Skip to content
AppVault

FILE 10 / NOTES — SCOPE

AppVault encrypts files, not free-form text. On purpose.

The one piece of text AppVault produces is the 12-word recovery phrase shown during onboarding — and that lives on paper, not in the app. Free-form encrypted notes are not part of v1, and we are in no hurry to ship them poorly.

UPDATED · 2026-05-20 · REVIEWED BY APPVAULT

The scope a small product can defend

Every privacy product fails in the same direction: it tries to be everything, the attack surface grows, and a sharp edge somewhere lets the whole thing down. AppVault v1 deliberately limits itself to a single primitive — an encrypted container for files you import — and refuses to grow that scope until each existing primitive has been audited and matured.

Free-form text notes look small from the outside. From the inside, they are not. A text-note feature wants to grow: rich text, autofill into other apps, browser extensions, structured fields, search across notes, sharing one note without the rest, OCR pulling text out of photos. Each of those is a new attack surface. Each one needs its own cryptographic story. Each one is a place where a single bug turns the vault into a leak. We are not in a hurry to add all of that for a feature only some users want.

The piece of text that AppVault does care about

There is one piece of text that matters: the BIP-39 12-word recovery phrase. AppVault generates this phrase during onboarding using the standard English BIP-39 wordlist (the same wordlist used by Bitcoin wallets, with a checksum word that catches typos). The phrase is shown to you once, on a single screen, and asked to be written down. It is then used internally to derive the master key that wraps your per-file AES-256-GCM keys.

The recovery phrase is the survival mechanism for device loss, theft, or a forgotten pattern. It is never uploaded anywhere by AppVault. It is not stored inside the vault. It is not stored anywhere in the app once you have written it down. It exists in exactly two places: briefly in memory on your device while you read it, and on whatever paper you wrote it on.

Where to put short secrets that are not the recovery phrase

What would change our mind about adding notes

A future version of AppVault might add encrypted notes — but only if we can ship them with a deliberately narrow scope: short plain text, the same AES-256-GCM wrapping as files, no autofill, no browser integration, no form-field detection, no cross-account sharing. If that ever ships, it will be a feature in the same shape as the rest of the app: small, sharp, and limited to one job.

QUESTIONS WE HEAR

About text, secrets, and the recovery phrase.

  1. 01 Can I store text notes inside AppVault?
    Not in version 1. AppVault encrypts photos, videos, and documents you import from the Photos library or the Files app. Free-form text notes are not part of the v1 feature set. The one piece of text AppVault generates and asks you to keep safe is the BIP-39 12-word recovery phrase shown during onboarding — write it down on paper, store it offline.
  2. 02 What should I use for short secrets instead?
    For passwords, autofill, browser extensions, and the everyday flow, use a real password manager — 1Password, Bitwarden, or Apple iCloud Keychain. Each of those is purpose-built for short structured secrets and integrates with iOS autofill in ways a small indie vault should not try to imitate. For one-off offline notes (a passport number, a single 2FA backup code, the AppVault recovery phrase itself), write them on paper and store them in a fireproof box or a safe-deposit box. Paper, kept offline, is a surprisingly strong threat-model improvement over any digital alternative.
  3. 03 Will encrypted notes come in a future version?
    It is on the long-term feature wishlist, not the short-term roadmap. We will only ship encrypted notes if we can do it without expanding AppVault's attack surface — and that means resisting the urge to add autofill, browser extensions, and form detection, which is where note features tend to grow into half-baked password managers. If we ship it, expect a deliberately narrow scope.
  4. 04 Where do I store the recovery phrase?
    On paper. Offline. Ideally in two physical locations (home + safe-deposit box, or home + trusted family member). Do not store the recovery phrase in Apple Notes, in a screenshot, in a cloud-synced note app, or as a photo in any app — including AppVault itself, which would create a cyclic dependency where the phrase that recovers the vault lives inside the vault.

GET STARTED

Seal the vault.

Free to download. The free tier holds one file. Premium removes the limit — Weekly from $3.99 or Yearly from $29.99 with a 7-day free trial.