What encryption actually is, in plain words.

I’ve read the word “encrypted” on more apps than I can count, and most of the time it tells you almost nothing. Here’s what it really means, the way I’d explain it to a friend.
Every app you use will tell you your data is encrypted. It’s on the login screen, the pricing page, the little padlock in the corner of the browser. And because it’s on everything, it’s stopped meaning much. I’ve spent more time on that one word than I’d care to admit, building a notes app where it actually has to be true, so here’s how I think about it. No maths. No padlock pictures.
Underneath, encryption is an old and simple idea. You take a message, turn it into nonsense nobody can read, and make sure only the right person can turn it back. That’s the lot. Everything after that is detail about how good the nonsense is, and who’s allowed to undo it.
The whole thing in one sentence
Encryption takes something readable and mixes it into a mess that means nothing on its own. A matching key turns the mess back into the original. No key, and the mess stays a mess.
The readable version is called plain-text. The mixed version is called cipher-text. That’s the entire vocabulary you need to know. Encryption turns plain-text into cipher-text, decryption is turning it back.
A note is just text until you scramble it
Say you’ve got a note on your phone, “dentist Thursday, 3pm”. Stored as it is, anyone who gets at the file reads it straight off. A thief with your unlocked phone. An app you handed too many permissions to. A company keeping a copy on its servers. All of them see “dentist Thursday, 3pm”.
Encrypt it and that same note might sit on the disk as 9f2ac1b0e7..., a run of characters that means nothing. The appointment is still in there, in the sense that the right key brings it back, but on its own it tells a snoop nothing. Not the time, not the day, not that it was ever about a dentist.
People reach for a padlock to explain this and I’ve never liked it. A padlock just stops you getting to the thing. Encryption changes the thing itself. I think of a letter written in a private alphabet. Someone can steal it, hold it to the light, photograph every page, and they’ve still got gibberish, right up until they’ve got the one thing that turns it back into words.
The secret is the key, not the method
Here’s the bit that trips people up. The method used to do the scrambling is usually public. Anyone can go and read exactly how modern encryption works. The recipes are published, picked apart by academics, hammered on for years, and the good ones get trusted precisely because so many clever people have tried and failed to break them.
If the method is public, what keeps your note private. The key. A key is just a secret value, in practice a very long number, that drives the scrambling and is the only thing that reverses it. Same method, different key, and you get a completely different locked-up result.
This is the part I’d tattoo on people if they’d let me. A system is only as private as the answer to one question, who’s got the key. If you’ve got it and nobody else can, the note is yours. If the company has a copy too, then “encrypted” is true and also nearly beside the point, because the people running the thing can read your note whenever they fancy. That question, who holds the key, is what the whole next part of this series is about.
Two flavours you meet every day
You don’t need the maths, but there are two shapes of this worth telling apart, because you bump into both all the time.
The simple kind uses the same key to lock and to unlock. It’s fast, and it’s usually how the notes and files on your own device are kept safe. The catch is obvious, the second you say it out loud. Everyone who needs to read the message, needs that key, so you’ve got to keep it somewhere safe and be careful who you hand it to.
The cleverer kind uses a pair. One half is a lock you can hand out to the whole world. The other half is a key you never share with anyone. Anyone can use your public lock to seal something up for you. Only your private key opens it. That’s the trick that lets two strangers who’ve never met send something secret across the open internet, and it’s what sits behind the padlock in your browser and behind proper encrypted messaging.
Most real setups use both. A public-key is used to agree a shared secret, then the single shared-key method for the actual data. You don’t need to keep track of which is which. Just know that encryption is a collection of related tools, not one single thing.
What “encrypted” doesn’t promise
Because the word gets used as a marketing badge, it’s worth knowing where it stops. Encryption is strong. It’s also a lot narrower than the adverts make out.
It hides what the note says. It doesn’t always hide that a note exists, how big it is, or when you wrote it. That can still leak unless the system is built to cover it too.
It’s only ever as good as the key and who’s holding it. Perfect scrambling with a key the company also keeps is a locked door with a spare under the mat.
And it can’t protect a note while you’re looking at it. On your screen, unlocked, it’s plain text again. Encryption guards your stuff sitting on a disk or moving across a wire, not the moment it’s open in front of you.
None of that is a reason to distrust encryption. It’s a reason to read the claim carefully. “Encrypted?” is the start of the question, not the end of it.
Why any of this matters for your notes
It comes down to one test when you’re picking where your private writing lives. Not “is it encrypted”, which nearly everyone can now say and mean. “Who holds the key.”
When a notes app encrypts your writing with a key only you hold, and the company keeps nothing that can open it, that’s the setup people call zero-knowledge. When the company holds the key as well, your notes are encrypted and also readable by them, which is why a flat “we encrypt your data” tells you far less than it sounds like it does. I pulled that exact thread for one company in can Apple read your notes, and watched a whole country walk into the same question when the UK lost Advanced Data Protection.
If you want the short definitions in one place, the glossary keeps them, and if you’re weighing up apps, the comparison pages line them up on this one point, who holds the key.
That’s the heart of the next part. The method is public, the key is everything, so the whole game is who’s allowed to hold it. We’ll get into that next.
Join the list and we’ll tell you the day Catchlight is ready, with extra time on the free trial.
Early joiners get 30 days free, instead of 14, when we launch, and that’s all we’ll email you about.


