Encrypted notes that disappear after one read
This tool lets you stash a short secret — a password, a recovery phrase, a private message — encrypted with a passphrase only you know. The plaintext is never written to disk. Instead the note is encrypted in your browser and only the ciphertext is kept, under a random key id, in localStorage. When the note is read back with the correct passphrase it is shown once and then deleted.
How it works
The encryption uses the browser’s built-in Web Crypto (SubtleCrypto) API:
- A random 16-byte salt is generated and your passphrase is run through PBKDF2 with 150,000 iterations of SHA-256 to derive a 256-bit AES key. PBKDF2 makes brute-forcing a weak passphrase expensive.
- A random 12-byte initialisation vector (IV) is generated and the note is encrypted with AES-GCM. GCM is authenticated encryption, so a wrong passphrase or any tampering fails verification rather than producing garbage.
- The salt, IV, and ciphertext are concatenated, base64-encoded, and stored in localStorage under a random key id. The link you receive contains only that key id in its URL fragment — never the plaintext or passphrase.
To read: the stored blob is fetched by key id, the salt re-derives the key from the passphrase you type, and AES-GCM decrypts it. On success the entry is removed with localStorage.removeItem, so the note truly self-destructs.
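The write and read paths described above, as an added example that is not the tool's own source. The function names, the 16-byte hex key id and the in-memory stand-in for localStorage are assumptions made so the sketch also runs outside a browser.

```javascript
// Added example. Blob layout follows the page: salt(16) | iv(12) | ciphertext+tag.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 150000;
const enc = new TextEncoder(), dec = new TextDecoder();

async function deriveKey(passphrase, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// `store` is anything with the localStorage interface (getItem/setItem/removeItem).
async function saveNote(store, note, passphrase) {
  const salt = webcrypto.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = webcrypto.getRandomValues(new Uint8Array(IV_LEN));
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(note)));
  const blob = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  blob.set(salt, 0); blob.set(iv, SALT_LEN); blob.set(ct, SALT_LEN + IV_LEN);
  // Key id size (16 random bytes, hex) is an assumption; the page only says "random".
  const id = Array.from(webcrypto.getRandomValues(new Uint8Array(16)),
    b => b.toString(16).padStart(2, "0")).join("");
  store.setItem(id, btoa(String.fromCharCode(...blob))); // fine for short notes
  return id; // only this id belongs in the URL fragment
}

async function readOnce(store, id, passphrase) {
  const b64 = store.getItem(id);
  if (b64 === null) throw new Error("note not found or already read");
  const blob = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  const key = await deriveKey(passphrase, blob.subarray(0, SALT_LEN));
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  // decrypt() rejects on a wrong passphrase or a modified blob (GCM tag check),
  // so the entry is deleted only after a successful, authenticated read.
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv }, key, blob.subarray(SALT_LEN + IV_LEN));
  store.removeItem(id);
  return dec.decode(pt);
}

// Hypothetical in-memory stand-in for localStorage, used outside a browser.
function memoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => void m.set(k, String(v)),
           removeItem: k => void m.delete(k) };
}
```

In a browser, pass `window.localStorage` as `store`. A failed attempt leaves the entry in place, so the PBKDF2 cost is the only thing slowing repeated guesses against a stored blob.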
Notes and limits
Because storage is per-browser, the link is for your own machine or a shared kiosk session — not a cross-internet secret-sharing service. For one-time secrets you want to send to another person, copy the decrypted text out manually after revealing it, and pick a passphrase you can communicate over a separate channel. Clearing browser data or using private/incognito windows will also wipe stored notes.