$cat encrypted-notes-app.md

Encrypted Notes App: How to Keep Cloud Markdown Truly Private

12 min readby MDflowview as .md
An emerald padlock shield fused with a stack of markdown document cards — some sealed and dissolving into encrypted cipher blocks, others left open — floating above a cloud server on a dark terminal-grid background

Picking an encrypted notes app used to be a niche decision for the security-obsessed. In 2026 it is a mainstream one, because the notes you keep online are no longer just yours to read — they are the context you hand to AI agents, the drafts you sync across devices, and the secrets you would never want surfacing in a breach disclosure. The question is no longer should your notes be encrypted, but which app keeps your cloud markdown truly private without making it useless.

This is a decision-stage guide. If you want the deep mechanics of how client-side encryption works, we wrote a full explainer on client-side encryption. Here, the goal is narrower and more practical: what to look for, how the leading private-notes tools actually compare, and how to set up a workspace where the notes you want secret stay server-blind while the rest stays useful.

TL;DR — A truly private notes app encrypts your content on your device before upload, so the provider stores only ciphertext (this is "zero-knowledge" or client-side encryption). The strong options in 2026 are Standard Notes, Notesnook, Joplin, and Obsidian — but most encrypt everything, which locks AI agents out entirely. MDflow takes a different line: per-document AES-256 encryption in your browser, free on every plan, with an open-source command-line tool so you can decrypt your notes locally and never get locked in — and everything you don't encrypt stays readable by your AI agents.

What "truly private" actually means

A notes app is truly private only when the provider cannot read your notes even if it wanted to. That is a higher bar than most apps clear, and the marketing rarely makes the difference obvious. Three terms matter:

  • Encryption at rest — the provider encrypts your data on its disks but holds the keys. This protects against a stolen hard drive. It does not protect against a database breach, a rogue insider, or a subpoena, because the provider can decrypt your content at will. Most mainstream note apps stop here.
  • Client-side (end-to-end) encryption — your device encrypts the note before it is uploaded, and decrypts it after download. The server only ever handles ciphertext. This is the bar "truly private" requires.
  • Zero-knowledge — the result of doing client-side encryption properly: the provider has zero knowledge of your keys or your plaintext. There is simply no readable copy on the server to leak.

There is one honest ceiling worth stating up front, because vendors rarely do: in a web app, the same server that stores your ciphertext also delivers the JavaScript that encrypts it, so browser-based client-side encryption is strongest as a defense against a breach of stored data — a leaked database, a stolen backup, an over-retentive log. That is the threat that actually befalls people, and it is the one zero-knowledge encryption removes completely. (Native apps and open-source, auditable clients raise that ceiling.)

What to look for in an encrypted notes app

Before comparing products, know your checklist. A genuinely private notes app should tick most of these:

  1. Client-side / zero-knowledge encryption, not just "encrypted at rest." Look for the explicit claim that the provider never sees your plaintext or your keys.
  2. A named, modern cipher. AES-256-GCM or XChaCha20-Poly1305 for the content, and a slow key-derivation function (PBKDF2 with a high iteration count, or Argon2/scrypt) so your password is expensive to brute-force.
  3. Open, portable format. Can you get your notes out as plain files if the company disappears? Markdown-native beats a proprietary database with a lossy "export" button.
  4. No-recovery honesty. True zero-knowledge means the provider cannot reset your password — so a real one will warn you there is no recovery. An app that can email you your notes back is not zero-knowledge.
  5. Cross-device access without you running a server, if convenience matters.
  6. A clear stance on AI/agent access — because, as we'll see, encryption and agent-readability are mutually exclusive per note. The best tools let you decide document by document.

The encrypted notes app landscape in 2026

Here is an honest map of the strong options, and where each one fits. All of these do real client-side encryption — the differences are in scope, format, and whether AI can still use your notes.

AppEncryptionMarkdownHosted / self-hostGranularityAI-agent access
Standard NotesE2EE by default (XChaCha20-Poly1305)Paid plan onlyHosted or self-hostEverything encryptedNone (all ciphertext)
NotesnookZero-knowledge by defaultYesHosted or self-hostEverything encryptedNone (all ciphertext)
JoplinOptional E2EE syncNativeBring-your-own syncEverything (if E2EE on)Local only
ObsidianLocal vault; paid E2EE SyncNative (files on disk)Local-firstWhole vaultLocal plugins only
MDflowOptional client-side AES-256NativeHostedPer-documentUnencrypted docs, via MCP + API

A few notes on each:

  • Standard Notes is the veteran privacy-first choice. Everything — notes, tags, metadata — is end-to-end encrypted by default, on unlimited devices, free. The catch for markdown people: the free plan is plain-text only; markdown and rich editors require the paid Productivity plan. Because everything is encrypted, no external AI agent can read any of it.
  • Notesnook is the modern open-source contender: zero-knowledge by default, markdown support, a clean interface, and self-hostable. Same structural tradeoff — encrypt-everything means no agent can read your notes over the network.
  • Joplin is the power-user's open-source pick: markdown-native, with optional end-to-end encrypted sync where you choose the target (Nextcloud, WebDAV, S3, local). Maximum control, more setup, and its AI/agent story is local plugins rather than a hosted API.
  • Obsidian isn't an "encrypted app" per se — it's a local-first markdown vault on your own disk (private by default because nothing leaves your machine). Add the paid Obsidian Sync for end-to-end encrypted cross-device sync. Agent access is community plugins running locally, which the ChatGPT web app and your phone can't reach.

The pattern is clear: every strong encrypted notes app encrypts all or nothing. That is exactly right if your only goal is secrecy — and exactly wrong the moment you want an AI agent to use your notes.

The gap: encryption vs. AI-readability

Here is the tension almost every encrypted notes app leaves unresolved. An AI agent can only use what the server can read. If your notes are zero-knowledge encrypted, the server sees ciphertext, so ChatGPT, Claude, Cursor, or Codex — connecting over an API or a Model Context Protocol (MCP) server — see ciphertext too. Encryption and agent access are, correctly, mutually exclusive per note.

Most apps force this as a global switch: turn encryption on and lock your agents out of everything, or leave it off and hand the provider your plaintext. But that's a false choice. The right unit of decision is the individual document:

  • Your API keys, health records, legal drafts, and private journal → encrypt them; no one, not even your own agents, should read them.
  • Your project notes, research, meeting summaries, and reference docs → leave them readable, so your AI can retrieve them as context.

The best setup lets you draw that line document by document. That is the wedge MDflow was built around.

How MDflow keeps your cloud markdown truly private

MDflow is a hosted markdown workspace where the documents you want private never reach the server as plaintext — while the documents you want agents to use stay fully readable. Here is how to actually do it, and why it stays portable.

Encrypt a document in your browser (30 seconds)

  1. Open any document in the MDflow editor.
  2. Choose Encrypt, and set a password. Save that password in a password manager — there is no recovery.
  3. MDflow encrypts the document's markdown body in your browser with AES-256-GCM, using a 256-bit key derived from your password via PBKDF2-HMAC-SHA-256 at 600,000 iterations (OWASP's current recommendation). Every save uses a fresh random IV.
  4. Only the ciphertext travels to the server, stored as a self-describing marker:
mdflow-enc:v1:5oF3a2t...long-base64url-blob...kQ

The server treats it as an opaque string — it never receives your password and never sees your text. Your document title and folder names stay readable so you can still organize and find your files; only the body is encrypted. Unlock once per device and the derived key (not the password) is cached until you hit Lock.

You're not locked in: decrypt locally with mdflow-crypt

This is the part that separates "trust us" from truly private. MDflow's encryption format is open and documented, and there's a zero-dependency, open-source command-line tool — mdflow-crypt — that does the exact same crypto on your own machine. Your plaintext and password never leave your computer, and never go to a server or an AI model:

# Decrypt an exported mdflow-enc:v1 file locally → notes_decrypted.md
npx mdflow-crypt decrypt notes.md

# Encrypt locally, then paste the result into MDflow → notes_encrypted.md
npx mdflow-crypt encrypt notes.md

It uses the identical scheme — PBKDF2-HMAC-SHA256 (600k iterations) → AES-256-GCM — so a note encrypted in the browser opens on your laptop and vice versa. If MDflow ever vanished tomorrow, you could still read every encrypted note you own with an MIT-licensed tool that fits in one file. That is what "no lock-in" should mean.

The deliberate line between private and agent-ready

Because an encrypted document is unreadable to the server, MDflow excludes it from search and returns it only as opaque ciphertext through the HTTP API and the MCP server. Everything you leave unencrypted stays fully agent-ready: MDflow's folders, folder descriptions, and the mdflow_get_context tool make that context easy for ChatGPT, Claude, Cursor, and Codex to retrieve and write back. You decide where the line falls, one document at a time — the choice the all-or-nothing apps don't give you.

And notably, encryption is free. It's on every MDflow plan, not gated behind Pro — alongside public and private sharing, collections, comments, and automatic version history.

Where MDflow is headed

This is direction, not a dated commitment, but the shape of our thinking on privacy:

  • More metadata protected over time. Body-only encryption is the honest start; extending protection to more fields is a direction we care about — and one we'd rather under-promise than overstate.
  • Encrypted sharing that stays server-blind. Today you can share an encrypted document behind a password gate that decrypts in the reader's browser; making that flow smoother is on the list.
  • One-click OAuth for agents. Connecting an agent today means creating a Personal Access Token; native OAuth for the ChatGPT app and Claude.ai on the web is on the way, so your unencrypted context connects with a single authorize-and-go.

The bottom line

A truly private notes app is one where the provider only ever holds ciphertext — that's the difference between "we encrypt your data" (they hold the keys) and zero-knowledge (only you do). Standard Notes, Notesnook, Joplin, and Obsidian all clear that bar for pure secrecy, and any of them is a fine choice if you never want an AI to touch your notes.

MDflow is for the increasingly common case in between: you want some notes truly private and some notes readable by your agents, on one hosted markdown workspace, with the freedom to walk away — per-document AES-256 encryption in your browser, free on every plan, and an open-source mdflow-crypt tool so your encrypted notes are yours to decrypt anywhere.

Start free · Connect an AI agent · Read the API docs

Frequently asked questions

What is the best encrypted notes app in 2026?

There is no single best — it depends on your priority. Standard Notes and Notesnook are strong zero-knowledge choices that encrypt everything by default. Joplin is best if you want open-source with your own sync target. Obsidian suits local-first users who add paid end-to-end encrypted Sync. MDflow fits people who want per-document encryption on a hosted markdown workspace that AI agents can also read — you choose which notes are encrypted and which stay agent-readable, and it is free on every plan.

What does zero-knowledge mean for a notes app?

Zero-knowledge means the provider has zero knowledge of your keys or your plaintext. Your notes are encrypted on your own device before upload, so the server only ever stores ciphertext it cannot read. Even a database breach, a rogue insider, or a legal demand cannot reveal content the provider never held in readable form. It is the result of client-side (end-to-end) encryption.

Can I keep cloud notes private without self-hosting?

Yes. Client-side encryption lets you keep the convenience of a hosted cloud app while the provider stores only ciphertext. You get close to self-hosted-grade secrecy — no server to patch, back up, or secure — because the plaintext never leaves your device. For the documents that matter, you draw the privacy line without becoming your own sysadmin.

Are encrypted notes readable by AI like ChatGPT or Claude?

No, and that is the point. If a note is encrypted client-side, the server only sees ciphertext, so an AI agent connected through an API or MCP server cannot read it either. This is why all-or-nothing encryption conflicts with AI workflows. MDflow makes encryption per-document: encrypt the secrets you want no one (including your agents) to read, and leave the context you want agents to use unencrypted.

How does MDflow keep markdown notes private?

MDflow encrypts a document's markdown body in your browser with AES-256-GCM, using a key derived from your password with PBKDF2-HMAC-SHA-256 at 600,000 iterations. The server only ever stores ciphertext (mdflow-enc:v1:…) and never sees your text or password. You can also decrypt any encrypted document locally with the open-source mdflow-crypt command-line tool, so you are never locked in. Encryption is free on every plan, and there is no recovery — save your password in a password manager.

Further reading