
🔐 Security & Encryption

Your notes are protected with industry-standard end-to-end encryption. Only you can read them.

Security Overview

End-to-End Encryption

Notes are encrypted on your device before being uploaded. We cannot read your data.

Zero-Knowledge Architecture

Your encryption keys never leave your devices. Even we can't decrypt your notes.

No Metadata Leakage

Note titles, labels, and content are all encrypted. Only timestamps are visible.

Open Source Crypto

We use well-audited cryptographic libraries. No custom "security through obscurity".

Technical Details

Cryptographic Algorithms

  • Symmetric Encryption: AES-256-GCM for note content
  • Key Derivation: PBKDF2 with SHA-256, 100,000 iterations
  • Key Exchange: X25519 (Curve25519 ECDH)
  • Digital Signatures: Ed25519 for device verification
  • Random Number Generation: Platform-native CSPRNG

Key Management

Your encryption keys are generated on your device and never transmitted to our servers.

  • Master Key: Derived from your account credentials using PBKDF2
  • Device Keys: Unique keypair generated per device
  • Note Keys: Random symmetric key per note, encrypted with your master key
  • Recovery Key: Optional 24-word mnemonic for account recovery

How End-to-End Encryption Works

1. You Write a Note

Your note exists only in memory on your device.

2. Local Encryption

A unique AES-256-GCM key is generated. Your note is encrypted with this key.

3. Key Encryption

The note's key is encrypted with your master key (derived from your credentials).

4. Secure Upload

Only encrypted data is sent to our servers over TLS. We never see plaintext.

5. Sync to Other Devices

Your other devices decrypt using your master key. Notes are readable only by you.

Result: Even if someone gains access to our servers, they cannot read your notes. Only devices with your master key can decrypt them.
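As an added example (not this app's own code), steps 2 to 5 can be written with Node's built-in crypto module and the algorithms listed under Technical Details. The salt, the record layout and the use of the note id as GCM associated data are assumptions made for the illustration.

```javascript
// Added illustration, not the app's own code. Salt handling, record layout and
// the note-id AAD are assumptions; algorithms and iteration count are the page's.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Master key: PBKDF2 with SHA-256, 100,000 iterations, 256-bit output.
function deriveMasterKey(password, salt) {
  return pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// AES-256-GCM with a fresh 96-bit nonce; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key, ciphertext, tag or aad differ from what was sealed.
function open(key, box, aad) {
  const decipher = createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Steps 2-3: a random per-note key encrypts the note, the master key wraps that key.
function encryptNote(masterKey, noteId, text) {
  const aad = Buffer.from(noteId, 'utf8'); // assumption: bind both blobs to the note id
  const noteKey = randomBytes(32);
  const record = {
    noteId,
    wrappedKey: seal(masterKey, noteKey, aad),
    body: seal(noteKey, Buffer.from(text, 'utf8'), aad),
  };
  noteKey.fill(0); // the plaintext note key is not needed once wrapped
  return record;   // step 4: only this record would be uploaded
}

// Step 5: a device holding the master key unwraps the note key, then the note.
function decryptNote(masterKey, record) {
  const aad = Buffer.from(record.noteId, 'utf8');
  const noteKey = open(masterKey, record.wrappedKey, aad);
  return open(noteKey, record.body, aad).toString('utf8');
}

// Constructed sample input.
const demoKey = deriveMasterKey('correct horse battery staple', randomBytes(16));
console.log(decryptNote(demoKey, encryptNote(demoKey, 'note-001', 'buy milk')));
```

A wrong password, a modified ciphertext or a record moved to a different note id all fail the GCM tag check in `open` instead of returning altered plaintext.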

PIN-Protected Notes

Locked notes add an additional layer of encryption on top of the standard E2EE. When you lock a note with a PIN:

Locked Note = E2EE( PIN_Encrypt( Your Note ) )

What We Can See vs. Cannot See

What We CAN See (Metadata)

  • Your email address (for authentication)
  • Timestamps of when notes were created/modified
  • Encrypted blob sizes (how big encrypted notes are)
  • Device information (for multi-device sync)
  • Aggregate usage statistics (anonymized)

What We CANNOT See

  • Note titles
  • Note content (text, checklists, etc.)
  • Labels/tags
  • Colors
  • Attachment contents (images, files)
  • Anything inside your notes

Account Recovery

Because we use true end-to-end encryption, we cannot reset your encryption keys if you lose access. That's why we provide a recovery key when you set up E2EE.

Recovery Key

Your recovery key is a 24-word mnemonic phrase that can restore access to your encrypted notes. Store it somewhere safe—if you lose both your device access and recovery key, your encrypted notes cannot be recovered.

Example: abandon ability able about above absent absorb abstract ... (Store your actual recovery key securely, not in digital notes!)

Our Security Practices