Encrypted notes, stored only on your device.
The notes app is where people keep the things they assume no one else will ever read — recovery phrases, account hints, passwords scribbled "just for now," the draft no one was meant to see. Most notes apps quietly sync every word to a cloud server you do not control. Helix takes the opposite approach: notes are encrypted and kept on your device, with no account and no server that can read them. Here's what "encrypted at rest" really means, why the default cloud notebook is a liability, and where the honest limits sit.
1. What encrypted secure notes are
A notes app, on the surface, is the simplest tool on your phone: a place to type and keep text. But what makes a notes app secure has almost nothing to do with how it looks and everything to do with two questions you rarely get to ask. First: when your note is sitting in storage, is it readable, or is it scrambled so that only your unlock can reveal it? Second: where does that storage live — on your device, or on a company's servers somewhere you cannot see?
Most popular notes apps answer those questions in the way that is convenient for the company, not the way that is safest for you. Your notes are stored on cloud servers so they can sync across your devices, and while the connection to those servers is encrypted in transit, the notes themselves often sit on the server in a form the provider can read. That means the contents of your notebook — every secret you assumed was private — are visible to the company, exposed in any breach, and producible under a legal demand.
Encrypted secure notes flip both answers. The notes are encrypted at rest, so what is stored is scrambled rather than readable, and in Helix's case they are stored only on your device, so there is no cloud copy at all. The difference is not cosmetic. It changes who can read your notes from "you, the provider, and anyone who breaches the provider" to "only someone who can unlock your device."
2. What "encrypted at rest" actually means
The phrase gets used loosely, so it is worth being precise. "Encryption in transit" protects data while it is moving across a network — it is the padlock in your browser, the reason a coffee-shop Wi-Fi snoop cannot read your traffic. "Encryption at rest" protects data while it is sitting still in storage. These are different protections solving different problems, and a service can have one without the other.
A note that is encrypted at rest is stored as ciphertext — scrambled bytes that are meaningless without the key. The key is derived from your unlock, not held by the app in plain view. So if someone copies the raw storage off your device — by pulling files from a backup, by accessing the storage chip, or by examining the device while it is locked — what they get is noise, not your words. They would need the key, and the key is bound to your unlock.
The critical detail is who holds the key. In a system where the provider can read your notes, the provider effectively holds a key. In a properly on-device design, the only thing that can produce the key is your unlock on your hardware. That is the line between "encrypted, but the company can still read it" and "encrypted, and only you can." Helix's notes sit firmly on the second side: encrypted at rest, with the key tied to your unlock and never escrowed to a server.
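A minimal sketch of "encrypted at rest, with the key derived from your unlock", added here as an example and not Helix's code. The page does not name Helix's algorithms, so scrypt and AES-256-GCM are assumed choices, the function names and sample values are constructed, and hardware-backed key storage is left out.

```javascript
// Added illustration, not Helix's code. scrypt and AES-256-GCM are assumed
// choices; the page does not name the algorithms Helix uses.
const crypto = require('node:crypto');

// Derive a 256-bit key from the unlock secret. The salt is stored with the
// record; it is not secret, it only makes each derived key unique.
function deriveKey(unlock, salt) {
  return crypto.scryptSync(unlock, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Seal one note. Only salt, nonce, tag and ciphertext are ever stored;
// the key itself is never written anywhere.
function sealNote(unlock, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(unlock, salt), nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, tag: cipher.getAuthTag(), ct };
}

// Open a stored record. A wrong unlock derives a different key, the GCM tag
// check fails, and no plaintext is released.
function openNote(unlock, record) {
  const key = deriveKey(unlock, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong unlock, or the stored bytes were modified
  }
}

// What a copy of raw storage contains: the serialized record, nothing else.
function rawStorageBytes(record) {
  return Buffer.concat([record.salt, record.nonce, record.tag, record.ct]);
}

// Constructed sample data, for illustration only.
const SAMPLE_UNLOCK = 'correct horse 4821';
const SAMPLE_NOTE = 'router admin hint: blue notebook, page 3';
const stored = sealNote(SAMPLE_UNLOCK, SAMPLE_NOTE);
console.log('plaintext visible in raw copy:', rawStorageBytes(stored).includes(SAMPLE_NOTE));
console.log('opened with wrong unlock:', openNote('000000', stored));
console.log('opened with right unlock:', openNote(SAMPLE_UNLOCK, stored));
```

Because the salt travels with the record, the protection of a copied record rests entirely on the strength of the unlock secret and the scrypt work factor.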
3. On-device only: the design that removes the server
Encryption at rest is necessary but not sufficient. A note can be encrypted at rest and still live on a cloud server — many "zero-knowledge" services work exactly that way, encrypting on your device before upload. That is a genuinely strong model. But it still means an encrypted copy of your notebook exists on someone else's infrastructure, which is a copy that can be subpoenaed, retained after you think you deleted it, or targeted in a harvest-now-style operation against the ciphertext.
Helix goes further and simply does not put the notes on a server at all. "On-device only" means the storage lives on your hardware and nowhere else. There is no upload step, no sync account, no remote backup quietly mirroring your notebook. The practical consequences are clean:
- Nothing to subpoena. A company cannot hand over notes it never received. There is no server-side copy to demand.
- Nothing to breach remotely. A break-in at a cloud provider cannot expose notes that were never stored there. The attack surface is your device, not a distant data center holding millions of users' notebooks.
- No silent retention. When you delete a note on-device, you are not relying on a provider to honor a deletion request across its backups. The data was only ever in one place.
The trade-off, which we will be honest about below, is that the convenience of effortless multi-device sync is gone. That is the deliberate cost of removing the server from the picture, and for the things people actually keep in secure notes, it is usually the right cost to pay.
4. The threat it stops: the cloud notebook
The threat is mundane, which is exactly why it is dangerous. People treat the notes app as a private diary and pour sensitive material into it without a second thought — and then that material rides to a cloud server by default. The risk is not exotic; it is the steady accumulation of secrets in a place you do not control.
Consider what a single breach of a cloud notes provider would expose: not just your notes, but the notes of everyone using that service, all in one place, all readable if the provider holds the keys. Consider what a phished or reused password to your cloud account would hand over: full access to a notebook you have been filling for years. Consider what a legal demand to the provider would produce: a complete, dated copy of everything you ever wrote, regardless of whether you remember writing it.
Each of these is a consequence of the same structural choice — putting readable notes on someone else's server. On-device encrypted notes remove every one of them at once, not by being cleverer about the cloud but by declining to use it. There is no provider holding keys, no cloud account to phish, and no server-side archive to demand. The notebook exists in exactly one place, sealed, on the device in your hand.
It is worth dwelling on why the cloud notebook feels safe when it is not, because the illusion is what keeps people exposed. The notes app looks private. It is on your phone, behind your lock screen, with your name on the account. Nothing about the interface suggests that your words are also sitting on a server farm, readable by the provider, waiting in backups you cannot see. The privacy is implied by the experience and quietly contradicted by the architecture. People are not careless; they are reasonably trusting an interface that was designed to feel personal while behaving like a shared database. On-device storage makes the architecture match the feeling — the private-looking notebook is actually private.
The safest place for a secret is the one with the fewest copies. A cloud notebook multiplies copies of your most private writing across servers and backups you cannot see. An on-device vault keeps it to one.
5. What people actually keep in notes
It is easy to underrate this feature until you look honestly at what lives in a typical notes app. People use notes as an informal vault for exactly the things that should be best protected:
- Recovery phrases and seed words, "temporarily" pasted in while setting up a wallet — and then never removed.
- Passwords and PINs for accounts that do not fit neatly into a password manager.
- Account numbers, policy details, and the answers to security questions.
- Drafts of sensitive messages, half-finished and unsent.
- Private medical, legal or financial details jotted down during a call.
- The quiet, personal writing people would never want surfaced — and would never knowingly upload to a company's servers if asked directly.
The disconnect is stark: this is some of the most sensitive content a person produces, and it is routinely stored in the least intentional way possible. An encrypted, on-device notebook does not change your habits — you still jot things down the same way — but it changes the destination. The same scribbles that used to ride to a cloud server now stay sealed on your device.
This habit of using notes as an informal vault is not going away, and that is exactly why the destination matters more than the discipline. Telling people to stop putting seed phrases in notes has not worked and will not work, because the notes app is right there at the moment they need it. The realistic intervention is not to change the behavior but to make the behavior safe — to ensure that when someone inevitably jots down something sensitive, it lands somewhere encrypted and on-device rather than somewhere readable and remote. A tool that meets people where they already are beats one that demands they become more careful than humans tend to be.
6. Who needs on-device encrypted notes
The honest answer is "almost everyone keeps something in notes that they would not want exposed," but a few groups have a sharper stake:
- Crypto holders. A seed phrase in a cloud notes app is the single most common way self-custodied funds are lost. Keeping recovery material in an on-device vault — alongside your self-custody wallet — removes the remote copy that drainers and breaches feed on.
- Lawyers and their clients. Privileged scribbles — a case note, a settlement number, a name — do not stop being privileged because they were typed into a phone. A provider-readable cloud notebook is a standing discovery and breach risk.
- Journalists. Source names, contact details and interview notes can be life-and-death secrets. The fewer copies and the fewer servers, the smaller the chance one of them is the one that leaks.
- Anyone who is targeted. If a specific adversary is interested in you, your cloud accounts are an obvious place they will look. A notebook that was never uploaded is not on that map.
- People who simply want their private writing to stay private. No special threat required — just the reasonable expectation that what you keep to yourself stays with you.
7. How Helix does it
Helix's notes are part of the vault, not a separate app, and they follow the same on-device rule as the rest of it. When you write a note, it is encrypted at rest with a key derived from your unlock and stored on your device's encrypted storage. There is no notes cloud, no separate account, and no sync toggle that ships your writing to a server — the storage simply never leaves the hardware in your hand.
Because the notebook lives inside the same vault as your other secrets, it inherits the same discipline. The note you jot, the codes from your built-in authenticator and your keys all sit behind the same unlock, protected by the same encryption, with the same answer to the question "who can read this?" — only someone who can unlock your device. And because none of it crosses a third party, there is nothing to subpoena, nothing to breach remotely, and no silent retention after you delete. The feature is deliberately unglamorous: a notebook that works the way you already expect, with the one change that the words you assumed were private actually are.
That consolidation has a quiet benefit of its own. The sensitive odds and ends that usually scatter across a phone — a code in one app, a phrase in another, a password in a third — tend to scatter precisely because no single place felt both convenient and safe. A vault that is convenient enough to use for the quick scribble, and safe by design, removes the temptation to stash secrets wherever was easiest in the moment. Fewer places holding sensitive material means fewer places that can leak it. The on-device notebook is not only safer than the cloud alternative; it gives the loose, sensitive fragments of your life one trustworthy home instead of a dozen risky ones.
8. The honest limits
On-device encrypted notes solve the cloud problem, but they introduce responsibilities of their own. We will state them plainly:
- Backup is your job. The price of "no cloud copy" is that there is no automatic remote backup to restore from if you lose or destroy the device. If a note matters, you must preserve it deliberately, following whatever backup path Helix provides. This is the conscious trade-off at the heart of on-device storage — convenience was what the cloud was selling.
- Your unlock is the wall. Encryption at rest binds the notes to your unlock, which means a weak passcode or a device left open is the realistic way the notes get read — not a remote breach. The notebook is exactly as strong as the unlock guarding it.
- Encryption at rest does not protect a running, unlocked device. Once you unlock and open a note, its contents are decrypted in memory so you can read them. Spyware that has fully compromised the device can read what is on your screen at that moment. That is a different problem, addressed by the device-level shield, and detection is a strong signal rather than a guarantee.
- It is not a substitute for a dedicated password manager's full feature set. Secure notes are for the freeform, sensitive scribbles people actually keep — they are a safe place for what would otherwise land in a cloud notebook, not a claim to replace every credential-management workflow.
Within those boundaries, the goal is simple and defensible: let you keep the private things you already keep, encrypted at rest, in exactly one place — on the device you control.