Encrypted Notes — AES-256 Browser-Side, Server Sees Ciphertext
Encrypt your Markdown notes in the browser before they ever reach a server. AES-256-GCM with PBKDF2 key derivation. Zero-knowledge — even we can't read your content.
Why client-side encryption matters
Most online services encrypt data “at rest” on their servers. This protects against physical disk theft, but the service itself can always read your data — it holds the keys. If the service is hacked, your data is exposed. If served with a legal request, your data is handed over.
Client-side encryption is different. The encryption key is derived from your password in your browser. The server never sees the password, the key, or the plaintext. It only stores ciphertext. This is zero-knowledge: even a full server compromise reveals nothing readable.
How Note Shuttle's encryption works
When you set an encryption password on a document or folder, here's what happens in your browser:
- Salt generation. A random 16-byte salt is generated using crypto.getRandomValues(). The salt is stored on the server (it's not secret; it prevents rainbow table attacks).
- Key derivation. Your password + the salt are fed into PBKDF2 with 100,000 iterations and SHA-256 hashing. This produces a 256-bit AES key. The high iteration count makes brute-force attacks slow: each guess requires 100,000 hash rounds.
- Encryption. The document content is encrypted with AES-256-GCM using a fresh 12-byte initialization vector (IV). GCM mode provides both confidentiality and integrity — any tampering is detected on decryption.
- Upload. The ciphertext (IV + encrypted data, base64-encoded) is uploaded to the server. The plaintext never leaves your browser.
When a viewer enters the password, the same derivation runs in their browser. If the password is correct, the ciphertext is decrypted and displayed. If wrong, decryption fails and an error is shown.
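The four steps above and the viewer-side decryption, written against the Web Crypto API with the parameters stated on this page. This is an added example, not Note Shuttle's own code: the function names, the shape of the returned record and the Node fallback on the first code line are assumptions.

```javascript
// Added example, not Note Shuttle's source. Function names are hypothetical.
// In a browser this is window.crypto; the Node fallback only allows offline runs.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const PBKDF2_ITERATIONS = 100000, SALT_LEN = 16, IV_LEN = 12; // values from the page

const toB64 = (u8) => btoa(Array.from(u8, (b) => String.fromCharCode(b)).join(''));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Password + salt -> non-extractable 256-bit AES-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns what the server would store: the public salt and
// base64(IV || ciphertext || 16-byte GCM tag). No password, no key.
async function encryptNote(password, markdown) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN)); // fresh for every encryption
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(markdown)));
  const blob = new Uint8Array(IV_LEN + ct.length);
  blob.set(iv, 0);
  blob.set(ct, IV_LEN);
  return { salt: toB64(salt), blob: toB64(blob) };
}

// Resolves to the plaintext, or null when the password is wrong or the blob
// was altered. Both cases fail the same GCM tag check and look identical.
async function decryptNote(password, record) {
  const blob = fromB64(record.blob);
  const key = await deriveKey(password, fromB64(record.salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: blob.slice(0, IV_LEN) }, key, blob.slice(IV_LEN));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```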
Threat model: what encryption protects against
- Server compromise. If Note Shuttle's servers are breached, attackers get only ciphertext. Without your password, they cannot decrypt it.
- Database leak. Even if the entire D1 database is exfiltrated, encrypted documents are unreadable.
- Insider access. Note Shuttle's operator cannot read encrypted content. There is no master key or backdoor.
- Network interception. All traffic is over HTTPS, but even if a TLS termination point is compromised, the content is already encrypted at the application layer.
What it does not protect against: a compromised browser (malware on your device), a weak password (use 12+ characters), or someone watching your screen. Encryption protects data in transit and at rest, not on your own device.
Comparison with other encrypted communication
End-to-end encrypted messengers like Signal use a similar principle: keys are generated on-device, the server only relays ciphertext. Note Shuttle applies the same model to Markdown documents. The key difference is that Note Shuttle uses a password-based key (you share the password out-of-band) rather than per-user key pairs.
Encrypted email (PGP/S-MIME) is another comparison point. PGP requires both parties to exchange keys and set up software. Note Shuttle requires nothing from the viewer except the password — they open a link, type the password, and read.
Common encrypted note issues
- Forgot the password — can you recover it?
- No. Note Shuttle does not store your password. There is no recovery mechanism. This is the tradeoff of zero-knowledge encryption: maximum privacy means no safety net. Use a password manager.
- Decryption fails with the correct password
- If you're sure the password is correct, check that the document wasn't re-encrypted with a different password. If a parent folder was encrypted separately, the document might need the folder's password, not its own.
- Can I share an encrypted note publicly?
- Yes. Publish the note as a share link, then share both the link and the password through separate channels (e.g., link via email, password via Signal). This way, intercepting one channel alone is not enough.
- Does encryption affect performance?
- For documents under 1 MB, encryption and decryption are near-instant (under 100 ms on modern devices). For very large documents, there may be a brief delay during encryption. The PBKDF2 key derivation takes about 200-500 ms depending on the device.
Frequently Asked Questions
- What encryption algorithm does Note Shuttle use?
- AES-256-GCM for encryption, with keys derived from your password via PBKDF2 using 100,000 iterations and SHA-256. The initialization vector (IV) is 12 bytes, and the salt is 16 bytes, both generated with cryptographically secure random number generation.
- Can Note Shuttle read my encrypted notes?
- No. Encryption and decryption happen entirely in your browser using the Web Crypto API. The server only receives and stores the ciphertext. Without your password, neither Note Shuttle nor any attacker who compromises the server can read your content.
- What happens if I forget my encryption password?
- The content is permanently unrecoverable. Note Shuttle does not store your password or any recovery key. This is a fundamental property of zero-knowledge encryption — there is no backdoor. Write down your password or use a password manager.
- Is browser-side encryption really secure?
- Yes, when implemented correctly. Note Shuttle uses the Web Crypto API, which is a W3C standard implemented natively by all modern browsers. The PBKDF2 key derivation with 100,000 iterations makes brute-force attacks computationally expensive. AES-256-GCM provides both confidentiality and integrity — any tampering with the ciphertext will be detected during decryption.
- Can I encrypt a folder and all its documents at once?
- Yes. When you encrypt a folder, all documents inside it inherit the encryption. You unlock the folder once with the password, and all its documents are decrypted. Subfolders also inherit encryption from their parent.
Subscription notice: Encrypted publishing is available on the free plan. PRO ($5/year) and PLUS ($20/year) — referenced in this article for advanced limits — are recurring annual subscriptions that auto-renew until cancelled. A one-time non-renewing option is available at checkout (PRO $6, PLUS $21). Cancel anytime from your account settings; we offer a 7-day refund window on first-time purchases — see our Refund Policy. Payments are processed by Paddle.