Is OneNote Safe? Microsoft Holds the Keys

By · · 8 min read

OneNote might be the most capable free notes app ever shipped: infinite canvas, handwriting, full Office integration, apps on every platform. None of that answers the question people actually type into Google, which is whether the things you write in it stay between you and the page.

The honest answer has two halves. The default half looks like every other big-vendor notes app: Microsoft holds the keys. The other half, password-protected sections, is a genuinely encrypted feature most users have never opened. Where the line sits decides whether OneNote is safe for what you keep in it.

Full disclosure: I build Scrib, an encrypted notes app for Android, and Scrib Desktop, an open source encrypted editor for Windows. I will keep this factual anyway, including the part where OneNote's protected sections are better than most of its competition.

Where Your Notebooks Actually Live

Modern OneNote is a cloud application. Personal notebooks are stored in OneDrive; work and school notebooks live in SharePoint or Teams. The apps keep cached copies so you can write offline, but the copy of record sits on Microsoft's servers. Local-only notebooks are a legacy feature of the old OneNote 2016 desktop app, and Microsoft has been steering everyone to cloud notebooks for years.

That storage is encrypted in transit (TLS) and encrypted at rest in Microsoft's datacenters. Both are real protections against network snooping and stolen disks. Neither protects you from the vendor, because Microsoft holds the decryption keys. This is the same encryption-at-rest pattern we covered in the encryption-at-rest explainer, and it has the same three consequences:

Add the usual account math: anyone who takes over your Microsoft account gets your notebooks from any browser, no phone required. If that password is reused anywhere, your notes are as strong as the weakest site that leaked it.

The Exception: Password-Protected Sections

Here is the feature that separates OneNote from Google Keep, which has no note lock at all. Right-click a section, choose "Password Protect This Section", and OneNote encrypts that section's content with a key derived from your password. This is client-relevant encryption, not a cosmetic prompt:

And the limits, because they decide whether the feature fits your use:

OneNote vs the Alternatives, on Privacy Only

Privacy question OneNote Google Keep Scrib Desktop
End-to-end encrypted? Only protected sections No Yes, per encrypted file
Who holds the key Microsoft (you, for protected sections) Google You
Account required Microsoft Google None
Note/section lock Yes, real encryption No Yes, plus lock-in-place
Cloud copy exists Yes (OneDrive/SharePoint) Yes No, local files only
Open source No No Yes, GPL-3.0

How to Lock OneNote Down (If You Stay)

  1. Turn on two-factor authentication for your Microsoft account. The realistic threat to your notebooks is account takeover, not Microsoft.
  2. Put sensitive material in a password-protected section, with a password you do not use anywhere else, and accept that forgetting it means losing the content.
  3. Set sections to re-lock quickly (File, Options, Advanced, Passwords in the desktop app).
  4. Keep credentials out entirely. Passwords belong in a password manager such as Bitwarden, not in any notes app, locked or otherwise.
  5. Audit what is already there. Years of OneNote accumulate scans of IDs, tax notes, and medical details. Anything you would not email to support belongs in an encrypted local file, not a cloud notebook.

Verdict

For coursework, meeting notes, projects, and anything you would share anyway: OneNote is excellent and free, and none of this page should scare you off it. Secure the account and carry on.

For genuinely private content: OneNote is safer than Keep or Samsung Notes because password-protected sections exist, but the protection is manual, partial (sections only, names visible), and wrapped inside a cloud account that remains the real attack surface. If the private material is the point, keep it out of the cloud entirely: on a Windows machine that means a locally encrypted file, which is exactly what Scrib Desktop does for free, with the source code public. On Android, Scrib encrypts every note on-device with no account at all.

Common Questions

Is OneNote end-to-end encrypted?

No. OneNote notebooks are encrypted in transit and at rest on Microsoft's servers, but Microsoft holds the decryption keys. The one exception is a password-protected section, which is encrypted with a key derived from your password so that the section content is unreadable without it.

Can Microsoft read my OneNote notebooks?

Technically yes, for everything outside password-protected sections. Consumer notebooks live in OneDrive, where Microsoft holds the keys, can respond to valid legal requests, and applies automated scanning to stored content for policy violations under its services agreement. Password-protected sections are encrypted with your password and are the exception.

Are OneNote password-protected sections secure?

They are the strongest privacy feature OneNote has. Protected sections are genuinely encrypted using your password, locked sections are excluded from search, and Microsoft cannot reset the password if you forget it, which means the content is unrecoverable without it. Limits: protection works per section only, not per notebook or per page, and section names stay visible.

Is OneNote safe for passwords or sensitive documents?

Not as normal notes. Anything outside a password-protected section is readable by whoever controls your Microsoft account and, technically, by Microsoft. For credentials use a dedicated password manager. For sensitive text on a Windows PC, a locally encrypted file that never syncs is the stronger option.

Can I use OneNote without the cloud?

Mostly no. Modern OneNote is built around notebooks stored in OneDrive or SharePoint, and offline access works from cached copies that sync when you reconnect. Local-only notebooks are a legacy feature of the older OneNote 2016 desktop app, not the current versions. If local-only is the requirement, use an editor designed for local files.

Keep Reading

Scrib Desktop for Windows

A free, open source editor that encrypts files with AES-256 on your machine. No account, no cloud, no telemetry. Extract the zip and run.

Download for Windows →

Also on Android: Scrib, free on Google Play.

Get Scrib Free