Is Privnote safe?
What the encryption does and doesn't protect.
The short answer
Privnote is fine for casual notes. For passwords, API keys, or anything you'd rather not have a server read, the encryption model matters. Privnote uses server-side encryption. Your secret goes to their server in readable form, gets encrypted for storage, and is decrypted again for the recipient. The server handles the plain text twice. There's no way to verify what happens in between because the code is closed-source.
Server-side encryption
When you paste a note into Privnote, your browser sends it to their server as plain text over HTTPS. The server encrypts it for storage. When the recipient opens the link, the server decrypts it and sends it back. HTTPS protects the data in transit, but the server has the secret in readable form at both ends of the process, so the note is only as safe as that server: its operator, anyone who compromises it, and anything that logs request bodies can see the plain text.
This is different from client-side encryption, where the browser encrypts before anything is sent and the server only ever stores ciphertext it can't read.
Closed-source code
Privnote doesn't publish its source code, and the encryption algorithm isn't documented, so you're trusting claims you can't verify. With client-side tools, the encryption logic runs in your browser, where you can inspect the code that was served (with the caveat that this only tells you what ran on that visit, not what the site will serve next time); with open-source tools you can read the code wherever it runs. With Privnote, the encryption happens on their server behind closed doors.
The phishing problem
Fake Privnote clones have been documented that log secrets or swap cryptocurrency addresses in notes before delivery. Because Privnote's interface is simple, anyone can replicate it. Recipients can't easily tell a clone from the real thing. If someone sends you a link that looks like Privnote but uses a slightly different domain, you might not notice.
With client-side encryption that binds ciphertext to a specific domain, a clone can't decrypt data encrypted for the original site: the origin is mixed into the authenticated data (or the key derivation), so decryption on any other domain fails the authentication check rather than producing text that could be silently altered. One limit to keep in mind: this protects a recipient who is redirected to a clone after the note was created. It can't help if the sender pasted the secret into a clone in the first place, because the clone saw the plain text before any encryption happened.
The alternative: client-side encryption
Your browser encrypts the secret before anything reaches the server. The decryption key stays in the URL fragment, the part after the #, which browsers never include in server requests (it is not sent in the request line or in the Referer header). The server stores ciphertext it can't read. When the recipient opens the link, their browser downloads the ciphertext and decrypts it locally. The link is therefore the secret: anyone who holds it can read the note, so share it over a channel you'd trust with the note itself.
The protocol page documents the full encryption stack, including XChaCha20-Poly1305, Argon2id key derivation, and domain binding.
See also: Privnote alternative and all alternatives compared.
Common questions
Is Privnote safe for passwords?
For casual notes, yes. For passwords or API keys, use a tool with client-side encryption where the server never handles the secret in readable form.
Is Privnote end-to-end encrypted?
No. Privnote uses server-side encryption. The server processes your secret in plain text.
Can Privnote read my notes?
Their server handles your note in readable form during encryption and decryption. Whether they read it is a policy decision, not a technical guarantee.
Are there fake Privnote sites?
Yes. Phishing clones that look identical to Privnote have been documented. Some swap cryptocurrency addresses in notes before delivery.