1. Snoq - local-only and encrypted at rest (that's ours)
Full disclosure: Snoq is our app. It takes the strictest interpretation of "private notes": a free, native Windows app where notes are AES-256 encrypted on your machine and simply never leave it. No account, no server, no telemetry - there's nothing to breach because nothing is uploaded. The honest trade-offs: Windows only, and no sync between devices - by design. If your threat model is "I don't want my notes on anyone's server, period", this is the simplest way to get there. If you need your notes on your phone, pick a cloud-E2EE option below.
2. Standard Notes - the cloud E2EE veteran
Around since 2016, open source, independently audited, and uncompromising about encryption. The free tier is plain text only; the rich editors, files and nested tags sit in the paid plan. If you want encrypted sync across every platform and are willing to subscribe for comfort, it's the safe, boring, good choice. Head-to-head: Snoq vs Standard Notes.
3. Notesnook - the friendlier E2EE challenger
Also open source, also zero-knowledge sync, with a more generous free editor than Standard Notes - which is exactly why "Standard Notes vs Notesnook" is such a common debate (short answer: Notesnook for a nicer free experience, Standard Notes for the longer audit trail; Snoq if you'd rather skip sync entirely). A strong pick for cross-device encrypted notes.
4. Joplin - open-source markdown with optional E2EE
A beloved open-source project: notes live locally in markdown, and encryption applies end-to-end when you enable sync through Joplin Cloud, Dropbox or your own server. One nuance often missed: notes at rest on your device aren't encrypted by default - the E2EE is a sync feature. Immensely capable, mildly technical. Head-to-head: Snoq vs Joplin.
5. Obsidian - private by locality, not by encryption
Obsidian's privacy story is different: your notes are plain markdown files on your disk - not encrypted by the app, but never uploaded either (unless you add sync, where the official service does offer E2EE). If what you want is a personal knowledge base with links, graphs and a huge plugin ecosystem, it's superb; just be clear that "local" and "encrypted" aren't the same promise. Comparison: Snoq vs Obsidian.
6. CryptPad - encrypted collaboration in the browser
A different animal: a web-based, end-to-end encrypted office suite (docs, sheets, kanban - and notes) built for collaboration. Nothing to install, works everywhere, genuinely zero-knowledge. As a personal notes app it's heavier than the rest of this list; as an encrypted shared workspace it's unmatched among free tools. Comparison: Snoq vs CryptPad.
7. Turtl - the cautionary tale
Turtl deserves its mention: an early, honest attempt at E2EE notes with a devoted following. But development has effectively stalled for years, and recommending an unmaintained security product is something we won't do. If you're a Turtl user looking for a maintained home, see Snoq vs Turtl.
How to choose in 30 seconds
- Notes must never touch a server → Snoq (Windows) or Obsidian without sync
- Encrypted sync across devices → Notesnook (nicer free tier) or Standard Notes (longest track record)
- Open-source markdown + control → Joplin
- Encrypted collaboration → CryptPad
Common questions
What's the most private notes app?
Strictly: a local-only app, because no encryption scheme protects data better than never transmitting it. That's Snoq's model (encrypted at rest, nothing uploaded). Among sync apps, Standard Notes and Notesnook are the strongest, since the server only stores ciphertext.
Standard Notes vs Notesnook vs Joplin - which one?
Notesnook if you want the best free E2EE-sync experience; Standard Notes if audits and longevity matter most and you'll pay for the editors; Joplin if you want open-source markdown and are comfortable configuring your own sync. All three are legitimate - the differences are comfort and philosophy, not security scandals.
Is an encrypted notes app enough if my device is compromised?
No app on this list protects notes on a machine an attacker fully controls - encryption at rest protects lost or stolen devices and server breaches, not live malware. Full-disk encryption plus any app here covers the realistic cases.