Keep Encrypted Notes That Never Leave Your Browser
Most notes apps are cloud services wearing a notebook interface — your text lives on their servers under their policies. This is the opposite: an encrypted notebook stored only in your browser's local database, locked with a master password that never leaves your device. No account, no sync, no server copy — with the honest consequences that design carries, spelled out below.
The actual tool runs in our ad-free secure workspace — nothing on this page processes your file.
Open Local Private Notes →What this tool does
- Stores notes encrypted in your browser's IndexedDB — encrypted at rest on your own device, nowhere else.
- Derives the encryption key from your master password with PBKDF2-HMAC-SHA-256 (600,000 iterations); notes are sealed with AES-256-GCM.
- Auto-locks after inactivity, requiring the master password to read anything again.
- Supports Markdown formatting, rendered safely.
- Exports your whole notebook as an encrypted file for backup, and imports it on another machine.
- Works offline entirely — the notebook is a local application that happens to live in a tab.
Your privacy on this tool
Stays on your device
- Notes are encrypted and stored in this browser's IndexedDB on this device — there is no server-side copy at all.
- The master password and derived key exist only in page memory while unlocked; auto-lock clears them.
- Encrypted exports are generated locally; even your backups never touch our infrastructure.
Reaches our server: nothing
This tool makes no upload. Your content is processed entirely in your browser.
How to use it
- Open the notebook at /app/local-private-notes.
- Set a master password — a passphrase you can genuinely remember, since it cannot be reset.
- Write notes in Markdown; each is encrypted before it touches storage.
- Let auto-lock guard the notebook when you step away, and unlock with the master password on return.
- Export an encrypted backup periodically, and keep it somewhere other than this device.
- Test your backup once by importing it — an untested backup is a hope, not a plan.
Common uses
- Journaling on genuinely personal topics — health, relationships, finances — where cloud storage feels wrong.
- Keeping a scratchpad of sensitive work notes on a machine you control.
- Drafting things too raw to sync anywhere: grievances, difficult letters, therapy notes.
- Holding temporarily sensitive details — a upcoming surprise, negotiation numbers — that need a lock, not a cloud.
- A private notebook on a personal laptop in a shared household, protected even if someone opens the browser.
Supported formats
- Markdown text notes
- Backup: encrypted export file (importable on any device running the tool)
Works in all modern browsers with IndexedDB and the Web Crypto API; use a browser profile you keep long-term, not a private/incognito window, since incognito storage evaporates on close.
Limitations & security notes
Limitations
- Local-only cuts both ways: clearing this browser's site data deletes the notebook, permanently. Browser cleanup tools, 'clear cookies and site data', and some privacy modes will destroy it — exports are your safety net.
- No sync means exactly that: notes on your laptop do not appear on your phone. Moving them is a manual export/import.
- Forget the master password and the notes are gone — encryption without a reset path is the entire point, and it has no exceptions.
- Anyone who can log into your device profile and knows (or captures) your master password can read the notebook; device security remains yours to maintain.
- SecretPNG is in beta and has not been independently audited.
Security notes
- Encryption at rest in IndexedDB means a casual snoop with access to your device's files sees ciphertext, not diary entries — but a keylogger or a compromised device defeats any notebook, this one included.
- The master password is the single point of failure and rescue: use a real passphrase (our generator makes good ones) and never reuse a password from another service.
- Auto-lock protects against the walk-away scenario — the unlocked-tab-in-the-break-room problem — by re-requiring the password after idle time.
- Markdown rendering is sandboxed so a pasted snippet cannot execute anything — pasting untrusted text into a note should never be dangerous.
- Schedule backups like you mean it: local-only storage makes the encrypted export the only thing standing between a browser reset and total loss.
Frequently asked questions
- Where exactly are my notes stored?
- In IndexedDB — a database your browser maintains on your device, scoped to this site. Every note is encrypted with AES-256-GCM before it is written there, using a key derived from your master password. There is no other copy anywhere: not on our servers (we don't have storage for this tool at all), not in a cloud, not in your other browsers.
- What happens if I clear my browser data?
- The notebook is deleted along with the rest of the site's data, and there is no undo — we have no copy to restore. This is the sharpest edge of local-only design, and it is why the tool nags about encrypted exports. If you regularly run cleanup tools or aggressive privacy settings, either exempt this site or back up religiously.
- Can I access my notes from my phone and my laptop?
- Not automatically — no sync exists, by design, because sync means a server-side copy. You can move the notebook manually: export the encrypted backup on one device, transfer the file however you like (it is safely encrypted), and import it on the other. Each device then has an independent copy.
- I forgot my master password. Is there really no way back in?
- Really none. The notes are encrypted with a key derived from that password; without it, they are indistinguishable from random data, and no reset mechanism exists because a reset mechanism would be a backdoor. If you have an older encrypted export whose password you do remember, import that — it is the only recovery path.
- How is this better than my phone's notes app with a lock?
- Different, mainly: most phone notes apps sync to a cloud account, and their 'locked notes' features vary in what they actually encrypt versus merely hide. This notebook makes one clear promise — encrypted with your password, stored only on your device — and accepts the costs of that promise (no sync, no reset) openly. Whether the trade is better depends on whether the cloud copy was the thing worrying you.
- Is a browser really a safe place for sensitive notes?
- It is a reasonable place with honest caveats. The cryptography (AES-256-GCM, PBKDF2 at 600,000 iterations) is standard and solid, and encryption at rest genuinely protects against device theft and casual access. The limits are the platform's: a compromised device or browser extension with page access could capture data while a note is open and decrypted, and this beta has not been independently audited. For nation-state-grade concerns, use audited native tooling; for private-from-cloud-and-household, this fits.
Related tools
Was this tool helpful?
SecretPNG is in beta and has not been independently audited. Security status.