June 15, 2026 · 8 min read · Deepbluework Team
Secure, Shareable Notes for Business Teams
Whether you are a freelancer, a small agency, or a growing startup, at some point you need to share something sensitive: a set of credentials for a client portal, a draft contract before it is signed, a confidential meeting summary, or an API key with a new team member.
The usual options — email, Slack, Google Docs — feel convenient but leave a paper trail on servers you do not control, servers that could be subpoenaed, breached, or simply scanned for advertising signals. Deepbluework Notes was built for exactly this gap: a note-taking tool where the server never sees your content, paired with a one-click secure share link that anyone can open in a browser.
What "end-to-end encrypted" actually means
The phrase gets overused. In the context of Deepbluework Notes it means something precise:
- Your note is encrypted in your browser before it is sent to the server.
- The server stores only ciphertext — scrambled bytes that are mathematically useless without the decryption key.
- The decryption key never leaves your device in plaintext. It is wrapped (itself encrypted) by a key derived from your login session or, for password-protected notes, from a password you choose.
- When you — or anyone you share with — opens a note, it is decrypted inside the browser. The server delivers bytes; the browser does the math.
The practical consequence: even if Deepbluework's database were ever exposed, an attacker would find encrypted blobs with no way to read them.
The two protection levels
Standard notes (protected by your account)
When you create a note without setting a password, it is encrypted with your Note Encryption Key (NEK) — a randomly generated symmetric key that is itself stored encrypted in your personal vault on the server. The vault key is derived from your login session credentials, which means:
- Notes are automatically unlocked when you log in.
- No extra password to remember.
- Only your account can decrypt them.
This is ideal for personal notes, work-in-progress drafts, task lists, and anything that lives purely within your workspace.
Password-protected notes (shareable)
When you set a password on a note, a separate encryption key is derived from that password using a KDF (key derivation function). The note content is re-encrypted under this password-derived key. This is the level required to generate a share link, because:
- The password is never sent to the server — only the encrypted result.
- Anyone with the share link and the password can open and read the note in their browser.
- Anyone with only the link — or only the password — gets nothing.
You send the link via email or chat, and the password via a separate channel (a quick call, SMS, or Signal message). The two pieces together unlock the note; neither is useful alone.
Sharing a note step by step
1. Write and protect your note
Open the Notes section in Deepbluework, create a new note, and write your content. When you are ready to share, set a protection level of Password and choose a strong passphrase.
Tip: Use a memorable phrase rather than a random string — the person receiving it needs to type it in. Something like
orange-bridge-tuesdayis both strong and easy to communicate verbally.
2. Generate a share link
Once the note is password-protected, the share button creates a unique, one-time-use-style link:
https://app.deepbluework.com/share/note/<token>
The token is 32 cryptographically random bytes encoded as a URL-safe string. It is unguessable. You can generate multiple links for the same note (e.g., one per recipient) and revoke any of them individually without affecting the others.
3. Send link and password separately
Share the URL through your normal channel (email, chat). Share the password through a different channel — a phone call works well. This two-channel approach means that compromising either channel alone is not enough.
4. Recipient opens the link
The recipient visits the URL in any modern browser — no account required, no app to install. They see a clean unlock screen:
- Enter the password you gave them.
- Click View note.
- The browser fetches the encrypted bundle from the server and decrypts it locally.
The footer of the decrypted view reads: "Decrypted in your browser. Deepbluework never sees the password or contents."
5. Revoke when done
When the note is no longer needed by the recipient, go back to your note's share settings and revoke the link. The token becomes invalid immediately; the encrypted bundle is no longer served for that token. Your note itself is unaffected.
Practical use cases
Client credentials hand-off
You provision a new client portal account and need to send the username and password securely. Create a note, write the credentials, protect it with a passphrase, generate a share link, send the link by email and call the client to read the passphrase over the phone. The credentials are delivered without ever appearing in plain text in an email server log.
Confidential contract drafts
A draft contract ready for review contains commercially sensitive terms. Share a password-protected note with your counterpart before the formal document goes out. They can read it in their browser without needing a Google account, a DocuSign subscription, or access to your workspace.
Internal API keys and secrets
Onboarding a new developer who needs a staging API key? Rather than pasting it into Slack where it persists forever in message history, drop it in a password-protected note, share the link in Slack, and read the passphrase on the team call. After they add it to their environment, revoke the share link.
Sensitive meeting summaries
Board-level discussions, HR matters, or pre-announcement strategy sessions often result in notes that should not sit in a shared Google Doc. Keep them in your Deepbluework vault, and share specific summaries with named recipients via password-protected links that you can revoke once they have read them.
The vault: recovering your notes if needed
For standard (non-password) notes, your NEK is stored in an encrypted vault. The vault includes a recovery wrapping: a second encrypted copy of your key, protected by a recovery phrase generated when you set up the vault. Store that recovery phrase somewhere safe — a password manager, printed and locked away.
If you ever lose access to your account and need to recover your notes from a backup, the recovery key re-derives the NEK without needing your original session. This is a deliberate design: Deepbluework cannot help you recover keys (the server never held them in plaintext), but you can recover them yourself with the phrase you set up.
How this compares to common alternatives
| Approach | Server sees content | Shareable without account | Revocable |
|---|---|---|---|
| Email attachment | Yes | Yes | No |
| Google Docs | Yes | Yes (with link) | Yes |
| Slack message | Yes | No | No (persists in history) |
| 1Password Secure Notes | No | No | N/A |
| Deepbluework Notes | No | Yes (password link) | Yes |
The key differentiator is the combination: zero-knowledge storage and shareable with anyone via a link, without requiring the recipient to have an account.
A note on what Deepbluework can and cannot see
To be explicit:
Deepbluework can see:
- That a note exists (its ID, creation date, size of ciphertext)
- Which user account owns it
- Whether it is pinned, favourited, or has a colour label (these are stored in metadata, also encrypted)
Deepbluework cannot see:
- The title of any note
- The content of any note
- The password you set on a password-protected note
- The content accessed via a share link
This is the zero-knowledge model: the infrastructure processes your data but cannot read it.
Getting started with Notes in Deepbluework
Notes are included on all plans, including the free tier (one mailbox, forever free).
- Sign up for a free Deepbluework account →
- Log in to your workspace and open the Notes section from the sidebar.
- Create your first note — your vault is initialised automatically on first save.
- To share a note, switch its protection to Password, set a passphrase, and click the share icon to generate your link.
Summary
Deepbluework Notes gives business teams a secure place to store and share sensitive information without trusting a cloud provider with the contents. Notes are encrypted in the browser before they reach the server; the server stores only ciphertext. Password-protected notes can be shared with anyone via a revocable link — no account required to view. When you no longer need someone to have access, you revoke the link in one click.
If your current workflow for sharing credentials or confidential drafts involves pasting them into an email or a chat message, it is worth switching to a tool where the server cannot read what you write — and neither can anyone who intercepts a single channel.
Related articles
Ready to set up business email?
Deepbluework is a business email platform with IMAP/SMTP, calendar, and meetings on your domain. First mailbox free forever.
Get started →