All Features

Privacy isn't a feature. It's the architecture.

Your password creates an unbreakable key on your device. Every note, task, and file gets its own lock. Even we can't read your data — by design.

Two-tier key architecture with ChaCha20-Poly1305 and Argon2id. Per-document keys, automatic memory zeroization, and zero-knowledge design. Your password derives your master key locally — we never see either.

Your Password
Argon2id KDF key derivation
Master Key
Doc Key
Doc Key
Doc Key
Encrypted ChaCha20-Poly1305
Encrypted ChaCha20-Poly1305
Encrypted ChaCha20-Poly1305
Local Storage
P2P Sync end-to-end encrypted

Zero-knowledge, by design

Your password creates a master key on your device. That master key protects a separate lock for every note, task, and file. We never see your password or your keys. If you change your password, your data doesn't need to be re-encrypted. If you share a document, only that document's key is shared — nothing else.

PrivStack uses zero-knowledge encryption with a two-tier key architecture. Your password derives a master key via Argon2id (19 MiB memory, 2 iterations per OWASP 2023). The master key encrypts per-document keys — not the documents directly. This means password changes re-wrap keys without re-encrypting all data, and sharing a document means sharing just that key, not your master key.

"Trust us" isn't security

Most "encrypted" apps hold the keys to your data. They promise not to look, but they can. One rogue employee, one government request, one data breach — and your privacy is gone.

What You Get

  • ChaCha20-Poly1305 authenticated encryption (256-bit keys)
  • Argon2id memory-hard key derivation (OWASP 2023 recommended parameters)
  • Two-tier architecture: master key wraps per-document keys
  • Per-document random encryption keys with unique 96-bit nonces
  • Automatic key zeroization (Zeroize trait clears memory on drop)
  • Password change re-wraps keys without re-encrypting content
  • Entity keys can be selectively shared for collaboration
  • Zero-knowledge architecture — no server-side decryption possible
  • BLAKE3 for fast integrity checks
  • OS CSPRNG for all random generation
  • Source-available crypto — audit every line on GitHub
  • Transparent plugin encryption — all plugin data encrypted uniformly
  • Military-grade encryption trusted by governments and security experts
  • Your password is turned into an unbreakable key
  • Your password protects a master key, which protects each document separately
  • Every note, task, and file has its own lock
  • Keys are automatically wiped from memory when not in use
  • Change your password without re-encrypting everything
  • Share a document by sharing just its key — your master key stays secret
  • We literally cannot decrypt your data — even if forced to
  • Data integrity is verified every time you access it
  • All randomness comes from your device's secure hardware
  • All encryption code is public — verify everything on GitHub
  • Plugin data is encrypted the same way as everything else

Explore Features

Notes Tasks Calendar Journal Encrypted Files Code Snippets RSS Reader Contacts & CRM Knowledge Graph P2P Sync Cloud Sync Encryption Budget & Finance Email Habits Duncan AI Assistant Cross-Platform Command Palettes Cross-Linking Workspaces Data & SQL

Ready to get started?

Try PrivStack free for 7 days. Your data stays on your devices.

Download Free View Pricing
End-to-end encrypted Works offline No account required