← All notes

Security

Encryption You Don't Have to Think About

The best privacy feature is the one you never notice. If encryption gets in the way of writing — extra passwords, broken sync, notes you can't search — most people quietly turn it off. So the real design problem isn't how strong the encryption is. It's how invisible it can be while staying strong.

What happens before a note is saved

When you type in Markpad, your browser derives a key from your passphrase and encrypts the note with AES‑GCM before anything touches storage. The passphrase itself is never sent anywhere — it can't be, because Markpad never asks for it over the network. What gets stored is ciphertext: unreadable without the key that only you hold.

This has a blunt consequence worth stating plainly: if you forget your passphrase, there is no "forgot password" flow that recovers your notes. Markpad cannot read them either, so it has nothing to hand back. That tradeoff — no recovery, no exceptions — is what makes the privacy promise real instead of marketing.

A company that can read your notes "just in case" can also lose them, sell access to them, or be compelled to hand them over. One that can't do any of those things.

The rest is ordinary software: a Markdown editor, live preview, backlinks. None of it requires you to think about encryption while you're using it — which is exactly the point. The security work happens once, silently, on your device, so the writing can stay simple.

No noise. Unsubscribe anytime.

Ideas worth
keeping.

Get new notes from this blog in your inbox, alongside occasional updates about what we're building at Markpad.