[GH-ISSUE #8047] [Feature] Bank Sync Token End-to-End encryption #117653

Closed
opened 2026-06-11 13:05:40 -05:00 by GiteaMirror · 5 comments
Owner

Originally created by @seth-hoisington on GitHub (Jun 2, 2026).
Original GitHub issue: https://github.com/actualbudget/actual/issues/8047

Verified feature request does not already exist?

  • I have searched and found no existing issue

💻

  • Would you like to implement this feature?

Pitch: what problem are you trying to solve?

My partner and I would both like to use Actual for Bank sync. However, we maintain separate finances, and she is (understandably) uncomfortable with the fact that the server administrator (me) would be able to find her bank sync tokens and be able to read her bank account info. End-to-end encryption solves this for budgets, but sync tokens are not included in E2E. Any plans or progress on including Bank sync tokens in E2E?

Originally created by @seth-hoisington on GitHub (Jun 2, 2026). Original GitHub issue: https://github.com/actualbudget/actual/issues/8047 ### Verified feature request does not already exist? - [x] I have searched and found no existing issue ### 💻 - [ ] Would you like to implement this feature? ### Pitch: what problem are you trying to solve? My partner and I would both like to use Actual for Bank sync. However, we maintain separate finances, and she is (understandably) uncomfortable with the fact that the server administrator (me) would be able to find her bank sync tokens and be able to read her bank account info. End-to-end encryption solves this for budgets, but sync tokens are not included in E2E. Any plans or progress on including Bank sync tokens in E2E?
GiteaMirror added the featureneeds votes labels 2026-06-11 13:05:40 -05:00
Author
Owner

@github-actions[bot] commented on GitHub (Jun 2, 2026):

Thanks for sharing your idea!

This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution).

The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+

Don't forget to upvote the top comment with 👍!

<!-- gh-comment-id:4606944685 --> @github-actions[bot] commented on GitHub (Jun 2, 2026): :sparkles: Thanks for sharing your idea! :sparkles: This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution). The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+ Don't forget to upvote the top comment with 👍! <!-- feature-auto-close-comment -->
Author
Owner

@MatissJanis commented on GitHub (Jun 2, 2026):

👋 I'm curious: how would e2e encryption work for tokens (secrets)?

I get how it works for transaction data where we store encrypted content on the server and decrypt it when it arrives to the users device. But the secrets are always on the server. They are never transferred back to the client. And the e2e key also shouldn't cross the network boundary.

<!-- gh-comment-id:4606969272 --> @MatissJanis commented on GitHub (Jun 2, 2026): 👋 I'm curious: how would e2e encryption work for tokens (secrets)? I get how it works for transaction data where we store encrypted content on the server and decrypt it when it arrives to the users device. But the secrets are always on the server. They are never transferred back to the client. And the e2e key also shouldn't cross the network boundary.
Author
Owner

@seth-hoisington commented on GitHub (Jun 2, 2026):

Hi MatissJanis,

Thank you for your reply and the information. I can think of two ways to implement this. I don't know too much about how bank sync works here, but the first method is relatively straightforward regardless.

  1. Derive from E2E secret a separate client-held key which can encrypt the sync tokens on the server and decrypt them at the user's sync request. This could be implemented seamlessly without user input and would not require any major changes to the bank sync infrastructure. I believe that this could be achieved with a proper derived key--where it cannot expose the E2E secret over the internet but can be recovered using the E2E key. This obviously isn't the same strength as E2E security, but I feel that it is likely good enough for my partner :)
  2. Store tokens with budget data and let the client send requests to initiate bank sync directly with the provider. I haven't fleshed this out at all because I don't know how it works, but this was more or less my original idea based on how I assumed bank sync worked.

My feeling is that any E2E user isn't willing to trust the server with their financial information, so access to bank sync tokens feels like a major security hole since you can just query the banks yourself!

<!-- gh-comment-id:4607457786 --> @seth-hoisington commented on GitHub (Jun 2, 2026): Hi MatissJanis, Thank you for your reply and the information. I can think of two ways to implement this. I don't know too much about how bank sync works here, but the first method is relatively straightforward regardless. 1. Derive from E2E secret a separate client-held key which can encrypt the sync tokens on the server and decrypt them at the user's sync request. This could be implemented seamlessly without user input and would not require any major changes to the bank sync infrastructure. I believe that this could be achieved with a proper derived key--where it cannot expose the E2E secret over the internet but can be recovered using the E2E key. This obviously isn't the same strength as E2E security, but I feel that it is likely good enough for my partner :) 2. Store tokens with budget data and let the client send requests to initiate bank sync directly with the provider. I haven't fleshed this out at all because I don't know how it works, but this was more or less my original idea based on how I assumed bank sync worked. My feeling is that any E2E user isn't willing to trust the server with their financial information, so access to bank sync tokens feels like a major security hole since you can just query the banks yourself!
Author
Owner

@MatissJanis commented on GitHub (Jun 2, 2026):

(1) - doesn't this require sending the e2e secret over the network layer in order to decrypt the sever secret? That kinda defeats the purpose of e2e encryption, no? Since then the server admin can still relatively easily intercept the secret.

(2) - I wish we could do that on all devices, but some bank sync providers (for example I'm certain about Gocardless) require usage in node environment which isn't available in browser context; plus storing secrets in local cache could be wonky from a security POV

<!-- gh-comment-id:4607484035 --> @MatissJanis commented on GitHub (Jun 2, 2026): (1) - doesn't this require sending the e2e secret over the network layer in order to decrypt the sever secret? That kinda defeats the purpose of e2e encryption, no? Since then the server admin can still relatively easily intercept the secret. (2) - I wish we could do that on all devices, but some bank sync providers (for example I'm certain about Gocardless) require usage in node environment which isn't available in browser context; plus storing secrets in local cache could be wonky from a security POV
Author
Owner

@MatissJanis commented on GitHub (Jun 2, 2026):

ps.- I'm not saying this to discourage your idea. I would love to improve the security of our secrets and I have thought about this long and hard, but have not found a viable solution. And that's not to say that there isn't one. There could be one that I have not thought of, so discussions like this are really helpful.

<!-- gh-comment-id:4607502316 --> @MatissJanis commented on GitHub (Jun 2, 2026): ps.- I'm not saying this to discourage your idea. I would love to improve the security of our secrets and I have thought about this long and hard, but have not found a viable solution. And that's not to say that there isn't one. There could be one that I have not thought of, so discussions like this are really helpful.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#117653