Notesnook
End-to-end encrypted, open-source note-taking where your data stays yours — even from the server.
Notesnook is a fully open-source, end-to-end encrypted note-taking app that guarantees zero-knowledge privacy by encrypting all data on-device using XChaCha20-Poly1305 and Argon2 before it ever leaves your device. Built as a TypeScript monorepo, it delivers a consistent experience across web, desktop (Electron), Android, and iOS (React Native) clients, all sharing the same @notesnook/core engine and @notesnook/crypto encryption layer.
What sets Notesnook apart from privacy-first alternatives is its architectural honesty: the entire SQLite database is encrypted at the file level using better-sqlite3-multiple-ciphers, meaning even a stolen device backup or database snapshot is unreadable without your master key. The companion Vericrypt tool lets users mathematically verify that their data is encrypted before it reaches Notesnook’s servers — a level of transparency rare in any notes application.
The self-hostable sync server, built on ASP.NET Core with SignalR for real-time communication, means you can run the entire Notesnook stack on your own infrastructure. The rich Tiptap-based editor supports math formulas, code blocks with syntax highlighting, audio attachment playback, bidirectional note linking, tables, task lists, and embeds — all maintained as first-party extensions. For teams evaluating migration, the built-in importer handles Evernote ENEX files, Markdown, plain text, and several other formats.
What You Get
- Full database-level encryption with better-sqlite3-multiple-ciphers - The entire SQLite database on disk is encrypted, not just individual notes, so stolen backups or filesystem snapshots are unreadable without your master key.
- Verifiable encryption via Vericrypt - An open-source companion tool that lets you mathematically confirm your notes are encrypted before they reach any server, providing auditable proof of zero-knowledge claims.
- Self-hostable sync server - Run the complete backend on your own infrastructure using the open-source ASP.NET Core server with SignalR real-time sync, eliminating dependency on Notesnook’s cloud.
- Rich Tiptap editor with first-party extensions - A ProseMirror-based editor with math formula rendering, syntax-highlighted code blocks, audio attachment playback, bidirectional note linking, tables, task lists, and social embeds — all maintained in-repo.
- App vault for extra-sensitive notes - Lock individual notes behind a secondary password beyond your account password, adding a second encryption layer for your most sensitive content.
- Cross-platform sync with shared core engine - Web, desktop, and mobile clients all share the same
@notesnook/corelibrary, ensuring consistent behavior and encryption across all five platforms. - Web Clipper browser extension - Save web pages and articles directly into Notesnook with a browser extension that strips trackers and preserves article formatting.
- Import from Evernote, Markdown, and more - Migrate notes from Evernote (ENEX), Bear, Joplin, Markdown files, and plain text via the built-in importer tool.
- Notebooks, tags, reminders, and shortcuts - Full organizational system with nested notebooks, color-coded tags, scheduled reminders, and keyboard shortcuts for power users.
Common Use Cases
- Protecting journalist source notes - A reporter stores interview notes, encrypted documents, and source contact details in a vault-locked notebook, confident that even a device seizure cannot expose the data without their password.
- Private knowledge base for software engineers - A developer builds an interconnected knowledge graph using bidirectional note links, storing encrypted code snippets, architecture decisions, and debugging notes that sync across their work laptop and phone.
- Secure personal diary and journaling - Someone uses Notesnook as a daily journal, knowing the app-level lock and full database encryption prevent household members or cloud operators from reading personal entries.
- Self-hosted team notes for privacy-sensitive organizations - A legal firm or healthcare team deploys the Notesnook sync server on their own infrastructure, giving employees encrypted note sync without any data leaving their network.
- Academic research note management - A PhD student organizes encrypted research notes, citations, and annotated sources across notebooks, using the web clipper to save reference articles and the importer to consolidate notes from other apps.
- Replacing Evernote with full data ownership - A user migrating away from Evernote imports their entire ENEX library into Notesnook and immediately gains end-to-end encryption with no subscription required for basic sync.
Under The Hood
Architecture
Notesnook’s monorepo cleanly separates concerns into distinct layers: consumer applications (web, desktop, mobile), shared library packages, and server infrastructure. The @notesnook/core package houses all business logic through a Database class built on a custom Kysely fork, providing a type-safe SQL abstraction that runs identically across Node.js and browser environments using different SQLite backends. Sync logic is encapsulated in a dedicated subsystem with a Mutex-guarded Collector/Merger pattern that ensures deterministic conflict resolution when multiple clients modify the same note. The @notesnook/crypto package wraps libsodium via a custom WASM/Node bridge with lazy initialization, keeping the cryptographic layer surgically decoupled from both storage and transport. This architectural discipline means identical business logic runs on five platforms with zero duplication.
Tech Stack
TypeScript covers the overwhelming majority of the codebase in a yarn-managed monorepo using Volta for Node.js version pinning. React powers web and desktop UIs while React Native drives Android and iOS clients. The rich text editor is built on Tiptap 2 (ProseMirror-based) with an extensive set of first-party custom extensions. Electron wraps the web application for desktop deployment. The database layer uses better-sqlite3-multiple-ciphers for encrypted SQLite on desktop and Node.js, with an IndexedDB-backed virtual filesystem for the browser. Real-time sync uses Microsoft SignalR (WebSocket hub protocol) against an ASP.NET Core backend. electron-trpc provides type-safe IPC between Electron’s main and renderer processes without schema duplication. Cryptographic primitives come from libsodium via @notesnook/sodium, supporting XChaCha20-Poly1305 encryption and Argon2 key derivation. Build tooling uses tsup and tsdown.
Code Quality
The project employs a dual-layer testing strategy: Vitest for unit and integration tests in @notesnook/core covering notes, attachments, trash, tags, migrations, and full-text search triggers, and Playwright for comprehensive end-to-end tests of the web application covering user authentication, editor behavior, backups, sync, keyboard navigation, checkout, and search. ESLint is configured with react-hooks, license-header, and detox plugins, enforcing consistent code style and GPL-3.0 license compliance on every source file. TypeScript runs in strict mode throughout. Error handling in the sync layer is thorough, with mutex guards preventing concurrent sync corruption and explicit structured logging for diagnostics. The CONTRIBUTING.md outlines commit guidelines, style requirements, and PR processes in detail.
What Makes It Unique
The most technically distinctive aspect is the database-level encryption strategy: better-sqlite3-multiple-ciphers encrypts the entire SQLite file at rest, meaning filesystem snapshots, cloud backups, or stolen devices expose nothing without the master key — a guaranty that note-content-only encryption cannot match. The Vericrypt companion tool allows users to mathematically verify that data is encrypted before reaching any server, providing auditable proof that zero-knowledge claims are not merely marketing. The editor package maintains a notably large set of Tiptap extensions as first-party code rather than relying on the community ecosystem, ensuring long-term maintenance control over features like math rendering, audio playback, and bidirectional linking. The electron-trpc IPC bridge creates fully type-safe communication between Electron processes without the schema overhead of traditional IPC approaches.
Self-Hosting
Notesnook is licensed under the GNU General Public License v3.0 (GPL-3.0), a strong copyleft license. In plain terms, this means you can use, modify, and self-host Notesnook freely, including for commercial internal use. However, if you distribute a modified version — for example, shipping a customized Notesnook client to customers — your modifications must also be released under GPL-3.0. For organizations running Notesnook purely as an internal tool on their own servers, the copyleft requirements typically do not apply since you are not distributing software externally.
Running Notesnook yourself means operating both the ASP.NET Core sync server and the client applications, which requires meaningful infrastructure knowledge. The sync server needs persistent hosting, SSL termination, a database, and reliable connectivity for SignalR WebSocket connections. The server codebase is open-source but the self-hosting documentation is still maturing, so teams should expect to invest time in initial setup and ongoing maintenance including upgrades, backups, and monitoring. There is no official Kubernetes helm chart or one-click deploy path in the main repository, meaning ops work falls squarely on your team.
Compared to Notesnook’s managed cloud offering, self-hosting gives you complete data sovereignty — your notes never touch Notesnook’s infrastructure — but you give up managed upgrades, uptime guarantees, and direct support from the Streetwriters team. The managed tier includes a Pro subscription with additional storage, priority sync, and customer support SLAs. Self-hosters get full feature parity in the client applications but must handle capacity planning, disaster recovery, and staying current with server releases independently.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0AFFiNE
Productivity · Project Management · Note Taking
Write, draw, and plan in one infinite canvas — the open-source alternative to Notion and Miro that keeps your data yours.
AFFiNE
OtherTraefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.