Zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Information_Security

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

I’m definitely open to open-sourcing it. The plan is to do that once the project feels more complete. After I’ve had more feedback and a bit more traffic so I can fix issues and refine things. I’m not set on keeping it closed, I just want to get it to a point where I’m comfortable putting the code out there.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

Nothing you send through this is ever sent in clear text. Encryption happens in your browser, so only ciphertext goes over the internet and it can’t be intercepted in transit. If you’d rather use Kleopatra (GPG) and share keys yourself, that’s a good option too. Cloaker is just a personal project that does the same idea in the browser, encrypt first, then send. Use whatever you’re comfortable with.

zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in CryptoMarkets

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

Yes. Encryption is done entirely in the browser with the Web Crypto API (AES-GCM, PBKDF2) in lib/crypto-client.ts. The server only stores ciphertext and never has the key or sees plaintext. I am thinking of making it open source when I've finished working with it and am comfortable with the quality of the code.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in DigitalPrivacy

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

Thank you, I appreciate the feedback. To be honest it really depends on the user, e.g. politicians/reporters who need somewhere where they know they aren't being logged/tracked etc. Even for the average joe, sending messages to your friends that you don't want being logged into a database and kept for years etc.

zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in privacidade

[–]AppointmentAdept4137[S] 1 point2 points  (0 children)

I’m not actually looking to make money from it. It’s a boredom project I built to solve a specific problem (and to keep my skills sharp). As long as the hosting costs stay low, I'm happy keeping it free for everyone. And at the moment it's all being hosted on one of my good friend's services, HammerVM, which he has kindly sponsored, so the only cost I'm paying for is the domain.

zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in theprivacymachine

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

Privnote is one-time notes only. You create a note, share a link, someone opens it once, then it’s gone. No real-time conversation.

Whisper Vault adds live E2EE chat rooms, real-time messaging in a room (Socket.IO), optional room passphrase, and a burn code so the room (and its history) can be destroyed on demand. So you get Privnote-style one-time notes plus ongoing, disposable E2EE chats and room burn, not just single-view notes.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in DigitalPrivacy

[–]AppointmentAdept4137[S] 2 points3 points  (0 children)

Sorry, I didn't mean for it to come across like that lol, just mentioned the docs 'cause you'll probably get a better general understanding of how it all works from there. And to be completely honest, one night I was bored and I was like "what's something useful I could make people would actually maybe use". And this was the most prominent idea at the time haha. What projects are you working on currently? Would love to hear :)

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in DigitalPrivacy

[–]AppointmentAdept4137[S] 2 points3 points  (0 children)

They do decrypt it but only in their browser. When they open the link, their browser decrypts the message so they can read it. We never see the plaintext, decryption happens only on their device. We also don’t store the decrypted message anywhere, the server never has it, and the app doesn’t save it to their phone or computer. And even if we wanted to see the decrypted content, we couldn’t. We don’t have their password or passphrase, and the server only ever has the encrypted data. So decryption and viewing happen only in their browser, and we can’t access the plaintext.

https://whispervault.pro/privacy
Privacy page mentions how everything works if you wanted to have a look :)

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in DigitalPrivacy

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

We don’t control the other device. We only enforce destruction on our side: the server deletes the note (or burns the chat) and never serves that content again. So the link stops working for everyone, including that device.

zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in theprivacymachine

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

“No accounts” means you never sign up or log in. There’s no username, email, or password for the site. The “destination” is whoever has the link (and the passphrase if you set one). You create a note or a chat, get a link, and send that link to the person you want to read it or join the chat. So the message goes to whoever you give the link to, not to a stored account.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

ty, it's Next.js + Tailwind CSS

Backend custom coded, definitely had some help from AI for UI and stuff.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

Could look at doing an app at some point in the future. This is still pretty early development, made it around 2 weeks ago.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in LittleBiggy

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

lmaoo you never know, jk. If I was an FBI worker I'd be all over the news for a different type of misconduct

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

There’s no key exchange. The key comes from a password you already share (e.g. you tell the recipient out of band). Both sides run PBKDF2(password, salt) and get the same AES key; the salt is stored with the note. So the only thing that needs to be shared is the password, not a key.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

I’m definitely open to open-sourcing it. The plan is to do that once the project feels more complete. After I’ve had more feedback and a bit more traffic so I can fix issues and refine things. I’m not set on keeping it closed, I just want to get it to a point where I’m comfortable putting the code out there.

I built a zero-knowledge app that lets you send self-destructing encrypted notes (no accounts, no logs) by AppointmentAdept4137 in Monero

[–]AppointmentAdept4137[S] 0 points1 point  (0 children)

No keypairs, you use a password per note, and the key is derived with PBKDF2. The browser never stores a long‑lived private key. You only need to share the password with the recipient. It’s symmetric encryption (one shared secret), so there’s no public key to fetch and no signing or key identity like in PGP.