Client-Side Encryption in OmniCanvas: How to Keep Your Notes Truly Private

Free spatial notes
Put this workflow on an infinite canvas instead of another linear doc.
OmniCanvas runs in the browser, syncs with the Mac app, and starts free.
Why Note Encryption Matters
Most notetaking apps store your data in plaintext on their servers. That means the company, its employees, and anyone who breaches the server can read your notes. For personal journals, health records, financial planning, legal notes, or sensitive work documents, that is a real risk.
OmniCanvas takes a different approach. With client-side encryption, your notes are encrypted in your browser before they ever leave your device. The server only stores ciphertext — scrambled data that is meaningless without your password. Not even we can read your encrypted notes.
How It Works
The Encryption Standard
OmniCanvas uses AES-256-GCM, an industry-standard authenticated encryption algorithm used by banks, governments, and security professionals worldwide.
Here is what happens under the hood when you encrypt a note:
- Key derivation — Your password is run through PBKDF2-SHA256 with 600,000 iterations, producing a 256-bit encryption key. This process is intentionally slow to make brute-force attacks impractical.
- Encryption — Your note's content (canvas data, sticky notes, audio recordings, and OCR text) is encrypted using AES-256-GCM with a random initialization vector (IV).
- Storage — Only the ciphertext, salt, and IV are stored. Your password and encryption key are never sent to the server or stored anywhere on disk.
Zero-Knowledge Architecture
This is a zero-knowledge system. The encryption and decryption happen entirely in your browser using the Web Crypto API. The server never sees your password, your encryption key, or your plaintext data.
Even if someone gained full access to the OmniCanvas database, your encrypted notes would be unreadable without your password.
How to Encrypt a Note
Encrypting a note takes about five seconds:
- Find the note in your sidebar or note list
- Open the note's context menu (click the three-dot menu or right-click)
- Click Encrypt
- Enter a password (minimum 4 characters) and confirm it
- Click Encrypt Note
That is it. Your note is now encrypted. You will see a lock icon next to the note title in the sidebar and note list.
What Gets Encrypted
When you encrypt a note, the following data is encrypted:
- Canvas data — All drawings, shapes, text, and Excalidraw elements
- Sticky notes — All sticky note content and positions
- Audio recordings — Any voice memos attached to the note
- OCR text — Any handwriting recognition results
The note's title, tags, folder assignments, and timestamps remain unencrypted so you can still search, sort, and organize your notes without unlocking them.
Opening an Encrypted Note
When you click an encrypted note, OmniCanvas prompts you for the password. Enter it, and the note decrypts instantly in your browser.
To save you from re-entering the password every time, OmniCanvas caches the derived encryption key in memory for your current session. This means you can open, edit, and save the note freely until you close or reload the app. The cached key is never written to disk or sent anywhere.
Editing Encrypted Notes
Once you unlock an encrypted note, you can edit it normally. Every time you save, OmniCanvas automatically re-encrypts the updated content with a fresh IV before storing it. You do not need to do anything special — encryption is transparent once the note is unlocked.
Removing Encryption
If you decide a note no longer needs encryption:
- Open the note's context menu
- Click Remove Encryption
- Enter the password
- The note is decrypted and stored as plaintext going forward
Important: No Password Recovery
This is the most important thing to understand about client-side encryption: if you forget your password, your note cannot be recovered. There is no "forgot password" option. There is no backdoor. There is no support team that can decrypt it for you.
This is by design. If we could recover your data, it would mean we had access to your encryption key — which would defeat the purpose of zero-knowledge encryption.
Tips for Managing Encryption Passwords
- Use a password manager — Store your note encryption passwords in a dedicated password manager like 1Password, Bitwarden, or Apple Keychain
- Use strong, unique passwords — Each encrypted note can have its own password, so use different passwords for different sensitivity levels
- Do not use your account password — Your OmniCanvas login password and your note encryption passwords should be different
Encrypted Notes and Collaboration
Encrypted notes cannot be shared or used in real-time collaboration sessions. This is intentional — sharing an encrypted note would require sharing the encryption key, which would compromise the zero-knowledge model.
If you need to collaborate on a note, remove encryption first, collaborate, then re-encrypt when you are done.
When to Use Encryption
Encryption adds a small step (entering a password) to your workflow, so it makes sense to use it selectively for notes that genuinely need protection:
- Personal journals and diaries — Keep private thoughts private
- Financial planning — Budget spreadsheets, investment notes, tax planning
- Health and medical notes — Symptoms, medications, doctor visit notes
- Legal documents — Contracts, case notes, privileged communications
- Work confidential — Trade secrets, unreleased product plans, HR notes
- Passwords and credentials — Though a dedicated password manager is better for this
For everyday notes like meeting agendas or grocery lists, plaintext is fine.
Technical Details
| Parameter | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key derivation | PBKDF2-SHA256 |
| PBKDF2 iterations | 600,000 |
| Salt length | 128 bits (random per note) |
| IV length | 96 bits (random per save) |
| Implementation | Web Crypto API (browser-native) |
The entire encryption implementation is open and auditable in the client-side code. No proprietary or server-side cryptography is involved.
Getting Started
Client-side encryption is available now for all OmniCanvas users — free and paid. Open any note, click the menu, and choose Encrypt to get started. Your most sensitive notes deserve zero-knowledge protection. Because only ciphertext leaves your device, your encrypted notes stay private even with cloud sync enabled; new users can start with the beginner's tutorial.
Ready to try spatial notetaking?
OmniCanvas is a free infinite canvas app for notes, sketches, and ideas.
Try OmniCanvas FreeNo credit card — or explore the interactive demo first, no account needed.
Keep reading
How to Pin Notes for Quick Access in OmniCanvas
Use pinning to keep your most important notes at the top of every view. Strategies for what to pin, when to unpin, and combining pins with other organization methods.
TutorialsSetting Up Cloud Sync in OmniCanvas: Access Your Notes Everywhere
OmniCanvas cloud sync keeps your notes in sync across the desktop app and web. Learn how to set it up and get the most out of cross-device access.
TutorialsSmart Shapes: How AI Shape Recognition Makes Drawing Faster
OmniCanvas Smart Shapes uses AI to recognize your hand-drawn shapes and clean them up automatically. Learn how to use this feature for cleaner diagrams.