End-to-end encryption means your notes are encrypted before they leave your device.
Not even Knovya can read them. Not our engineers. Not a court order. No one but you.
Per-note encryption keys. PBKDF2 key derivation. 30-minute auto-lock. Your most sensitive
knowledge — strategy documents, financial plans, personal journals — fully protected.
Your encrypted notes are stored as ciphertext. We literally cannot read them — even if we wanted to.
Per-note encryption keys
Each encrypted note gets its own key. Compromising one note doesn't expose others. Isolation by design.
30-minute auto-lock
Leave your desk? Encrypted notes lock automatically. Return, enter your passphrase, continue working.
Your key, your control
Encryption keys are derived from your passphrase using PBKDF2. We never store or transmit your passphrase.
How It Works
From your brain to our servers — always protected
Follow a note's journey. See exactly where encryption happens and why your content is never exposed.
01You writeOn your device
02You lockPassphrase entered
03EncryptedBefore it leaves
04Stored safelyOn our servers
05You unlockBack on your device
Step 01: You write
Your note exists in plaintext only on your device. The editor works locally — you see and edit the real content.
PLAINTEXT — YOUR DEVICE
# Product Launch Strategy
Target: 2,000 signups in first week
Key insight: staggered rollout...
Decision: defer payment migration
Step 02: You lock
When you mark a note as encrypted, you set a passphrase. PBKDF2 derives a unique encryption key from it. The passphrase never leaves your device.
KEY DERIVATION
passphrase → PBKDF2 →
iterations: 100,000
salt: [unique per note]
→ derived_key: a7f3...9d2e
Step 03: Encrypted
The note content is encrypted with your derived key before being sent to our servers. What we store is ciphertext — meaningless without your key.
CIPHERTEXT
x9kF2mP...7nQwL3rT
Bv8sY1dK...mH4jR6eW
pL3nT7xQ...wK9fD2sA
← unreadable without your key
Step 04: Stored safely
Our servers store encrypted blobs. No employee, no admin panel, no database query can reveal the content. Even a full data breach exposes nothing readable.
OUR DATABASE
note_id: 7f3a9d2e
content: [ENCRYPTED BLOB]
readable: ✕
admin access: ✕
court order: still ✕
Step 05: You unlock
When you access the note, ciphertext is sent to your device. Your passphrase derives the key again. Decryption happens locally. Content never exists in plaintext on our servers.
DECRYPTED — YOUR DEVICE AGAIN
# Product Launch Strategy
Target: 2,000 signups in first week
← decrypted locally, never on server
Full Transparency
What Knovya can — and can't — see
What we can see
Metadata necessary for the service to function. We're transparent about this.
Note exists (encrypted blob in our DB)
Note size (approximate)
When it was last modified
Your account metadata (email, plan)
What we can never see
Encrypted with your key. Mathematically impossible for us to access.
Note content — title, body, anything
What you wrote about
Who or what is mentioned
Attachments inside encrypted notes
Search queries on encrypted content
Your encryption passphrase
Design Decision
Why per-note, not full-vault encryption
Most encrypted note apps take an all-or-nothing approach. Knovya lets you choose which notes
to encrypt — because not all knowledge needs the same protection level.
Full-vault encryption
Everything encrypted — even meeting notes about lunch
Can't search across encrypted content
AI features disabled entirely
One passphrase compromised = everything exposed
Slow — decrypt everything on every session
Knovya: per-note encryption
Encrypt only what needs protection — salary data, strategy docs, journals
Non-encrypted notes remain fully searchable with AI features
Each note has its own key — isolation by default
AI features work on non-encrypted notes, respect encrypted ones
Fast — only decrypt the note you're opening
What to Encrypt
Not everything needs encryption. But these do.
Financial planning
Revenue projections, pricing strategies, runway calculations. The numbers that shape your company — protected.
Strategy documents
Competitive analysis, M&A plans, market entry strategies. Knowledge your competitors would pay for.
Personal journals
Reflections, career plans, personal goals. Your inner thoughts deserve privacy — not just from others, but from surveillance.
Health & legal notes
Medical information, legal consultations, sensitive personal records. Some knowledge is nobody else's business.
Credentials & access
API keys, server configs, access procedures. Operational secrets that need encryption at rest.
Client confidential
NDA-protected information, client strategies, sensitive deliverables. Your professional duty to protect.
Comparison
Encryption that actually protects you
Feature
Notion
Obsidian
Mem
Knovya
Encryption type
At rest (server-side)
Vault (local files)
—
E2E per-note
Who holds the key
Notion
You (local)
Mem
You (PBKDF2)
Can the company read it
Yes
N/A (local)
Yes
No — mathematically impossible
Granularity
All or nothing
Full vault
—
Per-note choice
AI features on encrypted
N/A
N/A
N/A
Respected — not processed
Auto-lock
No
No
No
30 min timeout
Open Source Encryption
Verify it yourself
Our encryption implementation is open source. Every cryptographic operation — key derivation,
encryption, decryption — is available for public inspection. We don't ask you to trust our words.
We ask you to read our code.
Security researchers, cryptographers, and the community can audit every line.
If there's a flaw, it will be found — and that's exactly what we want.