Sharing encrypted notes without leaking the key: what we learned
Sharing a note means sharing the link and the password. Sounds simple until you think about how that password travels.
The only way to share an encrypted note is to share the URL and the password. There’s no way around that in a zero-knowledge design. So the real question is: how do you get the password to the right person without exposing it?
Don’t put the password in the same channel as the link
If you paste the link and the password in the same Slack thread or email, anyone with access to that thread has full access. Send the link one way (e.g. email or chat) and the password another (e.g. a quick call or a different app). It’s a small habit that cuts risk a lot.
One password per note
We don’t have “users” or “accounts”—each note has its own password. So when you share, you’re sharing access to that one note. If you need to revoke access later, change the note’s password (we support that in the editor) and share the new password only with people who should still have access.
FAQ: Sharing encrypted notes safely
Q1. Why can’t you just include the password in the encrypted link?
Because that would put the decryption secret in the same place as the ciphertext, defeating the point of zero-knowledge. Keeping URL and password separate reduces risk if one channel is compromised.
Q2. What’s the safest way to share the password?
Use a different channel than the link—email + phone call, chat + in-person, or separate apps. The goal is to avoid a single transcript that contains both URL and password.
Q3. How do I revoke access after I’ve shared a note?
Change the note’s password and only share the new one with people who should keep access. Anyone with the old password loses the ability to decrypt.
Q4. Can I reuse the same password for multiple shared notes?
You can, but it’s better not to. If that password leaks, every note using it is at risk. Unique passwords per note keep incidents contained.
Q5. Does the server ever see the password during sharing?
No. In Inkrypt, passwords are used only in the browser to derive keys via PBKDF2; the server never sees them. Sharing is purely about how you communicate the URL and password to other people.
Where to go next
To go deeper on how sharing fits into the zero-knowledge model:
- Read “Zero-knowledge encryption: what it actually means when we can't see your data”.
- Read “Why your note URL isn't a secret (and what actually is)”.
- Try sharing an Inkrypt note at https://www.inkrypt.online using separate channels for URL and password.