Zero-Knowledge Encryption, Explained Without the Marketing Speak
Zero-knowledge encryption explained: what the property actually requires, how to verify a vendor's claim, and the tradeoffs nobody mentions. Real tells, fake tells, and what to demand.

Quick answer: Zero-knowledge encryption explained without the marketing layer: the service holds ciphertext and only ciphertext. Your password becomes a key on your device, that key encrypts your data on your device, and the key never leaves your device. The provider could not read your content if they wanted to — and that property is verifiable. Every privacy app claims it. Many are lying.
What “zero knowledge” actually means
The phrase “zero-knowledge” was borrowed (loosely, some cryptographers would say abused) from zero-knowledge proofs — a beautiful subfield of cryptography where you can prove you know something without revealing it. In product marketing the term has settled on a simpler meaning: the server has no usable knowledge of your plaintext. They host bytes that look like noise.
The mechanism is mundane. Your password and a random salt feed into a key derivation function (PBKDF2-HMAC-SHA256 with 100,000+ iterations, or Argon2id) producing a symmetric key. That key encrypts your notes with AES-256-GCM (or XChaCha20-Poly1305) on your device. The ciphertext, a fresh nonce (the IV), and an authentication tag get uploaded. The server stores those three blobs plus the salt. It does not store the password or the encryption key, and whatever credential it checks at login must be derived independently of the encryption key (a second KDF output, or an HKDF split of the KDF output), so that the one secret the server does get shown cannot decrypt anything. When you sign in on another device, the same password and salt rederive the same key, and decryption happens locally.
That is zero-knowledge. The server is a dumb mailbox. The cryptography happens on your device, twice — once to encrypt, once to decrypt.
How to verify a zero-knowledge claim
Every notes app marketing page says “zero-knowledge.” Most are bending the term. Here are the six tells: two things real zero-knowledge apps cannot offer, and four things they always disclose.
| Signal | Real zero-knowledge | Fake claim |
|---|---|---|
| Password reset | Recovery seed phrase only | 'Email me a reset link' option |
| Web preview | Requires password entry to decrypt locally | Notes visible after a magic-link login |
| Cipher disclosure | Named: AES-256-GCM, XChaCha20-Poly1305, etc. | 'Bank-grade' / 'military-grade' / 'state-of-the-art' |
| Key derivation | PBKDF2 with its iteration count, or Argon2id with its memory and time cost, stated | Not mentioned |
| Audit | Third-party security audit published | 'Audited internally' or no mention |
| Source | Open-source crypto layer or whitepaper | Closed source, no whitepaper |
The single sharpest test: email-based password reset. If the provider can email you a link to reset your master password and your existing notes survive the reset, they hold a key somewhere. That key is the entire game. A real zero-knowledge app replaces password reset with a recovery seed, for example a 12- or 24-word phrase (BIP-39 style) generated at signup that you, and only you, hold. The usual construction behind this: the key that actually encrypts the data is a random master key, stored wrapped twice, once under a password-derived key and once under a seed-derived key. Either one unwraps it on your device; the server holds only the two wrapped copies. Changing your password means re-wrapping the master key under the new one, and losing both the password and the seed means nobody can unwrap it, the provider included.
Second-sharpest test: a web reader that shows your notes after a magic-link login. If you can read your data without entering the master password, the server decrypted it, which means the server had the key.
The tradeoffs nobody mentions
Zero-knowledge is not free. The price is paid in friction. Vendors burying the tradeoffs is part of why “zero-knowledge” has become a marketing word. The honest list:
- No password reset. Forget the password, lose the seed, and the data is gone. Permanently. No customer support call rescues it. This is the trade.
- No web preview, or a clunky one. Decryption has to happen in your browser, which means a crypto layer in JavaScript (or on top of WebCrypto) that the provider serves to you fresh on every page load. That is the quiet weakness of a web client in a zero-knowledge design: a compromised or coerced provider could ship a page that sends your key home, and nothing on your side would flag it. Native apps carry the same exposure through updates, but those at least arrive signed and pass through store review. Many zero-knowledge apps just skip the web entirely.
- Harder collaboration. Sharing a note with someone means getting that note's key to them without the server ever seeing it, which in practice means public-key cryptography plus some way to verify you have the right recipient's public key. Doable, but most apps treat shared content as a separate, weaker tier.
- Slower onboarding. You have to write down a 12-word seed. People don't. They lose it. Then they lose their data and blame the app.
- Search is harder. Server-side search across encrypted content is an unsolved problem unless you accept leakage. So search happens on-device, after decryption, which limits how big your library can grow before it gets slow.
If a vendor is candid about these tradeoffs on their privacy page, they are probably telling the truth about the rest. If everything is presented as upside, be suspicious.
Zero-knowledge in notes apps specifically
For a notes app the property is single-user, which simplifies everything — no key exchange between users, no shared-document negotiation. The right zero-knowledge posture for a notes app on iPhone has four pieces:
- Client-side key derivation. Master password plus a random salt → KDF → AES-256 key on your iPhone. The server stores the salt and the ciphertext; it never sees the password or the key.
- Per-note or per-folder sub-keys. The master key encrypts a keychain of sub-keys, and you can lock individual folders with separate passwords. This is what Secure Notes on iOS does. The sensible way to build the locked folder is to wrap its sub-key under that folder's own password rather than under the master key, so the master password alone does not open it.
- Biometric unwrap, not biometric bypass. Face ID should release a Secure Enclave-wrapped copy of the master key, not bypass the encryption. The cipher is the same; Face ID just gates access to the key. Check what the fallback is: if a failed Face ID falls back to a short device passcode that releases the same key, that passcode, not your master password, is the real boundary on an unlocked phone.
- Recovery seed at signup. A 12-word phrase you write down. The only backup. If the app offers an alternative recovery path, it is not zero-knowledge.
Red flags in a notes app privacy page: vague language about “encrypted on our servers,” promises of customer-support-assisted recovery, no named cipher, no KDF iteration count, and no third-party audit. If the app does not say “client-side” explicitly, it probably isn't. Compare what you read on a privacy page to the table above, and most claims fall apart in under a minute.
Frequently asked: zero-knowledge encryption
What does zero-knowledge encryption mean?
Zero-knowledge means the service provider has zero ability to read your data — their servers store ciphertext only, and the encryption key is derived from your password on your device. Even if the provider wanted to read your content, or was compelled by law to, they could not. The term is borrowed loosely from zero-knowledge proofs in cryptography; in product marketing it has come to mean 'client-side encryption with user-held keys.'
How can I tell if an app is really zero-knowledge?
Four tells. First, does the app offer email-based password reset? If yes, not zero-knowledge — they have a recovery path that bypasses your key. Second, can you view your data in a web reader without entering your password? If yes, not zero-knowledge. Third, do they publish a security whitepaper naming cipher, KDF, and iteration count? Fourth, has a third party audited the crypto? Real zero-knowledge apps answer all four cleanly.
Is iCloud zero-knowledge?
Only partially, and only with Advanced Data Protection turned on. Default iCloud is encrypted at rest with Apple-managed keys — not zero-knowledge. With ADP on, 23 data categories including Notes and Photos flip to end-to-end encrypted with user-held keys, which qualifies as zero-knowledge. Mail, Contacts, and Calendar remain Apple-readable even under ADP.
Why can't zero-knowledge apps reset my password?
Because they literally cannot. Your password is the input to the key derivation function that produces the encryption key. They never store your password, only a salt and a separately derived login verifier that cannot be turned back into the key, and they never store the key itself. If you forget the password, there is nothing for them to look up. The fix is a recovery seed (a high-entropy backup credential) generated at signup and kept by you offline.
Is zero-knowledge the same as end-to-end encryption?
Closely related but not identical. End-to-end encryption is about message paths: encrypted on the sender's device, decrypted on the recipient's device, with the server passing ciphertext through. Zero-knowledge is about storage: the server holds your data without holding the key. A notes app is a single-user case where both labels usually apply. A chat app is E2EE; a backup service is more often described as zero-knowledge.
Which notes apps are actually zero-knowledge?
Secure Notes, Standard Notes, and Notesnook are the credible zero-knowledge notes apps for iPhone in 2026. All three derive keys client-side and offer recovery via user-held seed phrases — no email-based password reset. Apple Notes is zero-knowledge only under ADP and only for the body of locked notes by default. Bear and most general-purpose note apps are not zero-knowledge.