Standard Notes

End-to-end encrypted notes and files — private by design, built to last, and fully self-hostable.

6.5Kstars
539forks
GNU AGPLv3
TypeScript

Standard Notes is an open-source, end-to-end encrypted note-taking application built for journalists, legal professionals, and privacy-conscious individuals who need a durable, trustworthy place to capture their most sensitive work. Unlike mainstream cloud note services, Standard Notes encrypts all content on the client device before it ever leaves — meaning neither the service provider nor any third party can read your notes, even in the event of a data breach or legal compulsion.

The app operates across web, desktop (macOS, Windows, Linux via Electron), and mobile (iOS, Android via React Native) from a single TypeScript monorepo, with all platforms sharing core cryptographic and domain logic through shared packages. The sync layer is server-agnostic: users can connect to the official hosted server, run their own self-hosted server, or switch between them at any time — all without losing data.

Beyond raw note-taking, Standard Notes supports encrypted file storage, shared vaults with asymmetric cryptographic invitations, a plugin/extension ecosystem for additional editors and tools, and an integrated blogging platform called Listed that lets users publish directly from their encrypted notes to a public-facing newsletter and blog. The combination of longevity focus, audited cryptography, and extensibility makes it a strong choice for professionals who need to own their data for years or decades.

What You Get

  • Client-side end-to-end encryption — All notes, files, and tags are encrypted on-device using versioned cryptographic protocols (AES-256-GCM + PBKDF2/Argon2) before any data leaves your machine; the sync server stores only ciphertext.
  • Cross-platform sync on unlimited devices — A single account syncs seamlessly across web, macOS, Windows, Linux, iOS, and Android with no device caps on any plan tier.
  • Self-hosting in a few commands — Clone the repo, run yarn build:web, and serve the static output with any web server; pair it with the open-source sync server to run the full stack on your own infrastructure.
  • Encrypted shared vaults — Collaborate on notes and files inside shared vaults where membership is managed via asymmetric cryptographic invitations, so the server never holds vault keys.
  • Secure encrypted file storage — Attach PDFs, images, and documents to notes with the same zero-knowledge encryption applied to text content, stored in chunked encrypted blobs.
  • Listed blogging platform — Publish blog posts and automated email newsletters directly from Standard Notes to a public Listed.to page without exposing your identity or server credentials.
  • Extension and plugin ecosystem — Install community-built editors (rich text, code, task lists, spreadsheets) and tools through the official plugin documentation; developers can publish their own extensions.
  • Offline-first with automatic backups — Notes are cached locally and synced when connectivity is restored; the desktop app supports automatic local encrypted backup exports.

Common Use Cases

  • Confidential journalism and source notes — A reporter stores interview transcripts, source identities, and sensitive leads in encrypted notes, confident that server compromise or legal demands cannot expose the content.
  • Legal document and case management — An attorney keeps case notes, contract drafts, and privileged client communications in encrypted notes synced across office workstation and mobile, with offline access guaranteed.
  • Long-term personal knowledge base — A researcher builds a permanent archive of reading notes, citations, and drafts over decades, relying on Standard Notes’ longevity commitment and open storage format.
  • Team collaboration on sensitive documents — A small team shares encrypted vaults containing internal strategy documents and meeting notes, with cryptographic membership control that excludes even the hosting provider.
  • Private newsletter publishing — A writer composes essays inside encrypted notes, then publishes them directly to a Listed newsletter with email delivery — without maintaining a separate CMS.
  • Self-hosted privacy-first productivity stack — A developer or sysadmin runs the full Standard Notes stack on a private VPS to keep organizational note data entirely on-premises and off third-party infrastructure.

Under The Hood

Architecture Standard Notes is organized as a Yarn-workspace monorepo comprising over 20 packages, each scoped to a discrete domain: models for item types and payload shapes, encryption for versioned cryptographic operators, services for application business logic, snjs as the unified JavaScript SDK that wires all services together, and web/desktop/mobile for platform-specific shells. The services package itself is structured around a clean use-case pattern — every user-facing capability is expressed as an explicit named use case class implementing a UseCaseInterface, making intent readable without tracing call stacks. Dependency injection is handled through a centralized Dependencies.ts manifest in snjs, which constructs and connects every service at application startup. This architecture means cryptographic concerns are fully isolated in encryption and sncrypto, UI concerns live in the platform shells, and the domain logic in services can be tested without a browser or native runtime.

Tech Stack The codebase is written entirely in TypeScript 5.x with strict mode enforced across all packages. The web application uses React as its UI layer, bundled with Webpack, while the desktop shell wraps the web app in Electron for native distribution on macOS, Windows, and Linux. The mobile app is built with React Native and shares core domain logic from snjs through the shared package graph. Cryptography is implemented in sncrypto-web (WebCrypto API) and sncrypto-common (shared primitives), supporting AES-256-GCM encryption, PBKDF2 and Argon2id for key derivation, and X25519/Ed25519 asymmetric key pairs for vault collaboration. The build system uses Lerna Lite for versioned releases with conventional-commits-driven changelogs and automated npm publishing via GitHub Actions CI pipelines.

Code Quality The repository contains extensive test coverage across unit and integration scenarios — over 130 spec files spread through snjs, services, encryption, and models. The services package uses mock interfaces extensively, enabling pure unit tests for complex flows like challenge validation, key recovery, and vault invitation without requiring live network or storage. TypeScript strict mode, coupled with discriminated union types and runtime type guards, provides strong compile-time and runtime safety guarantees. ESLint with @typescript-eslint recommended rules and Prettier formatting are enforced uniformly. GitHub Actions run linting, tests, and a CodeQL security analysis on every pull request, with separate release workflows for web, desktop, mobile, and clipper packages.

What Makes It Unique Standard Notes implements a layered, versioned encryption protocol (currently Protocol 004) where the server is designed to be fully untrusted: root keys are derived entirely client-side from user credentials using Argon2id, items keys are encrypted with the root key and stored on the server as opaque ciphertext, and shared vaults use asymmetric X25519 key exchange so vault membership changes never require the server to know vault keys. The asymmetric messaging system (AsymmetricMessageService) allows contacts to exchange cryptographically signed, encrypted messages for vault invitations and trusted contact verification — all without a central authority. Item-level signature validation (ValidateItemSigner) enables verifiable authorship of notes, so shared vault members can confirm a note was authored by a specific cryptographic identity. This zero-knowledge, server-agnostic design — where the server acts purely as an encrypted blob relay — is rare among consumer note-taking applications and more commonly found in enterprise security products.

Self-Hosting

Standard Notes is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). This is a strong copyleft license: you can use, modify, and redistribute the software freely, including for commercial purposes, but any modifications you deploy as a network service must also be released under AGPL-3.0. For most self-hosters running an internal instance for their own organization, this distinction is academic — you are not distributing the software. However, if you plan to build a product or service on top of Standard Notes and offer it to external customers, you would need to open-source your modifications or negotiate a commercial license with the Standard Notes team.

Running Standard Notes yourself requires two components: the static web app (built from this monorepo with yarn build:web) and a separate sync server (maintained in a different repository). The sync server is a Node.js application that stores encrypted payloads in a relational database and requires a reverse proxy (nginx or Caddy) for TLS termination. File storage adds an S3-compatible object store. Operationally, you are responsible for database backups, server uptime, TLS certificate renewal, and applying upstream server updates — none of which are automated for self-hosters. The mobile apps on iOS and Android connect to whatever server URL you configure, so you retain full control over where data is stored.

Compared to the hosted Standard Notes service (standardnotes.com), self-hosters give up the managed upgrade path, official support channels, and any high-availability or CDN infrastructure that the cloud service provides. The hosted service offers a paid Pro plan that unlocks additional editors, themes, and cloud file storage with guaranteed uptime SLAs. Self-hosted instances can run all open-source features without restriction, but premium extensions that depend on server-side features (such as automated backups to cloud providers or certain premium editors distributed through the hosted extension registry) may not be available or may require additional configuration.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search