SECURE NOTES
§ GLOSSARY: Privacy & encryption terms

The vocabulary of end-to-end encrypted notes.

A working glossary of the cryptography, key-management, and Apple-platform terms behind every honest claim of privacy. Plain English, technically accurate, no marketing.

A

Advanced Data Protection (ADP)

Apple's opt-in setting that flips most iCloud categories to end-to-end encryption with user-held keys.

Advanced Data Protection is an iCloud setting introduced in iOS 16.2 (December 2022). When enabled, iCloud Backup, Notes, Photos, Reminders, Safari bookmarks, Wallet passes, and other categories switch from Apple-managed keys to user-held keys — meaning Apple, served with a subpoena, can only hand over ciphertext.

ADP is off by default. Turning it on requires a recovery contact or a printed recovery key, because Apple deliberately discards its ability to reset your account. Email, Calendar, and Contacts stay Apple-managed for interoperability reasons and remain outside the ADP boundary.

Advanced Data Protection, explained

AES-128

Symmetric block cipher with a 128-bit key — the lower-strength sibling of AES-256.

AES-128 is the 128-bit-key variant of the Advanced Encryption Standard, the block cipher ratified by NIST in 2001 (FIPS-197). It performs ten rounds of substitution and permutation on 128-bit blocks of plaintext and is still considered cryptographically unbroken for most threat models.

Most consumer apps use AES-256 instead of AES-128 — not because AES-128 is weak, but because the larger key size gives a comfortable margin against future cryptanalysis and against the theoretical key-recovery speedup that a sufficiently large quantum computer would offer via Grover's algorithm.

What is AES-256 encryption

AES-256

Symmetric block cipher with a 256-bit key — the modern default for protecting data at rest.

AES-256 is the 256-bit-key variant of the Advanced Encryption Standard. It runs fourteen rounds on 128-bit blocks and is the cipher used by iOS file-system encryption, iCloud at-rest encryption, and virtually every reputable encrypted-notes app — including Secure Notes.

The 256-bit key gives a key space of 2^256, large enough that brute-forcing it would require more energy than the observable universe contains. AES-256 is approved by the U.S. NSA for Top Secret information under Suite B / CNSA. Its security depends entirely on how the key is derived and stored, not on the cipher itself.

What is AES-256 encryption

AES-256-GCM

AES-256 operated in Galois/Counter Mode — gives you both confidentiality and integrity.

AES-256-GCM combines the AES block cipher with Galois/Counter Mode, an authenticated-encryption construction. Each encryption produces both a ciphertext and an authentication tag; decryption fails loudly if the ciphertext has been tampered with or if the wrong key is used.

GCM is the mode used by TLS 1.3, the iOS Data Protection class, and Secure Notes itself. It requires a unique nonce per message — reusing a nonce with the same key destroys the integrity guarantee, which is why every modern implementation derives a fresh nonce per write.

AES-256 in note apps

Authenticated Encryption (AEAD)

Encryption that also proves the ciphertext was not modified — confidentiality plus integrity in one operation.

AEAD stands for Authenticated Encryption with Associated Data. It is a class of ciphers — AES-GCM and ChaCha20-Poly1305 are the two dominant examples — that produce a ciphertext and an integrity tag together, and let you bind that tag to extra context (the “associated data”) that travels in the clear but must not be tampered with.

Modern encrypted-notes apps use AEAD by default. The alternative — encrypting with AES-CBC and then computing an HMAC separately — is error-prone and has historically led to padding-oracle attacks. AEAD eliminates that whole class of bugs by making integrity inseparable from confidentiality.

How modern note apps encrypt

B

BFU / Before First Unlock state

The state an iPhone is in after a reboot but before you've entered the passcode — most data is unreadable, even to iOS.

Before First Unlock (BFU) is the state your iPhone is in between a cold boot and the first successful passcode entry. In BFU, the keys that unwrap your file-system encryption are not yet in memory, so iOS literally cannot decrypt most of your data — and neither can any extraction tool plugged into the Lightning or USB-C port.

After you enter the passcode once, the device transitions to AFU (After First Unlock). From that point on, even when locked, iOS keeps a number of decryption keys live in RAM for biometric unlock and background tasks. Forensic tooling like Cellebrite is dramatically more effective against AFU devices, which is why turning your iPhone off — not just locking it — before a border crossing is the well-known privacy move.

How Face ID protects your data

Biometric template

The mathematical representation of your face or fingerprint — not an image, and not reversible.

A biometric template is the numerical feature vector your phone derives from a face scan or fingerprint read. It is not a photo and not a print; it is a one-way projection optimized for matching. On Apple devices, the template lives only inside the Secure Enclave and is never exposed to iOS, to apps, or to Apple's servers.

Templates are device-bound and salted, so the template generated on your iPhone is useless on any other device — and useless to any attacker who somehow extracted it. This is why every well-designed biometric system is described as “authenticate, don't store.”

Face ID, explained

BIP-39

The Bitcoin Improvement Proposal that standardized the 12/24-word recovery phrase.

BIP-39 defines a way to encode a cryptographic seed as a sequence of dictionary words — typically twelve or twenty-four — drawn from a fixed wordlist of 2,048 entries. Each word carries 11 bits of entropy, so a 12-word phrase encodes 132 bits (128 bits of seed plus 4 bits of checksum).

BIP-39 was written for Bitcoin wallets but the format is now used wherever apps need a human-transcribable backup: hardware wallets, password managers, and Secure Notes' 12-word recovery seed. The wordlist is deliberately built so that the first four letters of each word are unique, which makes handwritten transcription forgiving of bad penmanship.

Recovery seed phrases for notes

Brute force attack

Trying every possible key until one decrypts the ciphertext — the dumbest, slowest attack there is.

A brute-force attack is exhaustive key search: enumerate every possible key, try each one against the ciphertext, stop when the plaintext looks valid. For AES-256, the search space is 2^256 keys — roughly 10^77 — which is why brute-forcing the cipher directly is not a realistic threat.

The realistic version of brute-forcing is attacking the password rather than the key. A weak passphrase can be guessed offline using GPU clusters or specialized hardware, which is why modern apps run passwords through a slow key-derivation function (PBKDF2, scrypt, or Argon2) before they ever touch the cipher.

Why AES-256 cannot be brute-forced

C

CBC mode

Cipher Block Chaining — an older AES mode that needs a separate MAC to be safe.

Cipher Block Chaining (CBC) is one of the original AES operating modes. Each block of plaintext is XORed with the previous ciphertext block before being encrypted, so identical plaintext blocks produce different ciphertext blocks — solving the obvious weakness of ECB mode.

CBC is no longer recommended on its own because it does not provide integrity. Used naively, CBC mode is vulnerable to padding-oracle attacks (POODLE, BEAST). Modern apps either use authenticated modes like GCM instead, or carefully combine CBC with an HMAC under the encrypt-then-MAC discipline.

AES modes explained

Ciphertext

The encrypted, scrambled output — the version of your data that's safe to store and transmit.

Ciphertext is what comes out of an encryption function. It is the scrambled, indistinguishable-from-random bytes that result from running plaintext through a cipher with a key. Without the key, ciphertext should be statistically indistinguishable from random noise.

The whole point of end-to-end encrypted note apps is that the bytes sitting on iCloud, on the publisher's servers, and crossing the network are always ciphertext. The plaintext only exists momentarily, in RAM on your device, while you're reading or editing the note.

Plaintext vs ciphertext

CloudKit

Apple's developer-facing iCloud framework — the pipe through which third-party apps sync data.

CloudKit is the framework Apple gives third-party developers to read and write data into a user's iCloud account. It exposes two databases per app: a public one shared across users, and a private one scoped to a single Apple ID. Secure Notes uses the private database exclusively.

Crucially, CloudKit does not encrypt your data in a way Apple cannot see — by default, Apple holds the keys. End-to-end encryption on top of CloudKit is the developer's job: encrypt on-device before writing, decrypt on-device after reading. That is the architecture Secure Notes runs.

Secure notes that sync with iCloud

Cold-boot attack

Yanking power from a device and reading still-fading encryption keys out of RAM.

A cold-boot attack exploits the fact that DRAM contents persist for seconds to minutes after power is removed, especially if the chips are cooled. Decryption keys that were live in memory can sometimes be recovered by quickly transplanting the RAM into an attacker's machine.

iPhones are largely immune. The Secure Enclave never exposes the master key to main RAM, and the volatile keys that do live in RAM are wiped on lock for the most sensitive Data Protection classes. The realistic cold-boot scenario is now a laptop, not a phone — and even there, modern OSes lock memory aggressively when the lid closes.

Secure Enclave and device security

Cryptographic hash

A one-way function that turns any input into a fixed-size fingerprint.

A cryptographic hash function takes input of arbitrary length and produces a fixed-length output — the digest — such that the same input always produces the same digest, but the digest reveals nothing useful about the input. SHA-256 produces a 256-bit digest; SHA-512 produces a 512-bit one.

Hashes are everywhere in encrypted apps: they're used inside HMAC for integrity, inside HKDF and PBKDF2 for key derivation, inside Merkle trees for sync, and inside the signature verification that proves an iOS app hasn't been tampered with since Apple signed it.

Hashes and AES

E

End-to-end encryption (E2EE)

Encryption performed on your device, decrypted only on your other devices — with no readable copy in between.

End-to-end encryption means the encryption and decryption both happen on user-controlled endpoints, never on a server in the middle. The server stores and forwards opaque ciphertext but never holds the keys that would decrypt it.

E2EE is the only form of encryption that survives a server breach. If the publisher is hacked, if a government compels disclosure, if an employee goes rogue — none of it leaks your plaintext, because the plaintext never lived on the server. Secure Notes is E2EE by default. Apple Notes is E2EE only when Advanced Data Protection is turned on.

Zero-knowledge architecture

Entropy

How unpredictable a value is — measured in bits, where more is better.

Entropy quantifies unpredictability. A coin flip has one bit of entropy. A six-sided die roll has about 2.58 bits. A random 256-bit key has 256 bits of entropy, assuming the random number generator did its job.

Entropy is the input that makes encryption work. A 256-bit key derived from a four-digit PIN has at most ~13 bits of entropy, not 256 — which is why a slow KDF and a strong password matter more than the cipher's nominal key size. BIP-39 12-word seeds have 128 bits of entropy, which is well past any practical brute-force horizon.

Entropy and recovery seeds

F

FIPS-197

The U.S. federal standard that defines AES — the cipher behind almost every encrypted notes app.

FIPS-197 is Federal Information Processing Standard 197, the 2001 NIST publication that formally defined the Advanced Encryption Standard. It specifies AES-128, AES-192, and AES-256, all using the Rijndael algorithm selected after a five-year open competition.

FIPS-197 is the standard you'll see referenced in compliance documents (FedRAMP, FIPS 140-3, CNSA). Apple's CryptoKit is FIPS-validated. So is Secure Notes' underlying CommonCrypto stack. The standard hasn't been amended since adoption — the algorithm has not needed it.

AES and FIPS-197

G

GCM mode

Galois/Counter Mode — turns AES into an authenticated cipher.

GCM is an AES operating mode that combines counter-mode encryption with a Galois-field MAC. The result is authenticated encryption: every ciphertext comes with a 128-bit tag that decryption verifies before returning any plaintext.

GCM is fast, parallelizable, and widely supported in hardware (Intel AES-NI, ARM Crypto Extensions). It is the default mode for TLS 1.3 cipher suites and for iOS CryptoKit's symmetric APIs. Its only sharp edge is nonce reuse — every encryption must use a unique nonce per key, or the integrity guarantee collapses.

AES modes and GCM

H

HKDF

HMAC-based Key Derivation Function — turns one strong key into many domain-separated keys.

HKDF (RFC 5869) is a key-derivation function used to expand and split key material. Given a master secret, HKDF lets you derive any number of subkeys for distinct purposes — one for AES, one for HMAC, one per file — without those subkeys being correlatable to each other or to the master.

HKDF is used in TLS 1.3, Signal, and inside Apple's Data Protection. It's the right tool when you already have high-entropy input. For low-entropy input like a user password, you reach for PBKDF2, scrypt, or Argon2 first, then HKDF to split that output into specific keys.
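The password-first, HKDF-second chain from the paragraph above, as an added example using only the Python standard library (not Secure Notes' own code). The purpose labels, the `example-vault/v1/` prefix and the function names are assumptions; the iteration count is the 100,000 floor this page cites for PBKDF2.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000  # the floor this page cites; higher is slower to guess
HASH_LEN = 32                # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: condense input key material into a PRK."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA-256 output is limited to 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_keys(password: str, salt: bytes) -> dict[str, bytes]:
    """Slow KDF for the low-entropy password, then HKDF to split the result."""
    # Step 1: PBKDF2 makes every password guess cost PBKDF2_ITERATIONS HMACs.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS, dklen=HASH_LEN)
    # Step 2: HKDF is fast; it only separates the key by purpose.
    prk = hkdf_extract(salt, stretched)
    purposes = ("note-encryption", "search-index-mac")  # hypothetical labels
    return {p: hkdf_expand(prk, b"example-vault/v1/" + p.encode(), HASH_LEN)
            for p in purposes}


if __name__ == "__main__":
    # Constructed sample inputs; a real salt comes from os.urandom(16) and is
    # stored alongside the ciphertext.
    keys = derive_vault_keys("correct horse battery staple", bytes(range(16)))
    for purpose, key in keys.items():
        print(purpose, key.hex())
```

The `info` string is what keeps the subkeys independent: changing the purpose label yields an unrelated key from the same password and salt, so a key that leaks from one use does not expose the others.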

Key derivation in encrypted apps

I

iCloud Keychain

Apple's end-to-end-encrypted password and credential store, synced across your devices.

iCloud Keychain is Apple's password manager, built into every Apple device. It stores passwords, passkeys, Wi-Fi credentials, and credit cards, and syncs them between devices that share an Apple ID. Crucially, iCloud Keychain has been end-to-end encrypted since long before Advanced Data Protection — it does not need ADP to be E2EE.

The keys derive from your device passcodes plus an iCloud Security Code, with recovery handled by a constellation of HSM-backed escrow servers Apple cannot read. For most users it's a good default; Secure Notes complements it for free-form text and voice that doesn't fit the password-manager schema.

Is iCloud safe for sensitive notes

Initialization Vector (IV)

A per-message random value that makes the same plaintext encrypt to different ciphertext each time.

An initialization vector is a public, per-message value mixed into the start of an encryption operation. Its job is to ensure that encrypting the same plaintext twice — with the same key — produces two different ciphertexts.

For CBC mode, the IV must be unpredictable. For CTR and GCM modes, the IV (often called a nonce there) must be unique per key but does not need to be unpredictable. Reusing an IV is one of the classic implementation failures — it has broken WEP, broken stream ciphers, and broken every implementer who learned the hard way that “random” and “unique” are not the same word.

IVs, nonces, and AES

K

Key derivation function (KDF)

A deliberately slow function that turns a human password into an encryption key.

A key derivation function takes weak, low-entropy input (a passphrase) and stretches it into a high-entropy cryptographic key. The defining property is that the function is intentionally slow — milliseconds on legitimate hardware, slow enough that an attacker running billions of guesses on a GPU farm hits a wall.

PBKDF2 is the older standard, configured by iteration count. Argon2 is the newer winner, tunable by time, memory, and parallelism. Both serve the same purpose: make password cracking quadratically more expensive than it would otherwise be. Secure Notes uses PBKDF2 with 100,000+ iterations of SHA-256.

Key derivation, plainly

L

Legacy Contact

Apple's mechanism for letting someone access your account data after you die.

Legacy Contact is an Apple ID feature that lets you designate one or more people who, after your death, can request access to your account data by presenting a death certificate and an access key you generated for them. It applies to most iCloud data — photos, files, mail, contacts, notes.

Legacy Contact does not bypass end-to-end encryption. Categories protected by Advanced Data Protection — including E2EE Notes content — cannot be unlocked by a Legacy Contact unless they had separate access to your passphrase or recovery key during your lifetime. This is the cost of zero-knowledge architecture, and the right answer is to plan inheritance explicitly.

Inheritance and encrypted notes

M

Master password

The single password that unlocks the vault — the keystone the whole system depends on.

The master password is the human-memorable secret a user types to unlock an encrypted vault. Behind the scenes, the app runs it through a KDF to derive an AES key; that key decrypts the rest of the system. The master password itself is never stored on disk.

Master-password strength dominates the security of the whole stack. A 256-bit AES key derived from “password1” gives you the security of “password1.” The right discipline is a long, novel passphrase — four random words from a dictionary clears 50 bits of entropy and is well into the “not realistically guessable” range.

Password-protecting notes

Message Authentication Code (MAC)

A short tag that proves a message hasn't been altered and was created by someone who knew the key.

A MAC is a cryptographic tag computed over a message with a secret key. The recipient — who also knows the key — can recompute the tag and verify it matches, proving both authenticity (the sender knew the key) and integrity (nothing in transit was changed).

HMAC, built on top of a hash function like SHA-256, is the canonical MAC. Authenticated-encryption modes like AES-GCM include a MAC implicitly via their authentication tag, which is why those modes are now preferred over the older encrypt-then-MAC patterns.

MACs and authenticated encryption

N

Nonce

A number used once — paired with a key so the same plaintext never encrypts to the same ciphertext twice.

Nonce stands for “number used once.” In modern AEAD ciphers like AES-GCM and ChaCha20-Poly1305, the nonce is a per-message value (typically 96 or 192 bits) that combines with the key to produce a unique keystream for that message.

Nonce uniqueness is non-negotiable. Reusing a nonce with the same key in GCM mode catastrophically destroys both confidentiality and integrity — it leaks the XOR of the two plaintexts and lets attackers forge tags. Implementations either use a counter or pick from a large enough random space (XChaCha20's 192-bit nonce is sized exactly for this) to make reuse statistically impossible.

Nonces, IVs, and AES

P

PBKDF2

Password-Based Key Derivation Function 2 — the standard slow function for turning a password into a key.

PBKDF2 (RFC 8018) is a key derivation function that applies a pseudorandom function — typically HMAC-SHA-256 — to the password and salt, iterated many thousands of times. The iteration count is the cost knob: higher means slower, which means more expensive to brute-force.

PBKDF2 is what most Apple platforms, 1Password's older formats, and Secure Notes use under the hood. Newer designs prefer Argon2id, which adds memory-hardness to defeat GPU and ASIC attackers more effectively. Both are valid choices in 2026; PBKDF2 with a high iteration count is still well above the threshold for consumer threat models.

PBKDF2 in note apps

Plaintext

The readable, unencrypted version of your data.

Plaintext is data in the clear — the words you typed, the audio you recorded, the file you imported, before any encryption has been applied. Plaintext is the form information takes inside your head and inside your app's UI; it must not be the form it takes anywhere else.

A secure-by-design note app's job is to minimize the lifetime of plaintext. It exists in RAM while you're editing, gets re-encrypted on save, and never lands on disk or on iCloud in plaintext form. Memory pressure, app suspension, and background snapshots are all places where plaintext can leak if the app is sloppy.

Plaintext vs ciphertext

Q

Quantum-resistant cryptography

Algorithms designed to survive attack by a sufficiently large quantum computer.

Quantum-resistant (or post-quantum) cryptography refers to algorithms believed to remain secure even against an adversary with a large-scale quantum computer. Shor's algorithm breaks RSA and elliptic-curve cryptography in polynomial time; Grover's algorithm halves the effective key length of symmetric ciphers.

For symmetric primitives like AES-256, the practical impact is modest: AES-256 against Grover gives 128 bits of effective security, still well past brute-force reach. Public-key cryptography is the harder problem, and NIST finalized its first post-quantum standards (Kyber, Dilithium) in 2024 — Apple has begun rolling out PQ3 in iMessage on top of them.

AES and the quantum question

R

Recovery seed

A human-transcribable backup of your encryption key — usually 12 or 24 dictionary words.

A recovery seed is a sequence of words — typically from the BIP-39 wordlist — that encodes the entropy needed to regenerate your encryption key. If you lose your master password, the seed is the only thing standing between you and permanent data loss.

Secure Notes generates a 12-word seed once, at vault creation, and never stores it on its servers or in your iCloud. The user is responsible for writing it down or printing it and keeping it somewhere durable. This is the cost of zero-knowledge: no one can reset what no one but you can read.

Recovery seed phrases for notes

S

Secure Enclave

A dedicated security coprocessor inside Apple chips that handles keys and biometrics in isolation.

The Secure Enclave is a hardware-isolated coprocessor inside every Apple Silicon chip — A-series, M-series, S-series. It runs its own micro-OS, has its own boot ROM, and holds keys that the main CPU literally cannot read. Biometric templates, the device's UID key, and Apple Pay tokens all live here.

The Enclave is what makes Face ID and Touch ID safe to use as a key-derivation factor. The biometric comparison happens inside the Enclave; iOS just gets a yes-or-no signal back. No process on the device, not even the kernel, can extract the underlying secret material.

Secure Enclave and Face ID

SHA-256

A 256-bit cryptographic hash function — the workhorse of modern integrity and key derivation.

SHA-256 is a member of the SHA-2 family standardized by NIST in 2001. It takes input of arbitrary length and outputs a 256-bit digest. As of 2026 there is no known attack faster than brute force, and brute-forcing a 256-bit hash is comfortably outside the realm of physical possibility.

SHA-256 is the hash used by Bitcoin's proof-of-work, by Apple's code signing, by the TLS certificate ecosystem, and inside HMAC and PBKDF2 in Secure Notes' key derivation. It is the boring, reliable choice — exactly what you want in a hash function.

Hashes and AES

Symmetric encryption

Encryption where the same key both locks and unlocks the data.

Symmetric encryption uses one shared key for both encryption and decryption. AES, ChaCha20, and 3DES are all symmetric ciphers. The shared-key requirement makes symmetric crypto fast and efficient — orders of magnitude faster than public-key crypto — but it forces a key-distribution problem when more than one party is involved.

For a single-user encrypted notes app, that key-distribution problem largely disappears: the key lives only on your devices, derived locally from your password. Symmetric AES-256 is the right tool here, and it's what every reputable encrypted-notes app uses for the bulk encryption of content.

Symmetric encryption and AES

T

TrueDepth camera

The front-facing camera system that projects 30,000 infrared dots to map your face.

TrueDepth is the front camera array on Face ID iPhones and iPads. It pairs a flood illuminator, a dot projector that paints ~30,000 invisible infrared dots on your face, and an IR camera that reads them back to build a depth map.

The depth map plus the IR image feed into a neural network running inside the Secure Enclave, which compares the result against your enrolled template. The whole pipeline never exposes a raw image to iOS, never sends it off-device, and adapts continuously to changes in your appearance.

How Face ID works

X

XChaCha20-Poly1305

An AEAD cipher built on ChaCha20 with a 192-bit nonce — fast on devices without AES hardware.

XChaCha20-Poly1305 is an authenticated-encryption cipher that combines the XChaCha20 stream cipher with the Poly1305 MAC. The X variant extends the nonce to 192 bits, which lets you safely generate nonces at random without ever worrying about reuse.

It's the cipher of choice for libraries like libsodium and for cross-platform encrypted apps that can't rely on AES hardware acceleration. Some encrypted-notes apps prefer it to AES-GCM for exactly that reason — it's competitive on Apple Silicon and significantly faster on older Android chips.

Encrypted notes app comparison

Z

Zero-knowledge

A system design where the server provably cannot read what it's storing for you.

Zero-knowledge architecture means the service operator has structurally no ability to read user data. Keys are derived on-device from secrets the operator never sees; data is encrypted on-device before upload; recovery paths are designed so that even an internal compromise yields only ciphertext.

Zero-knowledge is stronger than “we promise we don't look.” A well-designed zero-knowledge app can be subpoenaed, breached, or sold and the user's data remains private — because there is no decryption capability on the server side to compel, breach, or transfer. Secure Notes is zero-knowledge by construction.

Zero-knowledge architecture

Missing a term?

If there's a privacy, encryption, or Apple-platform term you'd like defined here, write to info@pixelport.io and we'll add it in the next pass.
