Security Guide
Complete guide to securing your notes with encryption, best practices, and privacy features.
Why Security Matters
Your notes contain your thoughts, plans, and private information. Securing them protects:
- Personal privacy - Journals, health notes, finances
- Professional data - Client info, business plans
- Sensitive content - Password alternatives, personal records
Setting Up Encryption
Step-by-Step Setup
1. Open Settings
Click the gear icon in the sidebar or use keyboard shortcut.
2. Navigate to Security
Find the Security section in settings.
3. Enable Encryption
Toggle Encrypt Notes to ON.
4. Create Master Password
Choose a strong password:
- Minimum 12 characters (longer is better)
- Mix character types - Letters, numbers, symbols
- Consider a passphrase - correct-horse-battery-staple
- Unique to Yooz Notes - Don't reuse passwords
5. Set Auto-Lock Timer
Choose when notes automatically lock:
| Setting | Use Case |
|---|---|
| 1 minute | High security, shared devices |
| 5 minutes | Balanced (recommended) |
| 10 minutes | Personal device, convenience |
| Never | Fully trusted device only |
6. Generate Recovery Key
Critical step - Don't skip!
- Click Generate Recovery Key
- Copy the displayed key
- Store it securely (see below)
- Confirm storage
Recovery Key
Why It's Essential
Yooz Notes uses zero-knowledge encryption. We never see your password and cannot reset it. Your recovery key is the only backup.
Secure Storage Options
Recommended locations:
| Method | Pros | Cons |
|---|---|---|
| Password Manager | Encrypted, accessible | Single point of failure |
| Physical Safe | Offline, secure | Less accessible |
| Bank Safety Box | Very secure | Least accessible |
| Trusted Person | Backup access | Requires trust |
Never store:
- In Yooz Notes itself
- Unencrypted on your computer
- In email or cloud storage
- On sticky notes
Using Recovery Key
If you forget your password:
- Open Yooz Notes
- Click Forgot Password?
- Choose Use Recovery Key
- Enter your recovery key exactly
- Create a new password
- Notes are decrypted
Daily Security Practices
Locking Notes
Automatic: Notes lock after your set timeout.
Manual:
- Click lock icon in sidebar
- Keyboard: Cmd/Ctrl + L
- Close the browser tab
Unlocking Notes
- Open Yooz Notes
- Enter master password
- Press Enter or click Unlock
Working Securely
- Lock before leaving - Even briefly
- Use auto-lock - Set appropriate timeout
- Private browsing - Extra isolation (but no persistence)
- Close when done - Don't leave unlocked overnight
Encryption Deep Dive
How It Works
Technical Specifications
| Component | Implementation |
|---|---|
| Algorithm | AES-256-GCM |
| Key Derivation | PBKDF2-SHA256 |
| Iterations | 600,000 |
| Key Length | 256 bits |
| IV | 96 bits, unique per encryption |
| Auth Tag | 128 bits |
What's Protected
Encrypted:
- Note content (body text)
- Note metadata (timestamps, etc.)
- Future: Attachments
Not Encrypted (by design):
- Note titles (for sidebar display)
- Tag names (for filtering)
- Settings preferences
Enable "Encrypt Titles" in settings for maximum privacy. Sidebar will show generic labels.
Security vs. Convenience
High Security Mode
For maximum protection:
- Enable encryption
- Use strong password (16+ chars)
- Set auto-lock to 1 minute
- Enable title encryption
- Generate and store recovery key
- Use on single trusted device
Balanced Mode (Recommended)
For most users:
- Enable encryption
- Use strong password (12+ chars)
- Set auto-lock to 5 minutes
- Keep titles visible
- Generate recovery key
- Use on personal devices
Convenience Mode
For low-sensitivity notes:
- Encryption optional
- Longer auto-lock (10+ min)
- Visible titles and tags
- Still generate recovery key if encrypted
Threat Model
What Encryption Protects Against
| Threat | Protection |
|---|---|
| Device theft | Yes - encrypted at rest |
| Shoulder surfing | Partial - need to unlock |
| Network interception | Yes - local processing |
| Cloud provider access | Yes - encrypted before sync |
| Government requests | Yes - we have nothing to give |
| Malware on device | Partial - depends on malware |
What It Doesn't Protect Against
| Threat | Mitigation |
|---|---|
| Keyloggers | Use trusted devices, antivirus |
| Screen capture | Physical security |
| Password guessing | Use strong password |
| Lost recovery key | Multiple secure copies |
| Physical coercion | Legal/personal issue |
Troubleshooting
Forgot Password?
- Use recovery key (see above)
- If no recovery key, data cannot be recovered
- This is by design for your protection
Recovery Key Not Working?
- Check for typos (case-sensitive)
- Ensure complete key copied
- Try without spaces
- Contact support if issues persist
Locked Out Completely?
Without password AND recovery key:
- Encrypted notes cannot be recovered
- Unencrypted notes still accessible
- Start fresh with new password
Auto-Lock Not Working?
- Check timer setting
- Ensure encryption is enabled
- Clear cache and restart browser
- Check for browser extensions interfering
Privacy Beyond Encryption
Local-First
- Notes stored on your device
- No account required
- No data sent to servers
- Works offline
No Telemetry
- No usage tracking
- No analytics
- No advertising data
- Complete privacy
Open Source
- Encryption code auditable
- No backdoors
- Community verified
Security Checklist
Initial Setup
- Enable encryption
- Set strong master password
- Configure auto-lock timer
- Generate recovery key
- Store recovery key securely
- Test unlock with password
- Test recovery key (optional but recommended)
Ongoing
- Lock when stepping away
- Update password periodically
- Review auto-lock setting
- Know where your recovery key backup is stored
- Export notes backup (encrypted)