Flasky Notes is an end-to-end-encrypted (E2EE) note-taking app built with a Flask backend, featuring Obsidian sync, todos/events, AI chat (Ollama), and a rich markdown editor with [[wiki-link]] support. The server never sees plaintext note content — all encryption/decryption happens client-side via Web Crypto.
Simple, fast, and bloat-free noting with a clean interface. Your notes are encrypted on your device before they ever touch the server.
Every user is encrypted. There is no non-encrypted mode. The server is a ciphertext store with auth — it never sees plaintext note titles, content, properties, category names, todo/event content, attachment bytes, or AI chat messages.
Key hierarchy: password → PBKDF2 (600k iterations, SHA-256, salt=username) → master key → HKDF → auth_key (bcrypt-hashed server-side) + KEK (wraps the symmetric key). The symmetric key is AES-256-GCM. A recovery key wraps the same symmetric key as an escape hatch if the password is lost.
Ciphertext format: base64(0x01 || IV[12] || ciphertext || GCM-tag[16]).
- Rich markdown editor (CodeMirror 6) with live preview, syntax highlighting, and
[[wiki-link]]/![[embed]]rendering - File explorer sidebar with drag-drop note organization, folders (categories), and icons
- Right panel with outline, backlinks, outbound links, properties, todos, events, and quick-settings widgets (toggle visibility per user)
- Auto-save with one-step revert to previous version
- Todos and events with due dates, reminders, and archive
- Note templates with per-folder default templates
- Attachments (stored as encrypted blobs)
- Client-side search (server can't read ciphertext to search)
- AI chat (Ollama) with SSE streaming, conversation history, and note-context inclusion
- Obsidian sync via a standalone sync client
- Export to decrypted or encrypted .zip
- Dark mode, adjustable font size/family, responsive mobile layout
- Dynamic UI settings — new preferences added via a registry with no database migration
- Ctrl + s: Save Note
- Ctrl + k: Search Notes
- Ctrl + b: Toggle Sidebar
- Ctrl + e: Toggle Edit/Preview
- Ctrl + Shift + O: Toggle Right Panel
- Ctrl + /: Keyboard Shortcuts
Flasky Notes supports two-way syncing with an Obsidian vault via flasky-notes-sync, a standalone Python CLI that runs on the machine with your Obsidian vault. Encryption is mandatory — the sync client always derives keys from your password and encrypts/decrypts locally.
Enable sync in /settings, generate an API token, and follow the setup instructions in the sync repo. Folders map to categories, attachments sync alongside notes, and conflicts are flagged for web-based resolution.
There are two ways you can deploy Flasky Notes:
- Install Docker if you do not have it installed already
- Attain a copy of the repo
- Copy the contents of the
.env.examplefile and save it to a file named.envin the root directory, alongside the rest of the files - Open a terminal at the root directory and run:
docker compose up --build
You should have Flasky Notes running. Use Ctrl+C to stop. Run docker compose up again to restart.
Add -d to run in the background: docker compose up -d --build
docker compose stop (running instance) or docker compose down (remove instance)
python3 -m venv venv
source venv/bin/activate # Linux
# venv\Scripts\activate # Windowspip install -r requirements.txtFor local development:
python serve_local.pyFor production:
gunicorn --bind YOUR.SERVER.IP.ADDR wsgi:app| Variable | Required | Default | Description |
|---|---|---|---|
DATABASE_URI |
No | sqlite:///db.sqlite3 |
SQLAlchemy database URI |
SECRET_KEY |
Yes | — | Flask secret key for sessions |
FLASK_ENV |
No | production |
Flask environment |
LOG_LEVEL |
No | WARNING |
Logging level |
RECAPTCHA_SITE_KEY |
No | — | reCAPTCHA v2/v3 site key |
RECAPTCHA_SECRET_KEY |
No | — | reCAPTCHA v2/v3 secret key |
See .env.example.
Flasky Notes has been tested primarily on Ubuntu using a Firefox browser, but should be compatible with all devices and operating systems that can run a browser that is up-to-date.
Flasky Notes is an open source project from Mehonal, licensed under MIT license. Mehonal reserves the right to change the license of future releases of Flasky Notes.
Third-party library licenses can be found in static/vendor/LICENSES.md.
- Python & Flask — Backend framework
- SQLite & SQLAlchemy — Database and ORM
- Alembic — Database migrations
- Flask-Talisman — Security headers (CSP)
- bcrypt — auth_key hashing
- marshmallow & flask-smorest — Request validation + OpenAPI
- cryptography — E2EE (sync client + tests)
- Gunicorn — Production server
- Bootstrap — CSS framework (auth/settings pages)
- CodeMirror 6 — Text editor
- marked.js — Markdown rendering
- highlight.js — Syntax highlighting
- DOMPurify — HTML sanitization
- Docker — Containerization
- esbuild — JS bundling (CodeMirror)