Secure Notes
Encrypted notes for sensitive info
An on-device store for the sensitive details you don’t want in the cloud, with typed items for logins, secure notes, payment cards, identities, and SSH keys, all sealed to Passport Prime.
Last updated Jun 2026

Your secure notes
Overview
A hardware-backed place to keep the sensitive details you don’t want in a cloud notes app: passport and driver’s-license numbers, card and bank details, insurance info, SSH keys, and anything else worth sealing. Items are typed (login, secure note, payment card, identity, SSH key), organized with folders, tags, favorites, and custom fields, and any record can be set to require a PIN before it is revealed.
A working prototype built on the KeyOS Seed Vault app pattern, running in the Foundation simulator today. It can import an unencrypted Bitwarden JSON export, with a review step that flags fuzzy duplicates and a summary of imported, skipped, and failed items. Screens shown are from the working prototype.
What it does
- Typed items (login, secure note, payment card, identity, SSH key) with folders, tags, favorites, and custom fields.
- Imports an unencrypted Bitwarden JSON export, with fuzzy duplicate detection and an import summary.
- Any record can require a PIN before it is revealed, via the KeyOS PIN flow.
- Builds on the KeyOS Seed Vault app pattern.
Technical breakdown
How the proof-of-concept is built, for developers evaluating the platform.
Sealed at rest
Items are held in the KeyOS Seed Vault app store and sealed to the device. The exact at-rest encryption guarantees, and whether an additional app-level encryption layer is needed on top of the KeyOS storage layer, are among the items still being confirmed for production.
Status
Runs in the Foundation simulator today, with the full Bitwarden import flow working. Export back to Bitwarden is not yet implemented, and the at-rest encryption guarantees are still being confirmed.
Dig into the source
README, architecture notes, and the wire protocol live in the repo.
