Security Model
This page describes what EncryptedNote protects against, how encryption works, and what it explicitly does not protect against. It is written for technical readers and intentionally avoids marketing language.
Encryption
All encryption and decryption happens in your browser. The server stores only ciphertext and is architecturally unable to read note contents.
Key derivation (Secure mode): Argon2id via crypto_pwhash, with a randomly generated 16-byte salt and interactive parameters (64 MB memory, 2 iterations). Argon2id is memory-hard, which makes offline brute-force attacks expensive. Use a strong, randomly generated password regardless.
Two Sharing Modes
Simple mode
A 256-bit random key is generated in your browser. It is encoded into the URL fragment (#key). Browsers do not include URL fragments in HTTP requests, so the key never reaches the server. Anyone with the full URL can decrypt the note.
Secure mode
You supply a password. The encryption key is derived from that password in the browser; the password is never transmitted. The share URL contains only the note ID. The recipient needs both the link and the password. Keep the password and link in separate channels.
What This Service Protects Against
- Server-side reading: the server stores only ciphertext. No key is ever transmitted to the server.
- Database breach: an attacker who dumps the database obtains ciphertext without keys. Simple mode notes are protected by a 256-bit random key.
- Accidental content logging: API routes log only request metadata. Note content is never written to logs.
- View-count bypass: the view count is incremented and the document deleted (when the limit is reached) inside a single atomic Firestore transaction. Concurrent requests cannot consume extra views.
- Access after expiry: expired notes are rejected and deleted on the first access attempt after expiry.
What This Service Does NOT Protect Against
- Screenshots or copy by the recipient: once decrypted in the browser, the plaintext is accessible to the user.
- Compromised recipient device: malware or a compromised browser can capture plaintext at decryption time.
- Malicious browser extensions: extensions can read page content and intercept network requests.
- Very weak passwords in Secure mode: Argon2id makes brute-force expensive but not impossible for very short or common passwords. Use a strong, randomly generated password (≥ 20 characters).
- URL-logged Simple mode links: browser history, employer-managed proxies, and other intermediaries may record the full URL including the fragment that contains the key.
- Infrastructure-level backup retention: Firebase may retain deleted documents in infrastructure backups. Application-level deletion is immediate; infrastructure retention is outside this application's control.
- Phishing: this service cannot verify that a recipient opens a genuine URL.
- Legal compulsion: if compelled to disclose data, only ciphertext can be provided. The service holds no decryption keys.
Deletion Lifecycle
Notes are deleted from the database when the view limit is reached (atomic Firestore transaction) or when an access attempt occurs after the expiry time.
Time-based expiry is lazy: the document is not deleted at the moment expiresAt passes. It is deleted on the next access attempt after that time. If nobody attempts to access an expired note, the document persists in Firestore beyond its expiry time.
EncryptedNote maintains no application-level backups of note content.
Analytics
The site uses Google Analytics and Vercel Analytics for aggregate usage metrics (page views, device type, referrer). These analytics do not receive note content, the note IDs sent in API requests, or decryption keys. If you prefer no analytics, blocking Google Analytics via browser settings or an ad blocker will prevent collection.
Report a Vulnerability
If you discover a security issue, please report it responsibly. Do not disclose it publicly until we have had a reasonable opportunity to investigate and respond.
Contact: security@encryptednote.com
We aim to acknowledge reports within 72 hours and provide a substantive response within 14 days.