About cryptnote.io

Privacy-First Encrypted Notes

cryptnote.io is a zero-knowledge encrypted note-sharing service designed for sharing sensitive information securely and privately.

In an era where data breaches and privacy violations are commonplace, we believe that sharing sensitive information should be simple, secure, and truly private. That's why we built cryptnote.io with end-to-end encryption at its core.

How It Works

1. Create & Encrypt

Write your note and configure security settings. Your content is encrypted in your browser using AES-256-GCM before it ever leaves your device.

2. Share Securely

Receive a unique URL containing the encryption key in the fragment (#). The key never reaches our servers - it stays in your URL.

3. View & Decrypt

Recipients access the note using the complete URL. Decryption happens in their browser - we never have access to your unencrypted content.

4. Self-Destruct

Notes automatically delete after reaching their view limit or expiration time. Once deleted, they're gone forever - even we can't recover them.

Zero-Knowledge Architecture

We can't read your notes. Period. This isn't just a promise - it's mathematically guaranteed by our zero-knowledge architecture.

  • Client-Side Encryption: All encryption happens in your browser using the Web Crypto API. Your plaintext never touches our servers.
  • Key Management: Encryption keys are generated in your browser and only stored in the URL fragment (after #), which browsers never send to servers.
  • No Server-Side Decryption: We only store encrypted data. Without the key, decrypting it is computationally infeasible.
  • No Backdoors: There are no master keys, no recovery mechanisms, and no way for us to access your content.

Security Features

🔒 AES-256-GCM Encryption

Military-grade authenticated encryption with 256-bit keys provides both confidentiality and integrity protection.

⏱️ Self-Destructing Notes

Set view limits (1-5 views) and expiration times (12 hours - 7 days). Notes are permanently deleted when either limit is reached.

🔐 Password Protection

Add an extra layer of security with PBKDF2-derived password encryption (100,000 iterations).

📎 Encrypted File Attachments

Attach files up to 250MB. Files are encrypted client-side with the same AES-256-GCM algorithm.

🚫 No Tracking

No cookies, no sessions, no analytics, no tracking. Your privacy is paramount.

🛡️ Rate Limiting

Privacy-preserving rate limiting (HMAC-SHA256 hashed IPs) prevents abuse without compromising your anonymity.

Use Cases

🔑 Share Credentials

Safely share passwords, API keys, or access tokens with colleagues or clients.

💳 Sensitive Data

Share credit card details, SSNs, or other personal information securely.

📄 Confidential Documents

Send contracts, NDAs, or proprietary information that needs to stay private.

💬 Private Messages

Share sensitive communications that shouldn't be stored permanently.

🔐 One-Time Secrets

Share information that should only be viewed once, like temporary access codes.

🏢 Business Communications

Securely share financial data, legal information, or HR documents.

Technical Implementation

Encryption

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Generation: Cryptographically secure random (crypto.getRandomValues)
  • Key Size: 256 bits (32 bytes)
  • IV: Unique 96-bit initialization vector per encryption
  • Password Derivation: PBKDF2 with 100,000 iterations (SHA-256)
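
The parameters listed above (random 256-bit key, unique 96-bit IV, AES-256-GCM, key carried only in the URL fragment) shown end to end, as an added example that is not cryptnote.io's own code. The function names, the `/n/EXAMPLE-ID` path, the `notes.example` host used to call it and the shape of the upload object are assumptions; the optional PBKDF2 password layer is left out.

```javascript
// Added example, not cryptnote.io's code. Names, note ID and URL layout are assumptions.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const getCrypto = async () =>
  globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;

// base64url helpers (fine for short notes; chunk the input for large files)
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4)),
  (ch) => ch.charCodeAt(0));

// Sender: random 256-bit key, fresh 96-bit IV, AES-GCM encryption.
async function createNote(plaintext, baseUrl) {
  const c = await getCrypto();
  const rawKey = c.getRandomValues(new Uint8Array(32));
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await c.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['encrypt']);
  const ct = await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return {
    // Everything the server would store: IV plus ciphertext with its 16-byte GCM tag.
    upload: { iv: b64u(iv), ciphertext: b64u(new Uint8Array(ct)) },
    // The key travels only in the fragment of the link handed to the recipient.
    shareUrl: `${baseUrl}/n/EXAMPLE-ID#${b64u(rawKey)}`,
  };
}

// The request target an HTTP client sends for a URL: path and query, no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient: key from the fragment, then authenticated decryption.
// Rejects (throws) if the ciphertext, IV or key has been altered.
async function openNote(upload, shareUrl) {
  const c = await getCrypto();
  const rawKey = unb64u(new URL(shareUrl).hash.slice(1));
  const key = await c.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(upload.iv) }, key, unb64u(upload.ciphertext));
  return new TextDecoder().decode(pt);
}
```

Because GCM is authenticated, `openNote` fails outright on a modified ciphertext instead of returning altered plaintext.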

Privacy

  • No Cookies: Theme preference stored in LocalStorage only
  • No User Accounts: Completely anonymous - no registration required
  • No IP Storage: Only privacy-preserving HMAC-SHA256 hashes for rate limiting
  • No Analytics: We don't track, monitor, or profile users

Security Headers

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff

Your Privacy. Your Control.

No backdoors. No data mining. No compromises.
Just secure, private, self-destructing notes.

Open Source & Transparency

We believe in transparency. While our specific deployment is private, the core encryption logic is built on standard, well-audited cryptographic primitives using the Web Crypto API.

Key Principles:

  • Use proven cryptographic standards (AES-GCM, PBKDF2)
  • Never roll our own crypto
  • Leverage browser-native security features
  • Follow OWASP security best practices

Questions? Check our FAQ for more information.