VailNote is a simple, open-source note-sharing app designed for maximum privacy. All notes are encrypted using modern encryption technology before being stored, ensuring that no one else can access them. The app is built with a focus on user-friendliness and security.
🔗 See VailNote in action at vailnote.com.
- 🔒 End-to-end encryption
- 🗂️ Self-destructing notes - automatically deleted after viewing
- 🔑 Optional password protection
- ⏰ Configurable expiration times (10 minutes to 30 days)
- 🚫 No tracking or analytics
- 🛡️ Privacy-preserving rate-limiting using Anonymous Rate-Limited Credentials (ARC) (View Implementation)
- Framework: Fresh (Deno)
- Runtime: Deno
- Database: FoundationDB (Deno KV)
- Encryption: AES-GCM with PBKDF2 key derivation for content encryption, bcrypt for password storage
- Frontend: Tailwind CSS & Preact
Note
Safety and transparency are our top priorities. VailNote is made to be as secure as possible while still being easy to use and compatible with most clients. I highly encourage you to look into the architecture to ensure your safety!
Take a look at the architecture diagram for a better visual representation.
Every step that I think might be insecure, assuming the network, server, or database has been compromised, is marked with (!).
- Before sending anything to the server, the content will be encrypted.
- First, the password will be hashed with PBKDF2 for security.
- The original password (not the hash) will then be used to encrypt the content.
- If no password is provided, the client will generate a random phrase (auth key).
- The client will send the encrypted content, PBKDF2 hashed password, and expiration time to the server.
- If the document is valid, the server will generate a random note ID, hash the PBKDF2 password again using bcrypt for secure storage, and store the note in the database.
- The server will send a successful response containing the new note ID.
- The client will generate a valid link using the note ID and local auth key using the following structure:
  `https://vailnote.com/[noteId]#auth=[authKey]`
- When a note is accessed, the client fetches the encrypted note data from the server.
- The client asks the user for confirmation before viewing (and destroying) the note.
- If an auth key is present in the URL, the client uses it to decrypt the note. If a password is required, the client prompts for it and decrypts locally.
- The client never sends the password or auth key to the server—decryption always happens in the browser.
- After successful decryption, the client requests that the server delete the note.
- If decryption fails, the note remains on the server until a valid decryption attempt is made or it expires.

(None)
- Deno v2.3 or later
- Clone the repository:

  ```bash
  git clone https://github.com/emilkrebs/VailNote.git
  cd VailNote
  ```

- Set up environment variables:

- Start the development server:

  ```bash
  deno task start
  ```

- Open http://localhost:8000 in your browser
- `DATABASE_URI` - Deno KV connection string
- `ARC_SECRET` - Secret for ARC rate-limiting
This project is licensed under the MIT License - see the LICENSE.md file for details.