0xAA - Random notes on security

One-time Notes

Always wanted to have my own version of Privnote to be sure of how the data is handled on the server… Finally, here it is.


  • connection is secured by HTTPS
  • note is encrypted on the client side with Triplesec (Salsa20 + AES + Twofish) with randomly generated key - the server doesn’t know what’s inside
  • due to heavy crypto, it will take >$100k to break a single note
  • upon successful submission, a URL type of {token}#{key} is generated
  • direct access of the generated URL will show the decrypted note (using the {key})
  • for security purposes, you may want to send the link without the key, so the receiver will have to enter the key manually to decrypt your message
  • there is only one shot - once the URL is accessed, the note is permanently deleted from the server. Additionally, notes auto-expire in 72 hours after creation.

Hope you’ll find it useful.