
Encryption Architecture

Technical deep-dive into how Parrot Scribe secures your data

Section: Security. Updated March 5, 2026

Encryption Architecture

Parrot Scribe is built on a local-first architecture. Session artifacts and the session metadata index are encrypted at rest in app storage, and core processing does not require sending raw session data to a server.

Root of Trust: Secure Enclave

The foundation of Parrot Scribe's security is the Apple Secure Enclave. The app uses a Secure Enclave P-256 key agreement key as the hardware root and derives working keys from it.

  • Hardware-bound root key: The private key operations stay in Secure Enclave-backed APIs.
  • Device-only persistence: Keychain entries use ThisDeviceOnly accessibility so key material does not sync through iCloud Keychain.

Key Hierarchy

Parrot Scribe uses domain-separated key derivation to isolate different storage surfaces.

[ Secure Enclave ]
       |
       v
[ Master Key (P-256) ]
       |
       v
[ ECDH + HKDF ]
       |
       +-----------------------+-----------------------+-------------------+
       |                       |                       |                   |
       v                       v                       v                   v
[ Session Artifacts ]   [ Speaker Artifacts ]   [ Comments ]       [ SQLite Index ]
 (AES-256-GCM)           (AES-256-GCM)           (AES-256-GCM)      (SQLCipher key)

  1. Master Key: The hardware-bound key in the Secure Enclave.
  2. Key Derivation: Working keys are derived from the device-bound root with a construction such as HKDF, using a distinct domain label per storage surface so the storage domains remain isolated from one another.
  3. Per-Artifact Isolation: Transcript, audio, speaker, comment, and index keys are separated so compromise in one path does not automatically expose another.
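The derivation step in the diagram, written out as an added example in Go; this is not Parrot Scribe's code. The Secure Enclave key is replaced by an ordinary in-memory P-256 key so the program runs anywhere, the ECDH peer (a stored per-installation public key whose private half is discarded), the domain label strings and the HKDF salt are all assumptions, and HKDF is spelled out over the standard library's HMAC. The same check at the end shows why artifacts copied to a machine with a different root key stay opaque, which is the cross-device behaviour described under "Device-Bound Nature" below.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StorageDomain is the domain-separation label mixed into HKDF's info
// parameter. These label strings are assumptions for this example; the page
// does not list the app's real labels.
type StorageDomain string

const (
	DomainSessionArtifacts StorageDomain = "parrot-scribe/session-artifacts/v1"
	DomainSpeakerArtifacts StorageDomain = "parrot-scribe/speaker-artifacts/v1"
	DomainComments         StorageDomain = "parrot-scribe/comments/v1"
	DomainSQLiteIndex      StorageDomain = "parrot-scribe/sqlite-index/v1"
)

// HKDFSHA256 is RFC 5869 extract-then-expand with SHA-256, written out with
// the standard library's HMAC so the example has no external dependencies.
func HKDFSHA256(ikm, salt, info []byte, outLen int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869 default: HashLen zero bytes
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var okm, prev []byte
	for counter := byte(1); len(okm) < outLen; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:outLen]
}

// NewRootKey stands in for the Secure Enclave P-256 key-agreement key. In the
// real app the private scalar never leaves the enclave; here it is an ordinary
// in-memory key so the example runs on any machine.
func NewRootKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// NewAnchor generates the ECDH peer key. This example assumes the app keeps a
// per-installation P-256 public key and discards its private half, so the
// shared secret can only be recomputed by whoever holds the root key.
func NewAnchor() (*ecdh.PublicKey, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return priv.PublicKey(), nil
}

// DeriveDomainKey computes ECDH(root, anchor) and runs the shared secret
// through HKDF with the domain label as info, yielding a 32-byte key (an
// AES-256 key, or the raw SQLCipher key) unique to this device and domain.
func DeriveDomainKey(root *ecdh.PrivateKey, anchor *ecdh.PublicKey, domain StorageDomain) ([]byte, error) {
	shared, err := root.ECDH(anchor)
	if err != nil {
		return nil, err
	}
	// The salt is a fixed public application constant here (assumed); the
	// shared secret supplies the entropy, the info label supplies separation.
	salt := []byte("parrot-scribe-hkdf-salt-v1")
	return HKDFSHA256(shared, salt, []byte(domain), 32), nil
}

func main() {
	root, _ := NewRootKey()
	anchor, _ := NewAnchor()
	for _, d := range []StorageDomain{DomainSessionArtifacts, DomainSpeakerArtifacts, DomainComments, DomainSQLiteIndex} {
		k, _ := DeriveDomainKey(root, anchor, d)
		fmt.Printf("%-38s %s\n", d, hex.EncodeToString(k))
	}
	// A second "device" with its own root key gets unrelated keys even with
	// the same anchor and labels, so copied artifacts stay unreadable there.
	otherRoot, _ := NewRootKey()
	k1, _ := DeriveDomainKey(root, anchor, DomainSessionArtifacts)
	k2, _ := DeriveDomainKey(otherRoot, anchor, DomainSessionArtifacts)
	fmt.Println("same session key on another device:", hmac.Equal(k1, k2))
}
```

Because the domain label is part of the HKDF input rather than a suffix on a shared key, a key recovered from one storage surface gives no computational shortcut to any other surface, which is the property the "Per-Artifact Isolation" item relies on.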

Data Encryption

  • Session and speaker artifacts use AES-256-GCM (GCM overview).
  • Transcript chunks include authenticated data (AAD) with session context and sequence information.
  • Session metadata index is encrypted with SQLCipher using a key derived from the same device-bound root.

This provides confidentiality plus tamper detection for artifact files, and an encrypted-at-rest index for metadata.
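What the AAD buys you, as an added example in Go that is not Parrot Scribe's code: each transcript chunk is sealed with AES-256-GCM, and the session identifier plus sequence number go into the associated data rather than the plaintext. The AAD layout, the nonce-prefixed storage format and the session identifier are assumptions; the key is a constructed 32-byte value standing in for the HKDF-derived session artifact key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChunkAAD builds the associated data for one transcript chunk: the session
// identifier and the chunk's sequence number. GCM authenticates this data
// without encrypting it, so a chunk only decrypts when both values match what
// the writer used. The exact layout is an assumption of this example.
func ChunkAAD(sessionID string, seq uint64) []byte {
	aad := append([]byte("session:"), sessionID...)
	return binary.BigEndian.AppendUint64(aad, seq)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("session artifact key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealChunk encrypts a chunk under the session-artifact key and returns
// nonce || ciphertext || tag. A fresh random 96-bit nonce is drawn per call.
func SealChunk(key []byte, sessionID string, seq uint64, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, ChunkAAD(sessionID, seq)), nil
}

// OpenChunk reverses SealChunk. Any change to the ciphertext, the tag, the
// session identifier or the sequence number makes gcm.Open fail, and no
// plaintext is released.
func OpenChunk(key []byte, sessionID string, seq uint64, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed chunk too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], ChunkAAD(sessionID, seq))
}

// OpenTranscript decrypts a stored chunk list in order, binding position i to
// sequence number i. A chunk that was dropped, duplicated or swapped on disk
// fails authentication at the position where the mismatch first appears.
func OpenTranscript(key []byte, sessionID string, sealed [][]byte) ([][]byte, error) {
	out := make([][]byte, 0, len(sealed))
	for i, s := range sealed {
		pt, err := OpenChunk(key, sessionID, uint64(i), s)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // stands in for the HKDF-derived session artifact key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	var chunks [][]byte
	for i, text := range []string{"first utterance", "second utterance", "third utterance"} {
		c, _ := SealChunk(key, "session-0001", uint64(i), []byte(text))
		chunks = append(chunks, c)
	}
	if _, err := OpenTranscript(key, "session-0001", chunks); err == nil {
		fmt.Println("intact transcript: ok")
	}
	chunks[0], chunks[1] = chunks[1], chunks[0] // simulate reordering on disk
	_, err := OpenTranscript(key, "session-0001", chunks)
	fmt.Println("reordered transcript:", err)
}
```

Binding the sequence number into the tag is what turns per-chunk authentication into transcript-level tamper detection: without it, an attacker holding only ciphertext could still reorder, drop or duplicate chunks and every one would still verify individually.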

Cryptographic Deletion

When you delete a session or forget a speaker, Parrot Scribe removes associated encrypted artifacts and metadata references from app-managed storage.

For session metadata, Parrot Scribe also performs database maintenance steps on the encrypted SQLite index to reduce residual references after deletion operations.

Device-Bound Nature

Because the Root of Trust is the Secure Enclave of your specific Mac, your Parrot Scribe data is device-bound.

  • No Cloud Sync: We do not sync your encryption keys or raw data to iCloud or any other cloud service.
  • Physical Security: Without access to your Mac account and local key material, copied encrypted artifacts are not readable.
  • Cross-device behavior: Copying encrypted session artifacts to another machine does not provide usable plaintext without matching local key material.

Further Reading