End-to-End Encryption (E2EE) in The WebCull Bookmark Manager

Our new end-to-end encryption system was recently released on our new WebCull Pro Plan found here. It is not available on our Advanced or Free plans.

WebCull, the most private cloud to sync your bookmarks

End-to-end encryption (E2EE) is a system for data protection where data remains encrypted and inaccessible to anyone except the originating device and the device(s) intended for final decryption. In our bookmark manager, this means that bookmarks (including bookmark icons) are encrypted on your device before being sent to our servers, and the servers are never sent the passphrase or derived cryptographic key used for decryption. Only your own devices, where your bookmarks are intended to be accessed, have the capability to decrypt the data. This ensures that data transmitted between your devices and our servers remains secure, and not accessible to us or anyone except you because you are the only one who can generate or has access to the cryptographic key generated when logging in with the correct passphrase.

Introducing your E2EE passphrase

After enabling E2EE in the WebCull bookmark manager, you will be asked to set a strong passphrase (which is password for E2EE). This passphrase is vital as it encrypts your bookmarks before they leave your device. It's crucial that you choose a robust, complex passphrase, as it forms the backbone of the encryption process. Your passphrase and the cryptographic key it generates never leave your device. That ensures your data sits behind one of the strongest encryptions in the world that no one can decrypt except you. When you access your bookmarks from any of your devices, the encrypted data is transmitted securely from our servers to your device still in an encrypted format, once you provide your passphrase the data can then be decrypted using the cryptographic key stored in the Web Cryptography API. This system ensures that your data remains confidential and secure across all points of transmission and storage, safeguarding against unauthorized access and data breaches.

Managing Your Passphrase

It's essential to manage your password carefully. Should you lose this key, recovering your encrypted bookmarks becomes impossible, as they cannot be decrypted without it. Unlike your account password which can be changed using our Forgot Password feature, E2EE passphrases cannot be changed without the passphrase that was used to encrypt them. Therefore, we recommend storing a backup of your passphrase in a secure location separate from your primary devices. This preventive measure ensures that you can regain access to your bookmarks in case of device failure, loss, or theft.

We Ensure Maximum Security with AES-256-GCM Encryption

Our bookmark manager uses the Advanced Encryption Standard (AES) with a 256-bit key length in Galois/Counter Mode (GCM) for end-to-end encryption. AES-256-GCM, considered the pinnacle of security technology, is a robust encryption algorithm that provides maximum security and confidentiality for your data. This encryption standard is not only used to secure top-level government information but also in various industries where data security is critical. It is widely recognized as one of the most secure encryption standards available, offering protection against hash-table attacks and other cryptographic vulnerabilities. By using AES-256-GCM encryption, we ensure that your bookmarks are safeguarded against unauthorized access and data breaches, providing you with peace of mind and confidence in the security of your data.

Remember: Encryption Strength is Dependent on a Good Passphrase

While AES-256-GCM encryption is highly secure, the strength of your passphrase is equally important. A strong, complex passphrase is essential for ensuring the security of your encrypted bookmarks. Unlike server-side password attempts that can be throttled and blocked to prevent brute-force attacks, encrypted data presents a unique challenge. Attackers with direct access to encrypted data can attempt to decrypt it offline at their leisure using automated password-guessing software, which is why the complexity of your passphrase is paramount. Your passphrase should be kept confidential and not shared with anyone, even us, as it is the key to decrypting your data. By choosing a strong passphrase, your data could be secure for generations, even against the most determined attackers.

Why we are using AES-256-GCM encryption

  • Robustness: 256-bit encryption, which means it provides a significantly high level of security. It would take billions of years to crack using current computing power, making it virtually impregnable.
  • Speed and Efficiency: Despite its robust security, AES-256-GCM is designed for high performance and efficiency, ensuring that your bookmark management experience is smooth and fast.
  • Authentication: Besides encryption, AES-256-GCM also provides built-in authentication, which checks the integrity and authenticity of your data, ensuring that it has not been tampered with during transmission.

We will regularly update our encryption protocols to adapt to the latest security threats and maintain the highest standards of data protection. By using E2EE in the WebCull bookmark manager, you ensure that you benefit from these enhancements, further securing your data against emerging vulnerabilities.

Security Measures for Passphrase Management in WebCull

In the WebCull bookmark manager, the security of your passphrase is paramount. Your passphrase plays a critical role in the encryption and decryption of your data. Therefore, we have implemented stringent measures to ensure that your passphrase is handled with the utmost care and security within our application.

Secure Handling of Passphrases

  • Passwords are never stored: When you log in, your E2EE passphrase is used to generate a one-way cryptographic key. This key is generated and at-rest within the browser's built-in Web Cryptography API. This method ensures that your passphrase, used for encrypting and decrypting bookmarks, is never stored in our application.
  • We avoid storing cryptographic keys directly in memory: When possible, we keep your key in a non-extractable format within the browser's built-in cryptography API, and not within the memory of the application.
  • Encapsulation & layering: We employ advanced programming techniques such as encapsulation and extensive layering to guard against common vulnerabilities. These practices ensure that the cryptographic key is only available in the areas of the application that are absolutely needed and locked behind as much built-in security as possible.
  • Memory safety: We use memory safety techniques to ensure that the E2EE passphrase is only momentarily available in the application's memory during login and immediately discarded from memory after being turned into a cryptographic key for encrypting and decrypting bookmarks.
  • We encrypt everything: We do not store sensitive data like generated cryptographic keys in memory unencrypted, instead, we have a sophisticated security layer that manages sensitive keys and keeps them encrypted in memory until the moment before they are needed.

It's important to emphasize; that cryptographic keys are one-way, and can not be reversed back into the original passphrase. This means that even if an attacker were to gain access to the cryptographic key, they would not be able to reverse it back into the original passphrase. This is very useful for keeping your E2EE passphrase completely inaccessible even after it was entered into our application during the login process.

Optional Passphrase Remember Feature

For added convenience, we offer an optional "Remember Passphrase" feature that allows you to store your private key locally on your device. This feature is designed to simplify the login process by automatically decrypting your bookmarks when you access the app. It should only ever be used on devices that are considered highly trusted.

Even when your passphrase is considered "remembered" we never store your passphrase on your device or transmit your passphrase or cryptographic keys to our servers. We always only store the one-way cryptographic key that is generated from your passphrase in the browser's local storage using multiple layers of encryption. We always discard your passphrase from memory as soon as the key has been generated during the login process.


End-to-end encryption is a cornerstone of data security in the WebCull bookmark manager, ensuring that your bookmarks remain confidential and secure at all times. By using AES-256-GCM encryption and implementing robust security measures for private key management, we provide you with the highest level of data protection and privacy in the bookmark manager industry. With our commitment to security and privacy, you can trust WebCull as a secure and reliable platform for managing your bookmarks.

WebCull Features An alternate WebCull logo Our mission to create a better bookmark manager.

A PC, tablet and mobile device

Web App.

A bookmark manager that you can access with any browser, any device, any where, any time.
A list of folders that are side-by-side


Organize your bookmarks into stacks just like you would in your browser bookmark manager folders.
A box with an arrow pointing into it representing things being imported into WebCull


Import your bookmarks from your current manager with all folders, titles and tags preserved.
A finger pressing a button


Access your bookmarks using keyboard shortcuts in a multitude of ways for increased productivity.
A magnifying glass that is also a loading icon


A powerful search tool that searches all information including keywords sourced from the actual websites.
A computer monitor with a plus icon in it


Create an aesthetically pleasing bookmark page with beautiful backgrounds provided by Unsplash.
Two arrows, one pointing up and one pointing down


All instances of WebCull automatically update live as they're changed from other devices or browsers.
A puzzle piece


To increase productivity easily save links that you want to hang on to without leaving the website.
An antenna that is broadcasting something


Easily convert a folder of your choise into a Collection with bookmarks you want your friends and colleagues to see.
Data encoded with a password


Keep your data private, even from us, with our end-to-end encryption data security feature.