
How we built an encrypted notepad and how it compares

We wanted something like ProtectedText but with a stack we could maintain and a UX we could improve. Here’s where we landed.

Inkrypt · Security Insights

We’re not the first encrypted notepad on the web. Tools like ProtectedText, Standard Notes, and others have been around for years. We built Inkrypt because we wanted a zero-knowledge note that’s simple (no account), uses modern crypto (AES-256-GCM, strong KDF), and runs on a stack we control.

What we kept simple

  • No signup. You pick a URL and a password. That’s the whole identity model.
  • One password per note. No “account password” vs “note password”—just one secret per note.
  • Share by link + password. No invites or roles—whoever has both can open and edit.

Where we invested

We use PBKDF2 with 310k iterations and AES-256-GCM with a random IV per save. We store only ciphertext and metadata. The editor supports rich text, images (encrypted in the same note), and multiple tabs. So: comparable security to the best in class, with a UX that fits “quick secure note” without turning into a full productivity suite.

FAQ: How we built an encrypted notepad

Q1. Why did you build Inkrypt instead of using an existing encrypted notepad?

We wanted a zero-knowledge note app with modern browser crypto (Web Crypto API, AES-256-GCM, PBKDF2 with 310k iterations), no accounts, and a UX focused on quick secure notes rather than a full productivity suite.

Q2. How is Inkrypt’s encryption implemented under the hood?

In the browser, we derive a key from your password using PBKDF2 (310k iterations) and encrypt note content with AES-256-GCM using a fresh random IV per save. The server only ever sees ciphertext, salt, IV, and metadata.
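The flow in this answer, written against the Web Crypto API as an added example (not Inkrypt's own code). The iteration count and cipher come from the page; the SHA-256 PRF, 16-byte salt, 12-byte IV, record layout and function names are assumptions.

```javascript
// Added example, not Inkrypt's code. Works in browsers and in Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const PBKDF2_ITERATIONS = 310000; // from the page

// Password -> non-extractable AES-256-GCM key. SHA-256 is an assumption.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the record a server would store: salt, IV and ciphertext only.
// Pass the note's existing salt when re-saving; a new salt is drawn otherwise.
async function encryptNote(password, plaintext,
                           salt = wc.getRandomValues(new Uint8Array(16))) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV on every save
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  // The 16-byte GCM authentication tag is appended to the ciphertext.
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Resolves to the plaintext, or to null when decryption is rejected
// (wrong password, or a modified ciphertext, IV or salt).
async function decryptNote(password, record) {
  const key = await deriveKey(password, record.salt);
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: record.iv }, key, record.ciphertext);
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

A wrong password and a tampered record fail the same way, because both surface as a GCM tag mismatch; the client cannot tell them apart.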

Q3. Why no accounts or password recovery?

Because we never see or store your password or decryption key. Adding accounts and recovery flows would push us away from a strict zero-knowledge model and expand the attack surface.

Q4. How does Inkrypt compare to tools like ProtectedText or Standard Notes?

We aim for a smaller surface: per-note URL + password, client-side-only crypto, and minimal backend logic. Bigger tools often add features like sync, search, and collaboration, which can complicate zero-knowledge guarantees.

Q5. Can I treat Inkrypt as a general-purpose notes app?

You can, but it’s best as a companion for sensitive or time-limited content. Use it where you want client-side encryption and simple sharing; keep everyday, non-sensitive notes in your normal workspace.

Where to go next

To explore more of the design behind Inkrypt: