Skip to content

Keep Encrypted Notes That Never Leave Your Browser

Most notes apps are cloud services wearing a notebook interface — your text lives on their servers under their policies. This is the opposite: an encrypted notebook stored only in your browser's local database, locked with a master password that never leaves your device. No account, no sync, no server copy — with the honest consequences that design carries, spelled out below.

The actual tool runs in our ad-free secure workspace — nothing on this page processes your file.

Open Local Private Notes

What this tool does

  • Stores notes encrypted in your browser's IndexedDB — encrypted at rest on your own device, nowhere else.
  • Derives the encryption key from your master password with PBKDF2-HMAC-SHA-256 (600,000 iterations); notes are sealed with AES-256-GCM.
  • Auto-locks after inactivity, requiring the master password to read anything again.
  • Supports Markdown formatting, rendered safely.
  • Exports your whole notebook as an encrypted file for backup, and imports it on another machine.
  • Works offline entirely — the notebook is a local application that happens to live in a tab.

Your privacy on this tool

Stays on your device

  • Notes are encrypted and stored in this browser's IndexedDB on this device — there is no server-side copy at all.
  • The master password and derived key exist only in page memory while unlocked; auto-lock clears them.
  • Encrypted exports are generated locally; even your backups never touch our infrastructure.

Reaches our server: nothing

This tool makes no upload. Your content is processed entirely in your browser.

How to use it

  1. Open the notebook at /app/local-private-notes.
  2. Set a master password — a passphrase you can genuinely remember, since it cannot be reset.
  3. Write notes in Markdown; each is encrypted before it touches storage.
  4. Let auto-lock guard the notebook when you step away, and unlock with the master password on return.
  5. Export an encrypted backup periodically, and keep it somewhere other than this device.
  6. Test your backup once by importing it — an untested backup is a hope, not a plan.
Open Local Private Notes

Common uses

  • Journaling on genuinely personal topics — health, relationships, finances — where cloud storage feels wrong.
  • Keeping a scratchpad of sensitive work notes on a machine you control.
  • Drafting things too raw to sync anywhere: grievances, difficult letters, therapy notes.
  • Holding temporarily sensitive details — a upcoming surprise, negotiation numbers — that need a lock, not a cloud.
  • A private notebook on a personal laptop in a shared household, protected even if someone opens the browser.

Supported formats

  • Markdown text notes
  • Backup: encrypted export file (importable on any device running the tool)

Works in all modern browsers with IndexedDB and the Web Crypto API; use a browser profile you keep long-term, not a private/incognito window, since incognito storage evaporates on close.

Limitations & security notes

Limitations

  • Local-only cuts both ways: clearing this browser's site data deletes the notebook, permanently. Browser cleanup tools, 'clear cookies and site data', and some privacy modes will destroy it — exports are your safety net.
  • No sync means exactly that: notes on your laptop do not appear on your phone. Moving them is a manual export/import.
  • Forget the master password and the notes are gone — encryption without a reset path is the entire point, and it has no exceptions.
  • Anyone who can log into your device profile and knows (or captures) your master password can read the notebook; device security remains yours to maintain.
  • SecretPNG is in beta and has not been independently audited.

Security notes

  • Encryption at rest in IndexedDB means a casual snoop with access to your device's files sees ciphertext, not diary entries — but a keylogger or a compromised device defeats any notebook, this one included.
  • The master password is the single point of failure and rescue: use a real passphrase (our generator makes good ones) and never reuse a password from another service.
  • Auto-lock protects against the walk-away scenario — the unlocked-tab-in-the-break-room problem — by re-requiring the password after idle time.
  • Markdown rendering is sandboxed so a pasted snippet cannot execute anything — pasting untrusted text into a note should never be dangerous.
  • Schedule backups like you mean it: local-only storage makes the encrypted export the only thing standing between a browser reset and total loss.

Frequently asked questions

Where exactly are my notes stored?
In IndexedDB — a database your browser maintains on your device, scoped to this site. Every note is encrypted with AES-256-GCM before it is written there, using a key derived from your master password. There is no other copy anywhere: not on our servers (we don't have storage for this tool at all), not in a cloud, not in your other browsers.
What happens if I clear my browser data?
The notebook is deleted along with the rest of the site's data, and there is no undo — we have no copy to restore. This is the sharpest edge of local-only design, and it is why the tool nags about encrypted exports. If you regularly run cleanup tools or aggressive privacy settings, either exempt this site or back up religiously.
Can I access my notes from my phone and my laptop?
Not automatically — no sync exists, by design, because sync means a server-side copy. You can move the notebook manually: export the encrypted backup on one device, transfer the file however you like (it is safely encrypted), and import it on the other. Each device then has an independent copy.
I forgot my master password. Is there really no way back in?
Really none. The notes are encrypted with a key derived from that password; without it, they are indistinguishable from random data, and no reset mechanism exists because a reset mechanism would be a backdoor. If you have an older encrypted export whose password you do remember, import that — it is the only recovery path.
How is this better than my phone's notes app with a lock?
Different, mainly: most phone notes apps sync to a cloud account, and their 'locked notes' features vary in what they actually encrypt versus merely hide. This notebook makes one clear promise — encrypted with your password, stored only on your device — and accepts the costs of that promise (no sync, no reset) openly. Whether the trade is better depends on whether the cloud copy was the thing worrying you.
Is a browser really a safe place for sensitive notes?
It is a reasonable place with honest caveats. The cryptography (AES-256-GCM, PBKDF2 at 600,000 iterations) is standard and solid, and encryption at rest genuinely protects against device theft and casual access. The limits are the platform's: a compromised device or browser extension with page access could capture data while a note is open and decrypted, and this beta has not been independently audited. For nation-state-grade concerns, use audited native tooling; for private-from-cloud-and-household, this fits.

Related tools

Was this tool helpful?

Last reviewed: 2026-07-14Open Local Private Notes

SecretPNG is in beta and has not been independently audited. Security status.