GitLab, Gitea, bare SSH)
  • Offline-first — changes queue locally when disconnected
  • Diff-friendly — only changed blocks update, not entire files

WebDAV sync

Best for: Users with a NAS (Synology, QNAP, TrueNAS) or a self-hosted Nextcloud / ownCloud instance.

1
Open Settings → Sync → WebDAV. Enter the WebDAV server URL (e.g., https://nas.example.com/dav/claspt/), username, and password.
2
Test connection. Claspt verifies it can read/write to the remote path and reports any permission issues.
3
Select sync direction. For the first sync on a new device, choose "Pull from remote" to download your existing vault. For a new vault, choose "Push to remote."

WebDAV sync uses file timestamps and checksums to detect changes. Claspt uploads only changed files, not the entire vault. Your WebDAV credentials are stored in the OS keychain, not in plain text.

SFTP sync

Best for: Users with a VPS or dedicated server who want direct file transfer over SSH.

1
Open Settings → Sync → SFTP. Enter the host, port (default: 22), username, and select authentication (SSH key or password).
2
Set remote path. Specify the directory on the remote server where your vault should be stored (e.g., /home/you/vault/).
3
Sync. Claspt uses rsync-style delta transfers over SFTP — only changed bytes are transferred.

Cloud storage sync

Best for: Non-technical users who already use iCloud, Google Drive, or Dropbox.

The simplest approach: place your Claspt vault folder inside a cloud-synced directory.

iCloud Drive

Create your vault in ~/Library/Mobile Documents/com~apple~CloudDocs/Claspt/ or simply inside your iCloud Drive folder. iCloud handles sync automatically across all Apple devices.

Google Drive

Create your vault inside your Google Drive folder. If using Google Drive for desktop, enable "Mirror files" (not "Stream files") so the vault is always available offline.

Dropbox

Create your vault inside your Dropbox folder. Dropbox's LAN sync feature makes multi-device sync on the same network nearly instant.

Important: Cloud storage providers can read your file names, folder names, and plaintext markdown content. They cannot read encrypted secret blocks. If you need full metadata privacy, use Git, WebDAV, or SFTP instead — or use the Claspt relay (Pro), which transmits only encrypted blobs.

Claspt relay sync Pro

The Claspt relay is an optional, zero-knowledge sync service available to Pro subscribers. It is the simplest setup — no server configuration required.

1
Subscribe to Pro and sign in to your Claspt account within the app.
2
Enable relay sync in Settings → Sync → Claspt Relay. Toggle it on.
3
Sign in on second device. Open Claspt on another device, sign in with the same account, and your vault appears. Enter your master password to unlock.

How the relay works

  • Your vault files are encrypted locally before upload. The relay receives opaque encrypted blobs.
  • The relay never receives your master password or encryption keys.
  • Encrypted blobs are stored only for the duration needed to sync between your devices, then deleted.
  • The relay does not log or inspect file contents. It cannot decrypt your vault (zero-knowledge architecture).
  • If you cancel Pro, encrypted data on the relay is deleted within 30 days. Your local vault remains intact.

Storage indicators

Settings → Sync shows two storage gauges so you always know where you stand:

  • Local Vault — total size of notes, secrets, and the search index on this device.
  • Server Sync — used / quota for your account on the relay, with a colour-coded progress bar (green → yellow → red as you approach the limit).

The default quota is 1 GB. Pro+ accounts can be lifted to 2, 5, 10, 20, or 50 GB (or a custom value) on request — admins set per-license overrides from the admin portal.

Force Push Recovery

If your sync ever ends up in an unrecoverable state — for example after a master password change, a key derivation mismatch, or corrupted blobs on the server — open Settings → Sync and click Force Push (overwrite server). Claspt resets the server-side blobs and pushes a fresh full snapshot of your current vault. This replaces the older workaround of disabling and re-enabling sync, which left old blobs behind and would fail on the next push.

Sync Revision (formerly "Version")

The Sync panel shows a Sync Revision number that increments on every successful push. It used to be labelled "Version" but that caused confusion with the app version — they are now clearly separated.

Mobile sync setup

On iOS or Android (Pro+), the relay also drives the mobile vault. The first-run flow is:

  1. Activate license on the device
  2. Verify your email via OTP
  3. Enter your master password
  4. The app fetches the manifest, derives the group key, and downloads & decrypts every bundle
  5. Mobile initializes a local git repo, applies the bundles, and unlocks the vault

The same Rust crypto and Git code (claspt-core via UniFFI) runs on every platform — there is no JavaScript crypto on mobile. On first sync the mobile vault is read-only; after your first edit on mobile, incremental pushes flow both ways.

Conflict resolution

Conflicts occur when the same page is edited on two devices before either syncs. Claspt handles this depending on your sync method:

Sync Method Conflict Handling
Git Standard Git merge. Claspt auto-merges non-overlapping changes. For conflicting edits to the same line, Claspt presents both versions side-by-side and lets you choose. Encrypted blocks are treated as atomic units — if the same block was changed on both sides, you pick one.
WebDAV / SFTP Last-write-wins by default, with an option to keep both versions. When a conflict is detected, Claspt saves the remote version as a .conflict copy alongside the local version so no data is lost.
Cloud storage Handled by the cloud provider's native conflict resolution (e.g., Dropbox creates "conflicted copy" files). Claspt detects these and prompts you to merge.
Claspt relay Operational transform-based merge. Non-overlapping changes merge automatically. Conflicting changes present a merge UI. No data is silently discarded.

Security considerations

  • What's encrypted in transit: Secret block contents are always encrypted (AES-256-GCM). Markdown content, file names, and folder structure are plaintext in the files being transferred.
  • Transport encryption: All sync methods except local cloud folders use TLS/SSH for transport encryption. This means an eavesdropper cannot see even the plaintext content during transfer. Cloud storage providers encrypt at rest on their servers.
  • vault.key must be accessible: Every device needs the vault.key file to decrypt secrets. It syncs with the vault. If you use Git, it is committed alongside your vault files.
  • Revocation: If you lose a device, change your master password on any remaining device and sync. The lost device's cached password-derived key becomes invalid. The vault.key file on the lost device contains the master key encrypted with the old password-derived key, which the attacker would need your old master password to access.

Recommendation: For maximum security, use Git over SSH or SFTP with key-based authentication. For maximum convenience, use the Claspt relay (Pro). All methods protect your encrypted secrets equally — the difference is in how much metadata the sync provider can see.