Client-side encryption

Your workspace is stored on our servers using AES encryption with a 128-bit key, a random salt and a server-side passphrase. For additional peace of mind, you can choose to encrypt your workspace with your own passphrase on the client before uploading it to Structurizr.

Cloud service paid feature

In order to view a client-side encrypted workspace, you will be asked to enter your passphrase when you open the workspace in your web browser. The passphrase is then used to decrypt the workspace in your web browser. At no point does the passphrase leave your computer, and your data will be irretrievable if you forget your passphrase.

For increased usability, and to prevent you from needing to enter the passphrase every time the workspace is opened, you can opt to save the passphrase in your web browser's local storage. This is stored as plaintext, so should only be used if you don't share your browser profile.

Please note that some features will become unavailable when you enable client-side encryption; including the full-text search, automatic layout with Graphviz, and automatic PNG image generation used for the image embed feature.


Here is an example of a client-side encrypted workspace (the passphrase is password).

Passphrase prompt

Creating client-side encrypted workspaces

See Client-side encryption in Java or Client-side encryption in .NET for details of how to create client-side encrypted workspaces.

Adding/removing client-side encryption to/from an existing workspace

The workspace settings page will allow you to add or remove client-side encryption from an existing workspace. Please note that you can only modify client-side encryption when the workspace is unlocked.