ProtectedNote.com

Safe note sharing • One-time key • Two-factor

How does this work?

1. Enter the information you want to share and press the "Store safely" button
2. Copy the "Opening Instructions" and send it to the receiver
3. The receiver can follow the basic instructions to read the information. It can be read only once

Always make sure you trust the receiver with your information before sharing anything. Are you sure the receiver is who they say they are? If not, always verify it first.

With the two-factor options you can

1. Copy and share the "Secret safe key link"
2. Copy and share the "Secret safe", preferably in a different way for additional security

The advantages of ProtectedNote.com

It is more secure than most alternatives. ProtectedNote.com is easy to use and does not provide unsafe options. Even for us it is impossible to read your text. The technical details are shared below.

How is this different from other ways of sharing information?

Information that you enter is made unreadable when you click the "Store safely" button. To read it again, the receiver needs either the "Opening Instructions" or both the "Secret key" and the "Secret safe". Otherwise the information stays unreadable. The first is shown on the screen after pressing "Store safely". The others are shown in the "Two-factor sharing alternative" section.

Normally, your (sensitive) text is saved on a computer somewhere on the internet and you need to trust them to protect it. As only half of the required information is saved on our systems, we cannot use it to read your text at all, even if we wanted to. The other half is not saved and not communicated to us.

Why do I have to go to protectedNote.com and paste information there?

In order to make that possible, we would have to receive both the secret key and secret safe, which would allow us to read your information. It would not be secure.

Why can't I click once to open the safe?

In order to make that possible, we would have to receive both the secret key and secret safe, which would allow us to read your information. It would not be secure.

Why is the Secret safe key stored on your systems?

We cannot read your information without the "Secret safe" or "Opening Instructions", which we don't have. Many people forget to remove passwords or other sensitive information from chats and emails. As a result, if in the future anything happens to the phone or computer of the receiving person, there's a real chance that your information falls into the wrong hands.

We do not want your information to fall into the wrong hands. For that reason, the secret safe key can only be retrieved once. Your secure key data is immediately removed from our systems when the key is retrieved. Then, if the receiver leaves the Opening Instructions or both the Secret key and the Secret safe in emails, chats or wherever and it falls into the wrong hands, it still cannot be used to read your text.

Why is there a link available in two-factor mode and not in the regular mode?

The link is used for the key, which is stored on our systems already. By adding this to the link, less clicking is needed for two-factor mode.

In the regular mode we already store everything in the instructions and this needs to be copied anyway. One copy action is the limit we aim for.

How long do you keep the secret key available for retrieval?

A secret key "expires" in 24 hours. After this, the safe cannot be opened even with the right key and we delete the secret key data from our systems.

How can I delete the secret key data myself?

If you shared the information with the wrong person or for another reason want to invalidate the sharing, the easiest option is to open the safe yourself with the information you shared, because it can only be read once.

Why is there no option for...? and other feedback

Having less options makes it simpler to understand for everyone and we avoid options that are not as secure.

We do consider improvements though and if something turns out to be very useful and as secure, we may add it. You can contact us for feedback and suggestions here: suggestions at ProtectedNote.com

Give me the technical details

The encryption used by ProtectedNote.com means that both the "Secret key" and "Secret safe" are required to unencrypt. It uses XOR encryption with a key as long as the message for confidentiality and a SHA-256 hash for integrity. We add padding to (short) messages so length information is also significantly less useful.

Because we use XOR encryption with a full length key, the data cannot be read without the combination of both the encrypted data and key. That's why saving half of this on our servers is adding to the security (due to expiry and one time reading), compared to trusting the many users to delete the data afterwards (and trusting all the intermediate systems on actually deleting it).

The key generation also needs to be strong enough. We use crypto.getRandomValues for this, which gives cryptographically strong random values⤴.

Verification and local usage

The main page can be locally saved and verified. It is not essential that the hosted page of ProtectedNote.com is used. You can and are allowed to host the unmodified page yourself. It is not needed to "trust" the server afterwards, especially considering that the encryption allows for this.

We do not use crypto.generateKey because we want the page to work when saved locally. This is also the reason the html, css and javascript is combined in one page. This allows for trivial self-hosting for those that would prefer it. The backend code, for the same purpose and under the same conditions can be found here.

Pricing

This service is free of charge for personal and commercial use. If you like the service and want to show your appreciation, we would love to receive any ❤ donation.