Share an Encrypted Web Memo with a Code and Password — Full Guide

(Updated: July 17, 2026 ) online notepad encrypted web memo share code AES-GCM Privnote alternative privacy webdev

TL;DR: Kawa’s online notepad is an online notepad share code workflow — not a paste link. You get a 3-character code + password, browser AES-GCM encryption, up to 10 images, no account, no overwrite, and auto-delete after 7 days. Think delivery tray, not notebook app.

If you have ever searched for encrypted web memo, share without account, or a Privnote alternative that supports screenshots and multi-day re-reads, this is the operational guide — threat model first, then every click.


What problem does this solve?

People arrive with different keywords — “online notepad share code”, “browser AES-GCM memo”, “password memo sharing” — but the job is the same:

Move text or screenshots to another person or device right now, without making them sign up, without leaving plaintext in chat history forever.

Pasting into Slack, email, or Teams

Fastest option. Also the messiest:

  • Plaintext persists in message logs, exports, and search indexes long after the incident is closed.
  • Forwarding and screenshots spread content to people who were never in the thread.
  • Chat image compression can blur error text you needed support to read.
  • Attachment limits block large log excerpts or multiple screenshots.

An encrypted web memo encrypts before upload and requires two factors to read: a short share code (which memo on the server) and a password (how to decrypt). Send them on different channels so one leaked message does not expose both.

Google Keep, Notion, and “real” notes apps

Excellent for long-lived knowledge — sync, labels, collaboration, search. Poor fit when:

  • The recipient has no Google account and you do not want to explain sharing settings on a call.
  • You want throwaway content that should not live in a vendor’s infrastructure as readable notes indefinitely.

Kawa’s memo is account-free, 7-day TTL, append-only — a delivery tray, not a wiki.

One link is minimal friction. The URL is often the secret:

  • Links sit in chat logs and ticket systems forever.
  • Misconfigured visibility (public when you meant private) is a recurring incident class.
  • Referer headers and access logs can leak tokens.
  • Many hosts store plaintext or keys the operator can read.

Kawa does not mint a public memo URL. The server holds ciphertext indexed by a 3-character code; decryption requires the password. A guessed or leaked code alone is useless against a strong password.

PatternYou sendBest for
Chat/email pastePlaintext or attachmentNon-sensitive, ultra-short, already inside a trusted boundary
Keep / NotionAccount + share settingsLong-term notes, co-editing, search
URL paste (aNotepad, etc.)https://... per memoOne link, optional public/private toggle
Code + password (Kawa)3-char code + passwordNo signup, short TTL, encryption, multi-screenshot handoff
Privnote-styleOne-time URLRead-once secrets, no re-read needed

Services like TheSecureNote and textdrop.sh sit in the same design space: browser crypto, minimal trust in the server, explicit threat modeling. textdrop.sh often puts the key in the URL fragment (#...) for zero-knowledge delivery; Kawa splits index (code) and key (password) so neither channel alone unlocks the memo — closer to how security teams already split “ticket ID” and “unlock phrase.”


End-to-end flow

Creator                          Recipient
───────                          ─────────
1. Open online notepad           1. Open same page
2. Type text (+ optional images) 2. Find "Have a share code?" at top
3. Set password                  3. Enter 3-char code + password
4. Turnstile → Encrypt & Save    4. Click Load → decrypt in browser
5. Copy 3-char code (e.g. K7M)   5. Copy text / save images locally
6. Send code + password separately (within 7 days)

The copy button copies only the code. Password travels by voice, SMS, second chat, or another app — not bundled in the same message if you can avoid it.


Creator walkthrough (numbered)

Open the online notepad. Three banners at the top state the limits: 7-day auto-delete, 10 images, 100,000 characters. Internalize those before pasting production data.

Step 1 — Enter memo body

Type or paste into the text area. Maximum 100,000 characters — fine for code snippets, config lists, meeting drafts, log excerpts, curl one-liners. Rich text (bold, colors from Word) is not preserved; paste through a plain editor if formatting looks broken.

While you edit, a local draft may persist in localStorage on the same browser — that is pre-cloud only. The character counter (e.g. 0 / 100,000) shows headroom.

Step 2 — Attach images (optional)

Up to 10 files: JPEG, PNG, GIF, WebP.

  1. Drag and drop onto the drop zone
  2. File picker (multi-select)
  3. Paste from clipboard — screenshot then Ctrl+V (Cmd+V on Mac)

Thumbnails appear in a grid; remove extras with the delete control on each thumb.

Before encryption, the tool compresses:

  • Long edge capped at 2560px
  • JPEG / WebP re-encoded around 80% quality
  • Then encrypted, then uploaded

For support handoffs, crop to the relevant UI chrome before paste — readable beats pretty.

Step 3 — Set protection password

1–20 characters, required. Recipient must type the exact same string.

Avoid 1234, password, or reusing the share code. Short but random alphanumeric + symbols beats a long dictionary phrase. Offline guessing against stolen ciphertext is still possible with weak passwords — encryption is not a shield you can lean on alone.

Empty password → “Please enter a password” and save blocked.

Step 4 — Turnstile and save

Complete Cloudflare Turnstile (bot friction), then Encrypt and Save to Cloud.

In the browser, in order:

  1. Bundle text + image blobs
  2. Derive key with PBKDF2 from password + random salt
  3. AES-GCM encrypt
  4. POST ciphertext only over HTTPS

Success → green completion screen with 3-character alphanumeric code (e.g. K7M). Case matters (the UI may uppercase input for readability).

Step 5 — Deliver code and password

Share code viaPassword via
Slack DMPhone / voice
Email bodySMS
Chat AChat B (different service)

Do not put both in one line if you can split them — one log row should not capture the full unlock set.

Creator constraints worth tattooing on your team wiki

  • No overwrite — typo? New memo, new code, tell recipient “X9Z replaces A1B.”
  • 7-day TTL — not archival storage.
  • No share URL — there is no “open this memo link” concept.

Page layout (first visit)

One page hosts load and create:

AreaLocationRole
Limit bannersTop7-day / 10 images / 100k chars
Load sectionUpperCode + password → Load
ComposeMiddleText, images, password
Turnstile + saveLowerBot check, encrypt upload
Success screenAfter saveCode display, copy, new memo

After save, the compose form hides — normal. Create new memo returns to compose mode.

Versioning without overwrite

Treat each save as a version:

  1. v1 → code A1B
  2. Fix typo → v2 → code X9Z, message “A1B is stale”
  3. Thread codes in Slack so you know which version was read

No merge conflicts because there is no merge — only immutable drops.


Recipient walkthrough (numbered)

Same page as the creator. No separate “viewer URL.”

Step 1 — Find the load section

Top of page: “Have a share code?” above the compose form — visible immediately, no hunting.

Step 2 — Enter share code

Three characters, e.g. A7B. No extra spaces.

Step 3 — Enter password

The string the sender gave you separately.

Step 4 — Load

Browser fetches ciphertext, decrypts locally. Success shows full text and image thumbnails.

Failure messages you may see:

  • “Memo data not found” — wrong code, typo, or expired (>7 days)
  • “Decryption failed” — wrong password or corrupted payload

Server copy vanishes at 7 days. If you need it longer:

  • Text — select all, copy to Keep, Notion, or a file
  • Images — right-click save (desktop) or long-press (mobile)

“Same code works again” is only true inside the window.

Recipient checklist

  1. Code is exactly 3 characters
  2. Password matches sender (case, full/half width, no trailing space)
  3. Within 7 days of save
  4. Corporate proxy / ad blocker not killing Turnstile or API
  5. After read, copied what you need locally

Browser AES-GCM — for readers who are not cryptographers

Marketing says “encrypted” for everything from TLS to base64 theater. Here is what Kawa actually does, in plain language.

Why not send plaintext over HTTPS?

HTTPS protects in transit. If the server stores plaintext, operators, cloud admins, and DB thieves read your memo. Kawa’s rule: server sees ciphertext only. The password participates in key derivation inside the browser and is not stored as plaintext on the server — which is why forgotten passwords are unrecoverable.

AES-GCM in one metaphor

  • AES — strong symmetric lock (same key encrypts and decrypts)
  • GCM mode — confidentiality plus integrity: flip one bit, decryption fails (tamper-evident)
  • Password — combination dial
  • Share codewarehouse shelf label (finds the box; does not open it)

PBKDF2 key derivation

Humans type short passwords; AES-256 needs a 256-bit key. PBKDF2 mixes password + random salt with 100,000 iterations to derive a key.

  • Different salt per memo → same password → different keys
  • Raises cost of offline guessing slightly (still: use strong passwords)

What gets stored (conceptually)

Payload shape is roughly salt : IV : ciphertext (Base64). IV is random per encryption — identical plaintext → different ciphertext each save.

The UI states that without the password, admins cannot decrypt. Support cannot “reset and peek.” That is intentional.

Three common misconceptions

1. “HTTPS means the server cannot read my memo.”
HTTPS protects the wire. Client-side encryption protects at rest on someone else’s disk.

2. “Encrypted means I can use a weak password.”
Attackers can download ciphertext and guess offline. Crypto helps; entropy helps more.

3. “Auto-delete proves nobody read it.”
Delete limits future reads and server-side exposure. Anyone who decrypted and copied within 7 days still has a copy — recipient hygiene matters.

One line for engineers

Web Crypto API: PBKDF2 (SHA-256, 100k iter) → AES-GCM 256-bit. Text and image blobs encrypt the same way. Fastest audit path: Network tab on save, not reading minified source.


URL share vs code + password vs Privnote

AspectURL paste (aNotepad, etc.)Kawa (code + password)Privnote / burn-after-read
You sendOne https:// link3-char code + passwordOne-time link
Link leakOften enough to readPassword still requiredUsually one read then gone
Operator decryptOften possible (plaintext DB)Not with password aloneVaries by implementation
Re-readUntil deletedAnytime within 7 daysTypically once
ImagesProduct-dependentUp to 10, encryptedUsually text-first
OverwriteMany allow editNo — new codeNo — new note
AccountUsually noneNoneNone

Pick Privnote (or OneTimeSecret) when the secret should die on first view and nobody needs to re-open it Tuesday.

Pick Kawa when the same person may re-read for several days, you want encrypted screenshots, and you prefer splitting code vs password over putting the key in the URL fragment (textdrop.sh style).

Broader product comparison: share a memo without accounts and /en/vs/memo/.


Image workflow (field scenarios)

Scenario A — Error screens to support

  1. Reproduce on PC; Win+Shift+S / Cmd+Shift+4 screenshot
  2. Paste repro steps + Ctrl+V images into memo
  3. Add Network tab / console shots (≤10 total)
  4. Random password; save
  5. Code in Slack ticket; password on phone
  6. Support reads on mobile, pinch-zoom

Scenario B — PC → your phone (no email self-forward)

Same tool, same code+password — see PC ↔ smartphone handoff (JA) for a Japanese walkthrough of the cross-device flow. Fewer plaintext copies in mail servers than emailing yourself; no Google account unlike Keep.

Scenario C — Using all 10 image slots

Trim whitespace before attach; smaller ciphertext → faster load. The notepad compresses automatically, but cropped signal beats full-screen noise.

Image failure modes

  • >10 images — remove old thumbs or split into two memos
  • HEIC from iPhone — convert to JPEG/PNG first
  • Huge animated GIF — prefer static frames or shorter clip

Failure modes (10+) and fixes

1. Password never sent (most common)

Symptom: Recipient has code only → Decryption failed
Fix: Send password on second channel. Sender forgot password → unrecoverable; recreate memo.

2. Share code typo (O vs 0, I vs l)

Symptom: Memo data not found
Fix: Exactly three chars; use copy button; read aloud “K-as-in-kilo, 7, M-as-in-mike.”

3. Opened after 7 days

Symptom: Worked before, now not found
Fix: By design. Copy locally before expiry. See why memos delete after 7 days (JA).

4. Wanted to overwrite

Symptom: Same code cannot update
Fix: New memo, new code, notify recipient which code is current.

5. Turnstile will not complete

Symptom: Save disabled or Turnstile error
Fix: Disable ad/privacy blockers temporarily; try Chrome/Firefox/Safari; check corporate firewall on challenges.cloudflare.com.

6. Storage quota exhausted

Symptom: Temporary save failure message
Fix: Retry later; reduce images or text length. Platform-wide limit — not always user-fixable.

7. Password “looks right” but fails

Symptom: Decryption failed despite agreement
Fix: Trailing spaces; full-width vs half-width; IME full-width alphanumerics; use password manager generated strings.

8. Private browsing lost draft

Symptom: Closed tab before cloud save — content gone
Fix: Draft autosave targets normal mode; backup long text to a file before save.

9. Mobile paste image unsupported

Symptom: Cannot Ctrl+V screenshot on phone browser
Fix: Use file picker from camera roll; or create on PC, load-only on phone.

10. Fetch / network error

Symptom: Generic load failure
Fix: Reload; re-enter credentials; check VPN/firewall blocking API endpoints; retry later.

11. Word paste looks like garbage

Symptom: HTML tags or mojibake
Fix: Paste through plain Notepad/TextEdit first.

12. Sender and recipient different time zones around day 7

Symptom: Edge confusion on “last day”
Fix: Treat expiry as server-side 7×24h from save, not calendar sympathy — copy early.


Browser compatibility

Requires Web Crypto API (modern browsers).

EnvironmentNotes
Chrome / Edge (current)Recommended; DevTools steps below
Firefox (current)Fully supported
Safari iOS / macOS (current)Supported; private mode may not persist drafts
Internet ExplorerUnsupported
IE mode in EdgeOpen in normal Edge

JavaScript required. Strict Tor / blocking setups may fail Turnstile.


Security do / don’t

Do

  • Use for short-lived, disposable secrets (staging API keys, temp tokens)
  • Rotate anything shared once the recipient confirms
  • Split code and password across channels
  • Prefer 12+ random characters when possible (20 char max)
  • Have recipients copy out within 7 days
  • Verify ciphertext yourself in DevTools once (below) — r/webdev PSA: trust but verify

Don’t

  • Store production DB master passwords here
  • Paste PCI / government ID class data
  • Put code and password in one chat line
  • Screenshot the password itself into the memo
  • Treat encryption as archival — TTL is 7 days
  • Rely on test / 12345678 because “it’s encrypted”

Password memo sharing complements human handoff; it does not replace 1Password, Bitwarden, Vault, or AWS Secrets Manager.


Seven-day auto-delete — what it means operationally

Success and load UIs remind you: this memo deletes in 7 days. Not a bug — product boundary.

For users:

  • Explicit “do not use as permanent storage” signal
  • Reduces forgotten server-side blobs becoming long-tail leak surface
  • Caps ciphertext lifetime even if you lose track of what you shared
RoleAction
SenderKeep your own copy if you need audit trail — server copy expires
RecipientCopy text / save images before day 8
BothNo restore after deletion — design, not oversight

Need permanence → migrate to Keep, Notion, or your wiki. Deeper rationale: 7-day auto-delete design (JA).


DevTools verification — prove plaintext never leaves

Chrome / Edge / Firefox: F12 → Network. This is the same class of check you’d run on textdrop.sh or any “client-side encrypted” claim.

Save side

  1. Open Network; enable Preserve log
  2. Compose test string e.g. this is a encryption test memo
  3. Set password; Encrypt and Save
  4. Select the POST to the save API
  5. Inspect Payload / Request body

Expect:

  • Your test sentence not present as readable plaintext
  • Long Base64 or encryptedData-style fields
  • memoId = your 3-char code (index only, not the decryption key)
  • No password field in JSON

Conceptual example (values change every save):

encryptedData: "AbCdEf...very long Base64...=="
memoId: "K7M"
(password field absent)

Load side

Response body stays encrypted; plaintext appears in the DOM after JavaScript decrypts — order of observation: Network shows cipher → then UI shows plain.

Application tab — localStorage draft

Application → Local Storage may show plaintext draft before cloud save. That is local-only pre-upload state. After save, server holds ciphertext; compare before/after to understand the pipeline.

Use this once in onboarding — screenshot for security lunch-and-learn beats slides about “we use AES.”


Use-case quick hits

Developer — staging API key for contractor
Disposable key in memo; strong password; code in Slack, password in Signal; revoke key after QA; memo ages out in ≤7 days.

Support — customer log excerpt
Ask customer to send code and password in two emails; paste into internal wiki; do not re-share memo code externally.

Personal — long URL to phone
One line in memo beats mail-to-self clutter.

Infra — maintenance command cheat sheet for tonight only
Commands live in memo during window; canonical runbook lives in Notion without secrets after cutover.

Design — five wireframes + bullet feedback
Encrypted images + text; client needs no account.

Research — experiment params colleagues re-read for 3 days
Privnote wrong tool (single read). New parameter set → new code; track versions in email subject exp-20260717-v2.


Team playbooks (small groups)

  1. Two-channel rule — code in team channel, password in DM or voice. Never one message.
  2. Disposable secrets only — production creds in Vault; staging in memo.
  3. Version codes — v2 supersedes v1; announce stale codes.
  4. Seven-day hygiene — weekly “still need this?” or copy to Notion.
  5. Quarterly demo — new hires watch Network tab during a dummy save.

FAQ (prose)

Do I need an account?
No. Open browser → compose or load. That is the share without account pitch.

Can two people read the same memo?
Yes, anyone with code + password within 7 days, unlimited reads. No simultaneous editing — read-only handoff.

Can attackers brute-force the 3-character code?
Space is small; password is the real gate. Strong password + Turnstile on save reduces automated scraping. Do not use this for nation-state secrets — use proper secret stores.

Is HTTPS alone insufficient?
For server operator trust, yes. HTTPS does not stop the host from reading plaintext at rest. Browser AES-GCM addresses storage on someone else’s server.

How is this different from “we won’t read your data” in a privacy policy?
Policy is goodwill. Math + client-side crypto is enforceable ignorance — operators lack the key material.

Privnote or Kawa?
One view then burn → Privnote. Multi-day re-read + images + split code/password → Kawa.

aNotepad with password-protected URL?
URL is still the address; implementation may allow operator recovery. Kawa avoids public URLs and encrypts before upload by default.

Encoding issues?
UTF-8 plain text. Word soup → paste plain first.

Is this a Privnote alternative for everything?
No. It is a Privnote alternative when you need encrypted web memo behavior with multi-day TTL and screenshots, not burn-on-read semantics.


Checklists

Creator

  • Content ≤100k chars, ≤10 images
  • Strong password set
  • Encrypted save → code copied
  • Code and password on separate channels
  • Updates = new memo, not overwrite

Recipient

  • Load section at page top
  • Code + password entered
  • Saved locally before day 7

Security

  • No immortal production secrets
  • Rotate shared credentials after use
  • Optional: DevTools ciphertext check done once

TopicArticle
Memo site comparison (11 services)オンラインメモ帳の選び方 (JA)
PC → phone handoffPCとスマホでメモを共有 (JA)
7-day deletion design7日自動削除の理由 (JA)
English comparison / threat modelShare without accounts
Head-to-head vs aNotepad / NotePal/en/vs/memo/
This guide in Japanese共有コード・暗号化・使い方 (JA)

Next step: Open the online notepad, save a dummy two-line memo, load it in a private window, and spend sixty seconds in the Network tab. You will feel how online notepad share code + browser AES-GCM differs from dropping a paste URL in #general — without risking real credentials on the first try.