Notes App Encryption at Rest: What It Protects and What It Does Not

By · · · 4 min read

Think about what's in your notes app right now. Passwords. Addresses. Medical info. Bank account numbers. Business ideas. Journal entries you'd never want anyone else to read.

Now think about where those notes are stored, and whether anything is protecting them.

If the answer is "I'm not sure," that's exactly the problem.

Encryption at Rest vs End-to-End: Who Holds the Key

Both terms mean "your notes are encrypted." The difference is who can decrypt them, and that comes down to one question: who holds the key.

Encryption at rest scrambles your notes while they sit on a disk, on your phone, on the app maker's server, or both. The vendor usually keeps a copy of the key so the app can show you your notes, sync them between devices, and recover them if you forget your password. That convenience is the catch: if the vendor holds the key, the vendor can read your notes.

End-to-end encryption means the key never leaves your control. Your notes are encrypted before they reach the server, and only your device, unlocked by a passphrase or key only you have, can turn them back into readable text. The vendor stores ciphertext it cannot open. The trade-off is real: if you lose the key, no one can recover your notes, not even the company.

So encryption at rest is the floor. End-to-end is the ceiling. Most notes apps stop at the floor because the floor is easier to build and lets them offer password resets, server-side search, and ad targeting.

What Each One Actually Stops

The threat matters more than the label. Here is what each kind protects against:

How to Tell Which Kind Your Notes App Uses

You usually do not have to read a whitepaper. Three signs tell you the vendor holds the key, which means it is encryption at rest, not end-to-end:

  1. It can reset your access. If you forget your password and the app emails you a reset link and your notes come back, the vendor could decrypt them all along.
  2. It syncs across devices with no separate passphrase. If a new phone shows your notes after a normal login, the server decrypted and re-sent them.
  3. It searches or previews your notes on the server. Server-side search and notification previews require the server to read plaintext.

End-to-end apps say so plainly, ask you to set a passphrase the company never sees, and warn you that lost keys mean lost data. A fully offline app sidesteps the whole question: with no server copy, there is nothing for anyone to read remotely.

Your Notes Are a Goldmine

Most people don't think of their notes app as sensitive. It's not a banking app. It's not email. But look at what actually ends up in there:

This is some of the most valuable data on your phone. And for most people, it's sitting in an app with zero encryption.

What Can Go Wrong

Your phone gets stolen. If your notes aren't encrypted, anyone who gets past your lock screen has everything. Lock screens can be bypassed. Encryption can't.

Your cloud account gets breached. If your notes sync to the cloud, they're only as secure as your account password. One phishing email, one reused password from a data breach, and your notes are exposed.

Someone borrows your phone. You hand it to a friend to show them a photo. They swipe into your notes app. Maybe intentionally, maybe not. If there's no PIN lock, everything's visible.

An app has too many permissions. Some apps request broad storage access. If your notes are stored as plain text, other apps could potentially access them.

What Encryption Actually Does

AES-256 encryption scrambles your data so it's unreadable without the correct key. Even if someone gets physical access to your phone's storage. Pulls the files directly, they see garbled data, not your notes.

The critical detail: where is the encryption key stored?

If the key lives on a company's server, they can decrypt your data whenever they want. If the key lives on your device in a hardware-secured area (like the Android Keystore), only your phone can decrypt it. No one else holds a copy.

That's the difference between "we encrypt your data" and actual privacy.

What to Look For in a Notes App

If privacy matters to you, here's the baseline:

  1. AES-256 encryption at rest. Notes are encrypted on the device, not just during transfer
  2. Device-only key storage, the encryption key stays on your phone, ideally in a hardware-backed keystore
  3. No cloud requirement. If there's no server, there's nothing to breach
  4. No account required. No email or phone number means no identity tied to your data
  5. PIN lock or biometric lock, a second barrier before anyone can open the app

Anything less, and you're betting that nothing will ever go wrong.

How Scrib Handles This

I built Scrib to meet every one of those requirements. Here's how it works:

Two layers of encryption. Every note is automatically AES-256 encrypted the moment it's saved, that's the base layer, always on, no setup required. On top of that, you can toggle per-note encryption for your most sensitive notes, adding a second layer of AES-256 protection.

The encryption key is generated on your phone and stored in the Android Keystore, a hardware-backed secure area that other apps can't access. Scrib never connects to the internet. There is no server. No sync. No networking code in the app at all.

You can also set a PIN lock for the whole app and move sensitive notes into a Private Vault, a separate, hidden space only accessible with your PIN.

Zero data collected. No account needed. Just encrypted notes on your device.

Common Questions

Is encryption at rest enough?

It depends on who you are protecting against. Encryption at rest stops a thief who steals your device and a stranger who finds a dropped phone, because the stored files are scrambled without the key. It does not stop the vendor, because in most cloud apps the vendor holds the key and can decrypt your notes to read them, hand them to a court, or expose them in a breach of their systems. If you want the vendor locked out too, you need end-to-end encryption, where only you hold the key.

How do I know if my notes app is end-to-end encrypted?

Check who can reset your access. If the app can recover your notes after you forget your password, or read them to show you ads, or sync them across devices without ever asking you to set a separate passphrase, the vendor holds the key and it is not end-to-end. True end-to-end apps say so plainly, tie decryption to a passphrase or device key only you control, and warn that they cannot recover your data if you lose that key. An app that stores nothing in the cloud, like a fully offline notes app, sidesteps the question because there is no server copy to read.

Does Google Keep have end-to-end encryption?

No. Google Keep encrypts notes in transit and at rest on Google's servers, but Google holds the key, so Google can read your notes, surface them to other Google services, and produce them in response to a legal request. That is encryption at rest, not end-to-end encryption. If you want notes Google cannot read, you need an app where the key never leaves your device.

Keep Reading

Try Scrib Free

Get it on Google Play

AES-256 encrypted. No ads. No tracking. No account.

Get Scrib Free