Sharing encrypted notes without leaking the key: what we learned
Sharing a note means sharing the link and the password. Sounds simple until you think about how that password travels.
The only way to share an encrypted note is to share the URL and the password. There’s no way around that in a zero-knowledge design. So the real question is: how do you get the password to the right person without exposing it?
Don’t put the password in the same channel as the link
If you paste the link and the password in the same Slack thread or email, anyone with access to that thread has full access. Send the link one way (e.g. email or chat) and the password another (e.g. a quick call or a different app). It’s a small habit that cuts risk a lot.
One password per note
We don’t have “users” or “accounts”—each note has its own password. So when you share, you’re sharing access to that one note. If you need to revoke access later, change the note’s password (we support that in the editor) and share the new password only with people who should still have access.