User Guide

Reference documentation for every feature

Guide navigation

Privacy & Encryption

OikoNotes provides client-side encryption for sensitive content. You can redact individual words or entire blocks. All encryption happens in your browser — the server never sees your password or decrypted content.

Setting Up a Master Password

You must set up a master password before any encryption features work. Navigate to Settings → Privacy to create one.

Warning: Your master password cannot be recovered. If you forget it, any encrypted content is permanently lost. Choose a strong password you can remember — minimum 8 characters.

Inline Redaction

Wrap sensitive text in double pipes to redact it inline. No spaces are allowed directly after the opening || or before the closing ||.

Syntax: ||secret text||

Example: The password is ||my-secret-123||

This renders as a black REDACTED bar in the preview. Multiple inline redactions per line are supported.

Block Redaction

Use :::private on its own line, followed by your content, then ::: on its own line to close the block.

:::private
This entire section is private.
It can span multiple lines.
:::

This renders as a striped REDACTED block in the preview. You can also insert a block redaction via the /redacted slash command in the block editor.

How Encryption Works

  • AES-256-GCM authenticated encryption
  • Key derived from your master password via Argon2id
  • Encryption/decryption happens entirely in your browser (WASM)
  • Server stores only the encrypted ciphertext
  • A verification token confirms password correctness without revealing the password

Unlocking and Viewing Private Content

When viewing a note with private content, you will see REDACTED markers in place of the encrypted text.

  • Click the Declassify button in the editor to reveal content
  • You will be prompted for your master password if not already unlocked
  • Once unlocked, all private content across notes is accessible until auto-lock

Auto-Lock and Inactivity

After unlocking, a timer bar appears at the top of the page. The timer resets on any user activity (mouse movement, typing, clicking, scrolling).

  • After the configured period of inactivity (default 5 minutes), content automatically re-locks
  • The encryption key is cleared from memory on lock
  • You can lock manually by clicking Lock now in the timer bar
  • Timeout is configurable in Settings → Privacy (1 to 60 minutes)

Important Warnings

  • Your master password is never stored — only a verification token derived from it
  • If you forget your password, encrypted content cannot be recovered
  • Always keep a secure backup of your password
  • The encryption key exists only in browser memory while unlocked