DevToolKit

Secure Notes

Create, encrypt, and store private notes locally in your browser using AES-256-GCM encryption. Password-protected, zero-server storage, auto-lock on inactivity.


How to Use

Secure Notes lets you create, encrypt, and manage private notes entirely within your browser. No account registration, no cloud sync, no data collection. Your notes are encrypted with AES-256-GCM before being stored in IndexedDB, and only your password can unlock them.

Getting Started

  1. Create your vault: On first visit, choose a strong password. This password derives a 256-bit encryption key via PBKDF2 with 600,000 iterations of SHA-256 hashing. There is no password recovery, so choose carefully.
  2. Write notes: Click "New Note" to create a note. Give it a title and write your content. Notes auto-save after 2 seconds of inactivity.
  3. Manage notes: Use the sidebar to switch between notes. Click the trash icon and confirm to delete a note permanently.
  4. Lock your vault: Click the "Lock" button or simply wait 5 minutes. The encryption key is wiped from memory, and re-entry of your password is required.
  5. Export and import: Use the Export button to download an encrypted backup as JSON. Import that file on any browser to restore your vault. The export contains only ciphertext.

All cryptographic operations use the browser's native Web Crypto API, which performs the key derivation, encryption, and decryption in the browser's own native code rather than in the page's JavaScript. Your password and plaintext notes never leave your device.

About This Tool

How AES-256-GCM Encryption Protects Your Notes

AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) is the same symmetric cipher used by password managers, government agencies, and financial institutions worldwide. It provides two guarantees simultaneously: confidentiality (your data cannot be read without the key) and authenticity (any tampering with the ciphertext causes decryption to fail immediately). As of 2026, no practical attack against AES-256 exists.

PBKDF2 Key Derivation

Your password is not used directly as an encryption key. Instead, it passes through PBKDF2 (Password-Based Key Derivation Function 2) with 600,000 iterations of HMAC-SHA-256 hashing, meeting current OWASP recommendations. This computationally expensive process makes brute-force attacks impractical: testing each candidate password requires ~600,000 hash operations, drastically slowing down automated guessing. A random 16-byte salt ensures that identical passwords produce different keys.

Initialization Vectors and Per-Note Security

Each note is encrypted with a unique 12-byte Initialization Vector (IV) generated by crypto.getRandomValues(). The IV ensures that encrypting the same plaintext twice produces completely different ciphertext, preventing pattern analysis. Combined with AES-GCM's authenticated encryption, this makes each note's ciphertext both unique and tamper-evident.

Client-Side Storage with IndexedDB

Encrypted notes are stored in your browser's IndexedDB, a persistent client-side database. Unlike cookies or localStorage, IndexedDB can handle structured data of arbitrary size. The data persists across browser restarts but is scoped to your browser profile and origin. Clearing browser data or switching browsers will remove your notes, which is why the export feature exists for backup.

Why Use This Tool

Why Store Notes Locally Instead of in the Cloud?

Cloud-based note apps like Evernote, Notion, and Google Keep store your content on remote servers. While convenient, this means your notes are accessible to the service provider, potentially subject to data breaches, and available to law enforcement via subpoena. Many services scan note content for advertising or AI training purposes.

Secure Notes eliminates these risks entirely. Your encrypted data never leaves your browser. There is no server to breach, no account to compromise, and no third party with access to your content. The trade-off is that you are responsible for your own backups via the export feature, and there is no password recovery mechanism.

Ideal Use Cases

  • Sensitive credentials: API keys, recovery codes, software license keys, and other secrets you need quick access to.
  • Private journal entries: Personal reflections, medical notes, or therapy session summaries that should remain strictly private.
  • Temporary secure storage: Information you need for a limited time, such as meeting notes with confidential details or interview preparation notes.
  • Offline-first workflows: Unlike cloud note apps, Secure Notes works without an internet connection after the initial page load.

For related security tools, explore the AES Encrypt/Decrypt tool for encrypting arbitrary text, the Password Generator for creating strong vault passwords, the Hash Generator for verifying file integrity, and the Password Strength Analyzer to evaluate your vault password's security.

FAQ

Where are my notes stored?
Notes are encrypted with AES-256-GCM and stored in your browser's IndexedDB. No data is ever sent to any server. If you clear your browser data or use a different browser, your notes will not be available — export them first as a backup.
What happens if I forget my password?
There is no password recovery mechanism. Your password is used to derive the encryption key via PBKDF2 with 600,000 iterations. Without the correct password, your notes cannot be decrypted. This is a security feature, not a limitation — it means nobody (including us) can access your notes without your password.
How does the auto-lock feature work?
After 5 minutes of inactivity (no mouse movement, keyboard input, or touch events), the vault automatically locks. The derived encryption key is wiped from memory, and you must re-enter your password to access your notes. This prevents unauthorized access if you step away from your computer.
Can I export my notes?
Yes. You can export all notes as a JSON file containing the encrypted data. This file can be imported back into the tool on any browser. The export contains only encrypted ciphertext — it is safe to store or transfer without exposing your note contents.
How secure is this compared to dedicated apps?
This tool uses the same AES-256-GCM encryption and PBKDF2 key derivation used by password managers like 1Password and Bitwarden. The Web Crypto API performs all cryptographic operations in a secure browser sandbox. The main trade-off is persistence — browser storage can be cleared, so regular exports are recommended for important notes.