diff --git a/apps/mana/apps/web/src/lib/data/cross-app-queries.ts b/apps/mana/apps/web/src/lib/data/cross-app-queries.ts
index 4a686eaaf..30310cc25 100644
--- a/apps/mana/apps/web/src/lib/data/cross-app-queries.ts
+++ b/apps/mana/apps/web/src/lib/data/cross-app-queries.ts
@@ -272,13 +272,17 @@ export function useRecentDecks(limit = 5) {
 /** Recent documents + spaces. */
 export function useRecentDocuments(limit = 5) {
 	return useLiveQueryWithDefault(async () => {
-		return db
+		// title + content are encrypted on disk; the dashboard surfaces the
+		// title so we have to decrypt before returning. limit is applied
+		// pre-decrypt to keep the batch small.
+		const visible = await db
 			.table<LocalDocument>('documents')
 			.orderBy('updatedAt')
 			.reverse()
 			.filter((d) => !d.deletedAt)
 			.limit(limit)
 			.toArray();
+		return decryptRecords('documents', visible);
 	}, [] as LocalDocument[]);
 }
 
diff --git a/apps/mana/apps/web/src/lib/data/crypto/registry.ts b/apps/mana/apps/web/src/lib/data/crypto/registry.ts
index 349a62801..277a5e093 100644
--- a/apps/mana/apps/web/src/lib/data/crypto/registry.ts
+++ b/apps/mana/apps/web/src/lib/data/crypto/registry.ts
@@ -117,7 +117,12 @@ export const ENCRYPTION_REGISTRY: Record<string, EncryptionConfig> = {
 	cycleDayLogs: { enabled: true, fields: ['notes', 'mood'] },
 
 	// ─── NutriPhi ────────────────────────────────────────────
-	meals: { enabled: false, fields: ['description', 'notes', 'aiAnalysis'] },
+	// LocalMeal only has `description` as user-typed text (mealType /
+	// inputType / nutrition numbers stay plaintext for the daily-summary
+	// aggregations and the calorie-progress widget). portionSize is a
+	// short label like "1 Tasse" — same sensitivity as description, so
+	// we encrypt it too.
+	meals: { enabled: true, fields: ['description', 'portionSize'] },
 
 	// ─── Planta ──────────────────────────────────────────────
 	// `name` is NOT in the schema index for plants (only isActive +
@@ -140,7 +145,11 @@ export const ENCRYPTION_REGISTRY: Record<string, EncryptionConfig> = {
 	slides: { enabled: true, fields: ['content'] },
 
 	// ─── Context ─────────────────────────────────────────────
-	documents: { enabled: false, fields: ['title', 'content', 'body'] },
+	// LocalDocument has `title` + `content` (no `body` column on the
+	// schema). DocumentType (text/context/prompt) and the spaceId
+	// foreign key stay plaintext so the workspace tree still groups
+	// documents per space without a key.
+	documents: { enabled: true, fields: ['title', 'content'] },
 
 	// ─── Storage ─────────────────────────────────────────────
 	files: { enabled: false, fields: ['name', 'originalName', 'notes'] },
@@ -153,12 +162,12 @@ export const ENCRYPTION_REGISTRY: Record<string, EncryptionConfig> = {
 	mukkePlaylists: { enabled: false, fields: ['name', 'description'] },
 
 	// ─── Questions ───────────────────────────────────────────
-	// Writes from views are not yet routed through a store — registry
-	// is set so future store creation gets encryption automatically;
-	// existing direct db.table().update() call sites in the views need
-	// to migrate to a store before they actually flow through encryptRecord.
-	questions: { enabled: false, fields: ['title', 'body', 'notes'] },
-	answers: { enabled: false, fields: ['body'] },
+	// LocalQuestion uses `title` + `description`; LocalAnswer uses
+	// `content` (not `body`). The view-driven write sites are wrapped
+	// directly via encryptRecord at each call site since this module
+	// has no central store yet.
+	questions: { enabled: true, fields: ['title', 'description'] },
+	answers: { enabled: true, fields: ['content'] },
 
 	// ─── Events (social gatherings) ──────────────────────────
 	socialEvents: { enabled: false, fields: ['title', 'description', 'notes'] },
@@ -172,7 +181,13 @@ export const ENCRYPTION_REGISTRY: Record<string, EncryptionConfig> = {
 	transactions: { enabled: true, fields: ['description', 'note'] },
 
 	// ─── uLoad ───────────────────────────────────────────────
-	links: { enabled: false, fields: ['title', 'description', 'targetUrl'] },
+	// `originalUrl` STAYS PLAINTEXT — the redirect handler resolves
+	// shortCode → originalUrl on every click, encrypting it would force
+	// the public redirect path to do an async decrypt before the 302.
+	// shortCode is a public lookup key. We encrypt the user-typed
+	// metadata (title + description) which is the part the user actually
+	// expects to be private, and leave the routing primitives alone.
+	links: { enabled: true, fields: ['title', 'description'] },
 	manaLinks: { enabled: false, fields: ['label', 'url', 'notes'] },
 
 	// ─── Inventar ────────────────────────────────────────────
diff --git a/apps/mana/apps/web/src/lib/modules/context/ListView.svelte b/apps/mana/apps/web/src/lib/modules/context/ListView.svelte
index 1b36c551d..a9ba4ab25 100644
--- a/apps/mana/apps/web/src/lib/modules/context/ListView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/context/ListView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { decryptRecords } from '$lib/data/crypto';
 	import type { LocalContextSpace, LocalDocument } from './types';
 
 	let spaces = $state<LocalContextSpace[]>([]);
@@ -24,10 +25,9 @@
 
 	$effect(() => {
 		const sub = liveQuery(async () => {
-			return db
-				.table<LocalDocument>('documents')
-				.toArray()
-				.then((all) => all.filter((d) => !d.deletedAt));
+			const all = await db.table<LocalDocument>('documents').toArray();
+			const visible = all.filter((d) => !d.deletedAt);
+			return decryptRecords('documents', visible);
 		}).subscribe((val) => {
 			documents = val ?? [];
 		});
diff --git a/apps/mana/apps/web/src/lib/modules/context/queries.ts b/apps/mana/apps/web/src/lib/modules/context/queries.ts
index a9bff5480..5eb26ac44 100644
--- a/apps/mana/apps/web/src/lib/modules/context/queries.ts
+++ b/apps/mana/apps/web/src/lib/modules/context/queries.ts
@@ -8,6 +8,7 @@
 
 import { useLiveQueryWithDefault } from '@mana/local-store/svelte';
 import { db } from '$lib/data/database';
+import { decryptRecords } from '$lib/data/crypto';
 import type { LocalContextSpace, LocalDocument, Space, Document, DocumentType } from './types';
 
 // ─── Type Converters ──────────────────────────────────────
@@ -60,8 +61,9 @@ export function useAllSpaces() {
 export function useAllDocuments() {
 	return useLiveQueryWithDefault(async () => {
 		const locals = await db.table<LocalDocument>('documents').toArray();
-		return locals
-			.filter((d) => !d.deletedAt)
+		const visible = locals.filter((d) => !d.deletedAt);
+		const decrypted = await decryptRecords('documents', visible);
+		return decrypted
 			.map(toDocument)
 			.sort((a, b) => new Date(b.updated_at).getTime() - new Date(a.updated_at).getTime());
 	}, [] as Document[]);
@@ -75,8 +77,9 @@ export function useSpaceDocuments(spaceId: string) {
 			.where('spaceId')
 			.equals(spaceId)
 			.toArray();
-		return locals
-			.filter((d) => !d.deletedAt)
+		const visible = locals.filter((d) => !d.deletedAt);
+		const decrypted = await decryptRecords('documents', visible);
+		return decrypted
 			.map(toDocument)
 			.sort((a, b) => new Date(b.updated_at).getTime() - new Date(a.updated_at).getTime());
 	}, [] as Document[]);
diff --git a/apps/mana/apps/web/src/lib/modules/nutriphi/ListView.svelte b/apps/mana/apps/web/src/lib/modules/nutriphi/ListView.svelte
index 9d764e481..93f863c7e 100644
--- a/apps/mana/apps/web/src/lib/modules/nutriphi/ListView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/nutriphi/ListView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { decryptRecords } from '$lib/data/crypto';
 	import type { LocalMeal, LocalGoal } from './types';
 
 	let meals = $state<LocalMeal[]>([]);
@@ -14,10 +15,9 @@
 
 	$effect(() => {
 		const sub = liveQuery(async () => {
-			return db
-				.table<LocalMeal>('meals')
-				.toArray()
-				.then((all) => all.filter((m) => !m.deletedAt));
+			const all = await db.table<LocalMeal>('meals').toArray();
+			const visible = all.filter((m) => !m.deletedAt);
+			return decryptRecords('meals', visible);
 		}).subscribe((val) => {
 			meals = val ?? [];
 		});
diff --git a/apps/mana/apps/web/src/lib/modules/nutriphi/queries.ts b/apps/mana/apps/web/src/lib/modules/nutriphi/queries.ts
index 1c89ad1e1..907a62777 100644
--- a/apps/mana/apps/web/src/lib/modules/nutriphi/queries.ts
+++ b/apps/mana/apps/web/src/lib/modules/nutriphi/queries.ts
@@ -6,6 +6,7 @@
 
 import { liveQuery } from 'dexie';
 import { db } from '$lib/data/database';
+import { decryptRecords } from '$lib/data/crypto';
 import type {
 	LocalMeal,
 	LocalGoal,
@@ -39,7 +40,9 @@ export function toMealWithNutrition(local: LocalMeal): MealWithNutrition {
 export function useAllMeals() {
 	return liveQuery(async () => {
 		const locals = await db.table<LocalMeal>('meals').toArray();
-		return locals.filter((m) => !m.deletedAt).map(toMealWithNutrition);
+		const visible = locals.filter((m) => !m.deletedAt);
+		const decrypted = await decryptRecords('meals', visible);
+		return decrypted.map(toMealWithNutrition);
 	});
 }
 
diff --git a/apps/mana/apps/web/src/lib/modules/questions/ListView.svelte b/apps/mana/apps/web/src/lib/modules/questions/ListView.svelte
index 6d760b593..8a77c5cb2 100644
--- a/apps/mana/apps/web/src/lib/modules/questions/ListView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/questions/ListView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { decryptRecords } from '$lib/data/crypto';
 	import type { LocalQuestion, LocalCollection } from './types';
 	import type { ViewProps } from '$lib/app-registry';
 
@@ -15,10 +16,9 @@
 
 	$effect(() => {
 		const sub = liveQuery(async () => {
-			return db
-				.table<LocalQuestion>('questions')
-				.toArray()
-				.then((all) => all.filter((q) => !q.deletedAt));
+			const all = await db.table<LocalQuestion>('questions').toArray();
+			const visible = all.filter((q) => !q.deletedAt);
+			return decryptRecords('questions', visible);
 		}).subscribe((val) => {
 			questions = val ?? [];
 		});
diff --git a/apps/mana/apps/web/src/lib/modules/questions/queries.ts b/apps/mana/apps/web/src/lib/modules/questions/queries.ts
index 685219bea..92a520a6c 100644
--- a/apps/mana/apps/web/src/lib/modules/questions/queries.ts
+++ b/apps/mana/apps/web/src/lib/modules/questions/queries.ts
@@ -6,6 +6,7 @@
 
 import { liveQuery } from 'dexie';
 import { db } from '$lib/data/database';
+import { decryptRecords } from '$lib/data/crypto';
 import type { LocalCollection, LocalQuestion, LocalAnswer } from './types';
 
 // ─── Shared Types (inline to avoid cross-app dependency) ───
@@ -114,7 +115,9 @@ export function useAllCollections() {
 export function useAllQuestions() {
 	return liveQuery(async () => {
 		const locals = await db.table<LocalQuestion>('questions').toArray();
-		return locals.filter((q) => !q.deletedAt).map(toQuestion);
+		const visible = locals.filter((q) => !q.deletedAt);
+		const decrypted = await decryptRecords('questions', visible);
+		return decrypted.map(toQuestion);
 	});
 }
 
@@ -122,7 +125,9 @@ export function useAllQuestions() {
 export function useAnswersByQuestion(questionId: string) {
 	return liveQuery(async () => {
 		const locals = await db.table<LocalAnswer>('answers').toArray();
-		return locals.filter((a) => !a.deletedAt && a.questionId === questionId).map(toAnswer);
+		const visible = locals.filter((a) => !a.deletedAt && a.questionId === questionId);
+		const decrypted = await decryptRecords('answers', visible);
+		return decrypted.map(toAnswer);
 	});
 }
 
diff --git a/apps/mana/apps/web/src/lib/modules/questions/views/DetailView.svelte b/apps/mana/apps/web/src/lib/modules/questions/views/DetailView.svelte
index e05b28149..1ac1e8006 100644
--- a/apps/mana/apps/web/src/lib/modules/questions/views/DetailView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/questions/views/DetailView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { encryptRecord, decryptRecord } from '$lib/data/crypto';
 	import { toastStore } from '@mana/shared-ui/toast';
 	import { Trash } from '@mana/shared-icons';
 	import type { ViewProps } from '$lib/app-registry';
@@ -32,31 +33,36 @@
 	});
 
 	$effect(() => {
-		const sub = liveQuery(() => db.table<LocalQuestion>('questions').get(questionId)).subscribe(
-			(val) => {
-				question = val ?? null;
-				if (val && !focused) {
-					editTitle = val.title;
-					editDescription = val.description ?? '';
-					editStatus = val.status;
-					editPriority = val.priority;
-					editResearchDepth = val.researchDepth;
-				}
+		const sub = liveQuery(async () => {
+			const raw = await db.table<LocalQuestion>('questions').get(questionId);
+			// title + description are encrypted on disk; decrypt a clone so
+			// the inline editor binds to plaintext.
+			return raw ? await decryptRecord('questions', { ...raw }) : null;
+		}).subscribe((val) => {
+			question = val ?? null;
+			if (val && !focused) {
+				editTitle = val.title;
+				editDescription = val.description ?? '';
+				editStatus = val.status;
+				editPriority = val.priority;
+				editResearchDepth = val.researchDepth;
 			}
-		);
+		});
 		return () => sub.unsubscribe();
 	});
 
 	async function saveField() {
 		focused = false;
-		await db.table('questions').update(questionId, {
+		const diff: Record<string, unknown> = {
 			title: editTitle.trim() || question?.title || 'Ohne Titel',
 			description: editDescription.trim() || undefined,
 			status: editStatus,
 			priority: editPriority,
 			researchDepth: editResearchDepth,
 			updatedAt: new Date().toISOString(),
-		});
+		};
+		await encryptRecord('questions', diff);
+		await db.table('questions').update(questionId, diff);
 	}
 
 	async function handleSelectChange() {
diff --git a/apps/mana/apps/web/src/lib/modules/uload/ListView.svelte b/apps/mana/apps/web/src/lib/modules/uload/ListView.svelte
index 69e51aff7..3aacdcf34 100644
--- a/apps/mana/apps/web/src/lib/modules/uload/ListView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/uload/ListView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { decryptRecords } from '$lib/data/crypto';
 	import type { LocalLink, LocalFolder } from './types';
 	import type { ViewProps } from '$lib/app-registry';
 
@@ -15,10 +16,9 @@
 
 	$effect(() => {
 		const sub = liveQuery(async () => {
-			return db
-				.table<LocalLink>('links')
-				.toArray()
-				.then((all) => all.filter((l) => !l.deletedAt && l.isActive));
+			const all = await db.table<LocalLink>('links').toArray();
+			const visible = all.filter((l) => !l.deletedAt && l.isActive);
+			return decryptRecords('links', visible);
 		}).subscribe((val) => {
 			links = val ?? [];
 		});
diff --git a/apps/mana/apps/web/src/lib/modules/uload/queries.ts b/apps/mana/apps/web/src/lib/modules/uload/queries.ts
index 5e8122d83..67507e098 100644
--- a/apps/mana/apps/web/src/lib/modules/uload/queries.ts
+++ b/apps/mana/apps/web/src/lib/modules/uload/queries.ts
@@ -8,6 +8,7 @@
 import { liveQuery } from 'dexie';
 import { useLiveQueryWithDefault } from '@mana/local-store/svelte';
 import { db } from '$lib/data/database';
+import { decryptRecord, decryptRecords } from '$lib/data/crypto';
 import type { LocalLink, LocalTag, LocalFolder, LocalLinkTag } from './types';
 
 // ─── Shared View Types ────────────────────────────────────
@@ -133,7 +134,9 @@ export function toLinkTag(local: LocalLinkTag): LinkTag {
 export function allLinks$() {
 	return liveQuery(async () => {
 		const locals = await db.table<LocalLink>('links').toArray();
-		return locals.filter((l) => !l.deletedAt).map(toLink);
+		const visible = locals.filter((l) => !l.deletedAt);
+		const decrypted = await decryptRecords('links', visible);
+		return decrypted.map(toLink);
 	});
 }
 
@@ -163,7 +166,9 @@ export function allLinkTags$() {
 export function useAllLinks() {
 	return useLiveQueryWithDefault(async () => {
 		const locals = await db.table<LocalLink>('links').toArray();
-		return locals.filter((l) => !l.deletedAt).map(toLink);
+		const visible = locals.filter((l) => !l.deletedAt);
+		const decrypted = await decryptRecords('links', visible);
+		return decrypted.map(toLink);
 	}, [] as Link[]);
 }
 
@@ -194,7 +199,8 @@ export function useLinkById(id: string) {
 			if (!id) return null;
 			const local = await db.table<LocalLink>('links').get(id);
 			if (!local || local.deletedAt) return null;
-			return toLink(local);
+			const decrypted = await decryptRecord('links', { ...local });
+			return toLink(decrypted);
 		},
 		null as Link | null
 	);
diff --git a/apps/mana/apps/web/src/lib/modules/uload/views/DetailView.svelte b/apps/mana/apps/web/src/lib/modules/uload/views/DetailView.svelte
index d3f4196db..7a1e186e2 100644
--- a/apps/mana/apps/web/src/lib/modules/uload/views/DetailView.svelte
+++ b/apps/mana/apps/web/src/lib/modules/uload/views/DetailView.svelte
@@ -5,6 +5,7 @@
 <script lang="ts">
 	import { liveQuery } from 'dexie';
 	import { db } from '$lib/data/database';
+	import { encryptRecord, decryptRecord } from '$lib/data/crypto';
 	import { toastStore } from '@mana/shared-ui/toast';
 	import { Trash } from '@mana/shared-icons';
 	import type { ViewProps } from '$lib/app-registry';
@@ -33,7 +34,12 @@
 	});
 
 	$effect(() => {
-		const sub = liveQuery(() => db.table<LocalLink>('links').get(linkId)).subscribe((val) => {
+		const sub = liveQuery(async () => {
+			const raw = await db.table<LocalLink>('links').get(linkId);
+			// title + description are encrypted on disk; decrypt a clone so
+			// the inline editor binds to plaintext.
+			return raw ? await decryptRecord('links', { ...raw }) : null;
+		}).subscribe((val) => {
 			link = val ?? null;
 			if (val && !focused) {
 				editTitle = val.title ?? '';
@@ -49,7 +55,7 @@
 
 	async function saveField() {
 		focused = false;
-		await db.table('links').update(linkId, {
+		const diff: Record<string, unknown> = {
 			title: editTitle.trim() || undefined,
 			originalUrl: editOriginalUrl.trim() || link?.originalUrl || '',
 			customCode: editCustomCode.trim() || undefined,
@@ -57,7 +63,9 @@
 			isActive: editIsActive,
 			expiresAt: editExpiresAt ? new Date(editExpiresAt).toISOString() : null,
 			updatedAt: new Date().toISOString(),
-		});
+		};
+		await encryptRecord('links', diff);
+		await db.table('links').update(linkId, diff);
 	}
 
 	async function handleActiveToggle() {
diff --git a/apps/mana/apps/web/src/routes/(app)/context/documents/+page.svelte b/apps/mana/apps/web/src/routes/(app)/context/documents/+page.svelte
index 633b70974..b96b037ed 100644
--- a/apps/mana/apps/web/src/routes/(app)/context/documents/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/context/documents/+page.svelte
@@ -8,7 +8,8 @@
 		getAllDocumentTags,
 	} from '$lib/modules/context/queries';
 	import { documentTable } from '$lib/modules/context/collections';
-	import type { DocumentType } from '$lib/modules/context/types';
+	import { encryptRecord } from '$lib/data/crypto';
+	import type { DocumentType, LocalDocument } from '$lib/modules/context/types';
 
 	let searchQuery = $state('');
 	let typeFilter = $state<DocumentType | 'all'>('all');
@@ -32,7 +33,7 @@
 
 	async function handleCreateDocument() {
 		const id = crypto.randomUUID();
-		await documentTable.add({
+		const row: LocalDocument = {
 			id,
 			spaceId: null,
 			title: 'Neues Dokument',
@@ -41,7 +42,9 @@
 			shortId: null,
 			pinned: false,
 			metadata: null,
-		});
+		};
+		await encryptRecord('documents', row);
+		await documentTable.add(row);
 		goto(`/context/documents/${id}`);
 	}
 
diff --git a/apps/mana/apps/web/src/routes/(app)/context/documents/[id]/+page.svelte b/apps/mana/apps/web/src/routes/(app)/context/documents/[id]/+page.svelte
index 51aba0e23..7e97f91d1 100644
--- a/apps/mana/apps/web/src/routes/(app)/context/documents/[id]/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/context/documents/[id]/+page.svelte
@@ -4,6 +4,7 @@
 	import { ArrowLeft, Trash } from '@mana/shared-icons';
 	import { useAllDocuments, findDocumentById } from '$lib/modules/context/queries';
 	import { documentTable } from '$lib/modules/context/collections';
+	import { encryptRecord } from '$lib/data/crypto';
 	import type { DocumentType } from '$lib/modules/context/types';
 
 	let showDeleteConfirm = $state(false);
@@ -47,7 +48,7 @@
 			.map((t) => t.trim())
 			.filter(Boolean);
 		const wordCount = editContent.split(/\s+/).filter(Boolean).length;
-		await documentTable.update(docId, {
+		const diff: Record<string, unknown> = {
 			title: editTitle,
 			content: editContent,
 			type: editType,
@@ -56,7 +57,9 @@
 				tags,
 				word_count: wordCount,
 			},
-		});
+		};
+		await encryptRecord('documents', diff);
+		await documentTable.update(docId, diff);
 		saving = false;
 	}
 
diff --git a/apps/mana/apps/web/src/routes/(app)/context/spaces/[id]/+page.svelte b/apps/mana/apps/web/src/routes/(app)/context/spaces/[id]/+page.svelte
index b2ee449d3..04118c0d3 100644
--- a/apps/mana/apps/web/src/routes/(app)/context/spaces/[id]/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/context/spaces/[id]/+page.svelte
@@ -11,7 +11,8 @@
 		findSpaceById,
 	} from '$lib/modules/context/queries';
 	import { contextSpaceTable, documentTable } from '$lib/modules/context/collections';
-	import type { DocumentType } from '$lib/modules/context/types';
+	import { encryptRecord } from '$lib/data/crypto';
+	import type { DocumentType, LocalDocument } from '$lib/modules/context/types';
 
 	let editingName = $state(false);
 	let editName = $state('');
@@ -39,7 +40,7 @@
 
 	async function handleCreateDocument() {
 		const id = crypto.randomUUID();
-		await documentTable.add({
+		const row: LocalDocument = {
 			id,
 			spaceId,
 			title: 'Neues Dokument',
@@ -48,7 +49,9 @@
 			shortId: null,
 			pinned: false,
 			metadata: null,
-		});
+		};
+		await encryptRecord('documents', row);
+		await documentTable.add(row);
 		goto(`/context/documents/${id}`);
 	}
 
diff --git a/apps/mana/apps/web/src/routes/(app)/nutriphi/add/+page.svelte b/apps/mana/apps/web/src/routes/(app)/nutriphi/add/+page.svelte
index c55294314..892d56379 100644
--- a/apps/mana/apps/web/src/routes/(app)/nutriphi/add/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/nutriphi/add/+page.svelte
@@ -2,6 +2,7 @@
 	import { _ } from 'svelte-i18n';
 	import { goto } from '$app/navigation';
 	import { db } from '$lib/data/database';
+	import { encryptRecord } from '$lib/data/crypto';
 	import { useAllFavorites } from '$lib/modules/nutriphi/queries';
 	import { MEAL_TYPE_LABELS, suggestMealType } from '$lib/modules/nutriphi/constants';
 	import type { MealType, NutritionData } from '$lib/modules/nutriphi/types';
@@ -64,7 +65,7 @@
 						}
 					: null;
 
-			await db.table('meals').add({
+			const row: Record<string, unknown> = {
 				id: crypto.randomUUID(),
 				date: today,
 				mealType,
@@ -75,7 +76,9 @@
 				nutrition,
 				createdAt: now,
 				updatedAt: now,
-			});
+			};
+			await encryptRecord('meals', row);
+			await db.table('meals').add(row);
 
 			goto('/nutriphi');
 		} catch {
diff --git a/apps/mana/apps/web/src/routes/(app)/questions/[id]/+page.svelte b/apps/mana/apps/web/src/routes/(app)/questions/[id]/+page.svelte
index 858d409a7..f4a3b95c0 100644
--- a/apps/mana/apps/web/src/routes/(app)/questions/[id]/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/questions/[id]/+page.svelte
@@ -2,6 +2,7 @@
 	import { _ } from 'svelte-i18n';
 	import { page } from '$app/stores';
 	import { db } from '$lib/data/database';
+	import { encryptRecord } from '$lib/data/crypto';
 	import {
 		useAllQuestions,
 		useAnswersByQuestion,
@@ -67,11 +68,13 @@
 
 	async function saveEdit() {
 		if (!question || !editTitle.trim()) return;
-		await db.table('questions').update(question.id, {
+		const diff: Record<string, unknown> = {
 			title: editTitle.trim(),
 			description: editDescription.trim() || null,
 			updatedAt: new Date().toISOString(),
-		});
+		};
+		await encryptRecord('questions', diff);
+		await db.table('questions').update(question.id, diff);
 		editing = false;
 	}
 
@@ -98,7 +101,7 @@
 
 		try {
 			const now = new Date().toISOString();
-			await db.table('answers').add({
+			const row: Record<string, unknown> = {
 				id: crypto.randomUUID(),
 				questionId: question.id,
 				researchResultId: null,
@@ -108,7 +111,9 @@
 				isAccepted: false,
 				createdAt: now,
 				updatedAt: now,
-			});
+			};
+			await encryptRecord('answers', row);
+			await db.table('answers').add(row);
 			newAnswer = '';
 
 			// Mark question as answered if it was open
diff --git a/apps/mana/apps/web/src/routes/(app)/questions/new/+page.svelte b/apps/mana/apps/web/src/routes/(app)/questions/new/+page.svelte
index 56d2fd84c..77ac41c18 100644
--- a/apps/mana/apps/web/src/routes/(app)/questions/new/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/questions/new/+page.svelte
@@ -2,6 +2,7 @@
 	import { _ } from 'svelte-i18n';
 	import { goto } from '$app/navigation';
 	import { db } from '$lib/data/database';
+	import { encryptRecord } from '$lib/data/crypto';
 	import { useAllCollections } from '$lib/modules/questions/queries';
 	import type { ResearchDepth, QuestionPriority } from '$lib/modules/questions/types';
 	import { ArrowLeft, Lightning, Clock, Sparkle } from '@mana/shared-icons';
@@ -63,7 +64,7 @@
 			const now = new Date().toISOString();
 			const id = crypto.randomUUID();
 
-			await db.table('questions').add({
+			const row: Record<string, unknown> = {
 				id,
 				collectionId: collectionId || null,
 				title: title.trim(),
@@ -74,7 +75,9 @@
 				researchDepth,
 				createdAt: now,
 				updatedAt: now,
-			});
+			};
+			await encryptRecord('questions', row);
+			await db.table('questions').add(row);
 
 			goto(`/questions/${id}`);
 		} catch (e) {
diff --git a/apps/mana/apps/web/src/routes/(app)/uload/+page.svelte b/apps/mana/apps/web/src/routes/(app)/uload/+page.svelte
index e3a8d572e..68e4f96c1 100644
--- a/apps/mana/apps/web/src/routes/(app)/uload/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/uload/+page.svelte
@@ -13,6 +13,7 @@
 		type StatusFilter,
 	} from '$lib/modules/uload/queries';
 	import { linkTable, uloadFolderTable } from '$lib/modules/uload/collections';
+	import { encryptRecord } from '$lib/data/crypto';
 	import type { LocalLink } from '$lib/modules/uload/types';
 	import {
 		CaretRight,
@@ -141,7 +142,7 @@
 			return;
 		}
 
-		await linkTable.add({
+		const newRow: LocalLink = {
 			id: crypto.randomUUID(),
 			shortCode,
 			customCode: newCustomCode || null,
@@ -159,7 +160,9 @@
 			utmCampaign: newUtmCampaign || null,
 			folderId: selectedFolderId,
 			order: links.length,
-		} satisfies LocalLink);
+		};
+		await encryptRecord('links', newRow);
+		await linkTable.add(newRow);
 		toast.success(`Link erstellt: ${shortCode}`);
 		newUrl = '';
 		newTitle = '';
@@ -205,7 +208,7 @@
 			return;
 		}
 
-		await linkTable.update(editingLink.id, {
+		const diff: Record<string, unknown> = {
 			originalUrl: editUrl,
 			title: editTitle || null,
 			utmSource: editUtmSource || null,
@@ -214,7 +217,9 @@
 			expiresAt: editExpiresAt || null,
 			password: editPassword || null,
 			maxClicks,
-		});
+		};
+		await encryptRecord('links', diff);
+		await linkTable.update(editingLink.id, diff);
 		toast.success('Link aktualisiert');
 		editingLink = null;
 	}
diff --git a/apps/mana/apps/web/src/routes/(app)/uload/settings/+page.svelte b/apps/mana/apps/web/src/routes/(app)/uload/settings/+page.svelte
index 9fc96869d..f92e72733 100644
--- a/apps/mana/apps/web/src/routes/(app)/uload/settings/+page.svelte
+++ b/apps/mana/apps/web/src/routes/(app)/uload/settings/+page.svelte
@@ -1,6 +1,7 @@
 <script lang="ts">
 	import { ArrowLeft, Trash, DownloadSimple } from '@mana/shared-icons';
 	import { linkTable, uloadTagTable, uloadFolderTable, linkTagTable } from '$lib/modules/uload';
+	import { decryptRecords } from '$lib/data/crypto';
 	import { useAllLinks, useAllTags, useAllFolders } from '$lib/modules/uload';
 	import { toast } from 'svelte-sonner';
 
@@ -20,7 +21,10 @@
 	}
 
 	async function exportData() {
-		const allLinks = await linkTable.toArray();
+		// Decrypt links before serializing the export — otherwise the user
+		// would download a JSON of ciphertext blobs they couldn't restore.
+		const rawLinks = await linkTable.toArray();
+		const allLinks = await decryptRecords('links', rawLinks);
 		const allTags = await uloadTagTable.toArray();
 		const allFolders = await uloadFolderTable.toArray();
 		const allLinkTags = await linkTagTable.toArray();