What is Secure Notes?

Write notes encrypted with AES-256-GCM. Your notes never leave your device — they're stored encrypted locally and can only be unlocked with your password.

Encryption uses the Web Crypto API with AES-256-GCM and a key derived from your password through PBKDF2 (100,000 iterations of SHA-256 by default). The encrypted blob, salt, and IV all stay in your device's local storage. There is no account, no sync, no recovery email; only the password you set can unlock a note. Export the encrypted JSON to back up across devices.

How to use

1. Create a new note by entering a title and your content. Set a strong password that will be used to encrypt the note.
2. Lock the note to encrypt it. Your encrypted notes appear in the sidebar — click one and enter your password to decrypt and read it.
3. Export encrypted notes as a backup file, or delete notes you no longer need. All encryption happens locally — nothing is sent to any server.

When to use

• Storing software licence keys you need on hand but do not want in a cloud password manager.
• Keeping personal journal entries on a shared laptop where other accounts have access.
• Holding sensitive travel info (passport numbers, two-factor backup codes) for offline reference.

Result

A user stores their Wi-Fi passwords and software license keys in separate encrypted notes, each protected with a unique password, knowing the data never leaves their device.

FAQ

What happens if I forget the password to a note?

The note becomes unrecoverable. AES-256-GCM with a derived key has no back door, so without the password the encrypted contents are indistinguishable from random data. Pick a password you can remember or store a hint somewhere separate from the device.

Are my notes synced between my phone and laptop?

No, they stay on whichever device created them because storage is local. Use the Export button on the source device to save the encrypted JSON file, then Import it on the other device. The password remains the same.

Can someone read the notes if they have my device?

They can see that encrypted notes exist and read the titles and any tags, but the body content requires the password to decrypt. Keep sensitive details out of the title and tags, and for extra protection on a shared computer set a strong device login password and lock the screen when you walk away.

Why AES-256-GCM specifically?

GCM adds an authentication tag that detects tampering, so a modified ciphertext fails to decrypt rather than producing garbled plaintext. The 256-bit key length is widely considered out of reach for any practical brute force attack.

Does clearing browsing data delete my notes?

Yes. Clearing site data, cookies, or local storage for this domain wipes the encrypted blob. Always export a backup file before clearing data or switching devices, because there is no copy stored anywhere else.

Related Tools