Send selected text as an end-to-end encrypted PrivateNote link — without your AI assistant ever seeing the secret.
Encryption happens entirely inside the editor on your local machine using AES-256-GCM. Only ciphertext reaches the PrivateNote API. The decryption key lives only in the link's URL fragment.
Why use this instead of the AI agent?
If you ask an AI agent "send this secret as a PrivateNote", the AI provider's cloud servers read the secret to call the tool. With this extension, the secret never touches the AI at all:
Method
Who sees the plaintext?
AI agent + MCP
You + your AI provider's servers + your machine
This extension
You + your machine only
Features
Selection-based — highlight any text, right-click → "PrivateNote: Send Selection…"
Composer panel — open a dedicated webview to paste secrets that aren't in a file
All choices local — expiry, burn-after-reading, and title selection happen on your machine
Burn after reading by default — single-use links unless you explicitly opt out
Self-hosted ready — point at your own PrivateNote deployment via settings
Quick start
Install from the marketplace (search for PrivateNote)
Open any file, select some text (e.g. an API key, a password)
Right-click → PrivateNote: Send Selection as Encrypted Link
Pick an expiry (15 min / 1 h / 24 h / 7 d)
The link is copied to your clipboard
Or open the composer:
Cmd+Shift+P (Ctrl+Shift+P on Windows/Linux) → PrivateNote: Compose New Note…
How it works
You select text
↓
Extension reads selection (locally, in-process)
↓
Generate AES-256-GCM key (locally, never leaves machine)
↓
Encrypt content with AAD binding (locally)
↓
POST ciphertext + IV + AAD → PrivateNote API
↓
← note ID
Build URL: privatenote.ai/note/{id}#{key}
└──┬──┘
key in fragment, never transmitted
↓
Copy URL to your clipboard
Settings
Setting
Default
Description
privatenote.apiBaseUrl
https://privatenote.ai
API host (change for self-hosting)
privatenote.webOrigin
https://privatenote.ai
Origin used in shareable links
privatenote.defaultExpiresIn
24h
Default expiry duration
privatenote.defaultBurnAfterReading
true
Default to single-use links
Threat model
What the extension protects:
The PrivateNote server never sees your plaintext
Anyone intercepting traffic to privatenote.ai cannot decrypt
The note self-destructs after the first view (default)
Your AI assistant is not involved — the secret stays on your machine
What it does not protect:
A compromised local machine (the plaintext exists in memory during encryption)
The recipient's environment (once they open the link, they have the text)
Network observers seeing that a note was created (timing/size metadata)
Screenshots — once read, the recipient can save the content
Limitations
Password-protected notes are not supported in v1 (single-key encryption only)
