WhisperNote™ is a portable encrypted message container. WhisperNote is free, simple to use, open source and compatible with most modern devices such as computers, tablets and phones.


Try a Sample

Use now

Download WhisperNote




Get the source from GitHub

Quick Facts
  • Free
  • Portable - use it on any modern web browser
  • AES 256 - very strong encryption
  • File based - no reliance on Internet availability or continuity of service
  • Tiny - everything you need is less than 70kb of data
  • No installation - just use it, no need to install anything
  • Open Source - see how it works or contribute to the project
  • Responsive Design - adapts to your device's screen size
Take it anywhere

WhisperNote is a self contained HTML file so you can take it anywhere. Save it to your hard drive, USB stick, Google Drive, SkyDrive, Dropbox or even store it on your phone. You own the data so you keep it and accesses it however is convenient for you! The software and your data all reside in the single HTML file.


The file size of WhisperNote is limited by your browser because all the file operations have to be performed in memory. Our testing shows that anything up to 10Mb works well. To store the file in HTML document it needs to be base64 encoded, with the side effect of increased file size. If you are storing a 6Mb file the WhisperNote file might be around 8Mb in size.

Open Source

WhisperNote is open source, so that others can check what it's doing, how it does it and perhaps contribute to it. We hope that it will help motivate improvement of JavaScript based application security. With Web2.0, more and more software we use every day is written in JavaScript, however at present there is no standard way to verify that this software has not been modified.

WhisperNote makes use of the following open source projects:

WhisperNote uses AES 256 bit encryption to store your data. This is a very strong form of encryption, the same used by banks to protect money and security organisations to protect national secrets. WhisperNote uses the Stanford Javascript Crypto Libray (SJCL) implementation of this encryption standard.

WhisperNote uses your browser as the execution environment, the same browser you most likely use to access your online bank accounts. With WhisperNote, your data is not saved onto a server on the Internet; it’s saved to the device you are using. Once saved locally, you can transfer the file to your other devices.

There are no "back doors" to your content in WhisperNote once it is encrypted. This means that if you lose your main password, your data can not be recovered.

If you intend to use WhisperNote to send data to others you will need to ensure that you exchange the password over a different channel to the note. For example, if you are emailing a WhisperNote to someone, call them to tell them the password.

Unlike the vast majority of applications, WhisperNote bundles both application software and user data into a single file. The application part of the file consists of the HTML user interface and JavaScript software, the user data part consists of an encrypted data store. This is done to achieve maximum portability.

WhisperNote, like other security applications, has known weak points. It is important that you understand these so that you can make an educated choice on whether WhisperNote meets your security requirements.

  • Because there is currently no effective way to perform JavaScript code signing it is not possible for your browser to determine whether a WhisperNote application has been modified maliciously. This gives rise to a variety of attacks known as Man In The Middle (MITM). WhisperNote is susceptible to these every time it is transferred over an insecure channel like email or if you download it via HTTP from a third party. However, if you source WhisperNote from our server over HTTPS or you verify the original file using the signatures provided you can be assured that it has not been modified in transit.
  • JavaScript cryptography is considerably less mature than direct operating system runtime environments. The SJCL library, although tested extensively, may not perform as well as other technical alternatives.
  • The browser you use could be susceptible to side channel attacks or could leak information through a design fault, nevertheless Internet banking relies on the very same browser to protect access to your money. Similar problems are also found in other runtime environments and establishing a 100% trusted environment is nearly impossible on modern day devices, especially when you are connected to the Internet.

The checksums are provided to help verify the authenticity of new copies of WhisperNote downloaded. When you download WhisperNote directly from Consunet, it is served over a secure HTTPS connection. This means that you do not have to perform further authenticity checks, however when you download from a third party, you should verify that the files have not been modified by using the signatures provided.

The checksums provided are MD5 and SHA256. To calculate a checksum of your WhisperNote copy, use one of the following applications for your operating system.

  • linux terminal> md5sum WhisperNote.html
  • linux terminal> sha256sum WhisperNote.html
  • osx terminal> md5 WhisperNote.html
  • osx terminal> shasum -a 256 WhisperNote.html
  • windows: install Microsoft's PsFCIV tool

Once you start using WhisperNote, the original signatures will no longer match since you add your data to the file, you can however use our Validator service to check files you are unsure about. If you do not want to send your encrypted data to our Validator service, you should make use of the import function from a trusted copy of WhisperNote. This retrieves only the encrypted data from an untrusted copy of WhisperNote and validates it using the AES 256 encryption.

Create your note
  1. Just type or cut and paste the text content you want to encrypt in the Message area.
  2. You can optionally select a single file from your device to be included with your note. This file should be less than 10Mb in size
  3. Once you're done editing your note, at the bottom of the screen type in a password to protect the note contents.
  4. Optionally, provide a hint for yourself, but don't make it obvious.
  5. Hit the Encrypt button. This will encrypt the note and package everything neatly into a single HTML file. You can save it to your local disc or perhaps a cloud service.
Share your note
  1. Due to technical limitations of current browsers, if you send a WhiperNote through email (or other insecure channel) the recipient needs do one of three things to read it securely:
    • Download a new WhiperNote and Import your note into theirs.
    • Use the Consunet Validator service to check that the note has not been maliciously modified in transit.
    • Temporarily disconnect from the Internet when they are reading the note.
  2. When sharing the password you should use a different channel to the one you sent your note through (i.e. call the recipient over the phone).
Problem Reporting

If you find any problems or have suggestions for WhisperNote, please report them using our public GitHub repository.

Example use 1

Carol is collaborating with an international company on a new business proposal. During the fast paced negotiations there is an urgent need to provide some sensitive company information by email. Carol is concerned about sending this type information via unencrypted email but hasn't purchased an encryption certificate yet. Carol also isn't sure what operating system the recipient is using. To prevent business interruption Carol uses a WisperNote to create an encrypted HTML file that includes the sensitive information and a frank assessment of its strategic value. Carol emails this WhisperNote file and provides the password over the phone. The recipient uses the Validator to ensure that it has not been tampered with in transit. To prevent loss of this password Carol saves it using EveryPass password manager.

Example use 2

Drew has a collection of food recipes that have been a well kept family secret for generations. Drew would like to privately share these with the other family members over the Internet but doesn't trust Facebook to not use them for marketing purposes. Drew creates a WhisperNote for each of the recipes and uploads them to a DropBox account. Not all family members use DropBox so Drew creates a public link for the encrypted WhisperNote files containing the recipes. Now only the family members with the WhisperNote password can access the recipes, however they can do so from their smart phones, tablets, smart TVs as well as Windows, Linux and Mac computers. They can also store the WhisperNote files on their own devices so that they can access them without needing the Internet.