A secure note-taking app built around envelope encryption. Each note is encrypted with a freshly generated AES-256 data-encryption key (DEK), and the DEK is itself encrypted with a per-user RSA master key held in Azure Key Vault (RSA-OAEP-256). Only ciphertext is stored at rest, and deleting a user also purges their master key from Key Vault — cryptographically shredding their notes.
- Generate a random AES-256 DEK and encrypt the note with it (AES-CBC, fresh IV)
- Encrypt the DEK with the user's master key in Azure Key Vault
- Persist
encryptedDEK:encryptedNote; decryption reverses the steps via Key Vault
| Directory | Contents |
|---|---|
client/ |
Svelte + TypeScript SPA — login and note CRUD |
server/ |
.NET Azure Functions API — JWT auth, envelope encryption, Azure Table Storage |
infrastructure/ |
Terraform for the Azure resources (Key Vault, storage, static site) |
Side project from 2023, no longer actively maintained.