Client-Side Encryption in OmniCanvas: How to Keep Your Notes Truly Private

Why Note Encryption Matters

Most notetaking apps store your data in plaintext on their servers. That means the company, its employees, and anyone who breaches the server can read your notes. For personal journals, health records, financial planning, legal notes, or sensitive work documents, that is a real risk.

OmniCanvas takes a different approach. With client-side encryption, your notes are encrypted in your browser before they ever leave your device. The server only stores ciphertext — scrambled data that is meaningless without your password. Not even we can read your encrypted notes.

How It Works

The Encryption Standard

OmniCanvas uses AES-256-GCM, an industry-standard authenticated encryption algorithm used by banks, governments, and security professionals worldwide.

Here is what happens under the hood when you encrypt a note:

1. Key derivation — Your password is run through PBKDF2-SHA256 with 600,000 iterations, producing a 256-bit encryption key. This process is intentionally slow to make brute-force attacks impractical.
2. Encryption — Your note's content (canvas data, sticky notes, audio recordings, and OCR text) is encrypted using AES-256-GCM with a random initialization vector (IV).
3. Storage — Only the ciphertext, salt, and IV are stored. Your password and encryption key are never sent to the server or stored anywhere on disk.

Zero-Knowledge Architecture

This is a zero-knowledge system. The encryption and decryption happen entirely in your browser using the Web Crypto API. The server never sees your password, your encryption key, or your plaintext data.

Even if someone gained full access to the OmniCanvas database, your encrypted notes would be unreadable without your password.

How to Encrypt a Note

Encrypting a note takes about five seconds:

1. Find the note in your sidebar or note list
2. Open the note's context menu (click the three-dot menu or right-click)
3. Click **Encrypt**
4. Enter a password (minimum 4 characters) and confirm it
5. Click **Encrypt Note**

That is it. Your note is now encrypted. You will see a lock icon next to the note title in the sidebar and note list.

What Gets Encrypted

When you encrypt a note, the following data is encrypted:

• Canvas data — All drawings, shapes, text, and Excalidraw elements
• Sticky notes — All sticky note content and positions
• Audio recordings — Any voice memos attached to the note
• OCR text — Any handwriting recognition results

The note's title, tags, folder assignments, and timestamps remain unencrypted so you can still search, sort, and organize your notes without unlocking them.

Opening an Encrypted Note

When you click an encrypted note, OmniCanvas prompts you for the password. Enter it, and the note decrypts instantly in your browser.

To save you from re-entering the password every time, OmniCanvas caches the derived encryption key in memory for your current session. This means you can open, edit, and save the note freely until you close or reload the app. The cached key is never written to disk or sent anywhere.

Editing Encrypted Notes

Once you unlock an encrypted note, you can edit it normally. Every time you save, OmniCanvas automatically re-encrypts the updated content with a fresh IV before storing it. You do not need to do anything special — encryption is transparent once the note is unlocked.

Removing Encryption

If you decide a note no longer needs encryption:

1. Open the note's context menu
2. Click **Remove Encryption**
3. Enter the password
4. The note is decrypted and stored as plaintext going forward

Important: No Password Recovery

This is the most important thing to understand about client-side encryption: if you forget your password, your note cannot be recovered. There is no "forgot password" option. There is no backdoor. There is no support team that can decrypt it for you.

This is by design. If we could recover your data, it would mean we had access to your encryption key — which would defeat the purpose of zero-knowledge encryption.

Tips for Managing Encryption Passwords

• Use a password manager — Store your note encryption passwords in a dedicated password manager like 1Password, Bitwarden, or Apple Keychain
• Use strong, unique passwords — Each encrypted note can have its own password, so use different passwords for different sensitivity levels
• Do not use your account password — Your OmniCanvas login password and your note encryption passwords should be different

Encrypted Notes and Collaboration

Encrypted notes cannot be shared or used in real-time collaboration sessions. This is intentional — sharing an encrypted note would require sharing the encryption key, which would compromise the zero-knowledge model.

If you need to collaborate on a note, remove encryption first, collaborate, then re-encrypt when you are done.

When to Use Encryption

Encryption adds a small step (entering a password) to your workflow, so it makes sense to use it selectively for notes that genuinely need protection:

• Personal journals and diaries — Keep private thoughts private
• Financial planning — Budget spreadsheets, investment notes, tax planning
• Health and medical notes — Symptoms, medications, doctor visit notes
• Legal documents — Contracts, case notes, privileged communications
• Work confidential — Trade secrets, unreleased product plans, HR notes
• Passwords and credentials — Though a dedicated password manager is better for this

For everyday notes like meeting agendas or grocery lists, plaintext is fine.

Technical Details

|-----------|-------|

The entire encryption implementation is open and auditable in the client-side code. No proprietary or server-side cryptography is involved.

Getting Started

Client-side encryption is available now for all OmniCanvas users — free and paid. Open any note, click the menu, and choose Encrypt to get started. Your most sensitive notes deserve zero-knowledge protection.