Penkeep is a WYSIWYG markdown editor with first-class comments and per-file encryption. Lock the sensitive note in place — threat-model.emd sits right next to your plaintext, unreadable to every agent, sync client and backup daemon that isn't you with the passphrase.
Prompt-injection guards, model firewalls, agent sandboxes — the whole industry is hardening the LLM. Meanwhile the thing the agent actually reads and writes — your documents — sits in plaintext on your disk, readable by every process, sync client and backup that touches the folder.
Penkeep flips one file at a time. The repo stays plain and agent-readable; the sensitive note becomes an .emd that opens only with your passphrase.
No vault to set up, no account to create, no key to manage on a server. Just you and a passphrase.
Open any .md and write in true WYSIWYG markdown — comment inline, drop in math, diagrams and code like any other note.
Hit lock, type a passphrase. Penkeep derives a key with Argon2id and rewrites the file as an encrypted .emd in place — comments and all.⌘ L
Double-click and it asks for the passphrase — on any Mac, Linux box or Windows PC. Nothing device-specific is baked in; the passphrase alone is the key.
Not a crypto container bolted onto a text box — a markdown editor people actually want to write in, where any file can go dark with one click.
TipTap 3 / ProseMirror. Markdown stays the source of truth on disk — round-trip fidelity is a hard invariant.
No cloud, no account, no telemetry. Your multi-root workspaces, files and every setting live on disk under ~/.penkeep — nothing ever leaves your machine.
KaTeX math, Mermaid diagrams, code with language selection, wiki-links, tags, snippets and templates.
Lock one file, not a whole vault. .emd lives next to .md in the same folder, no separate store.
Share an encrypted file with several people or agents — each unlocks with their own key, no shared passphrase. Every edit and comment is signed, so authorship traces to a real identity.
Encrypt, decrypt and inspect from the terminal — pipe to grep/less. Headless and scriptable, so CI, servers and LLM agents can unlock just what you allow and write back encrypted — no plaintext left behind.
Google-Docs-style inline threads that persist as plain markdown — the marker survives any renderer, thread data lives beside the file.
Every save snapshots locally with diffs and one-click restore — or back your history with git, kept locally or pushed to GitHub. Your call.
The file on disk is the source of truth. When a teammate's sync, another app, or an agent changes it, Penkeep sees it instantly — reloading clean files and flagging conflicts before you overwrite.
Captured from Penkeep running on macOS — everything below is local, on disk, no cloud in sight.

Every save is snapshotted locally with a full diff — restore any point in seconds, deduplicated by content hash, and switchable to your git log. Snapshots are turned off for encrypted .emd files by design, so nothing plaintext ever hits disk.

True WYSIWYG markdown with the outline a keystroke away, tabs, tags and a multi-root file tree. A fast native app first — the lock is just always within reach.
Standard, audited algorithms orchestrated in Rust — no home-rolled crypto. Every parameter is documented, and we publish exactly what's protected and what isn't.
No server, no account, no key escrow. The passphrase alone opens any file, any device, any OS.
Lost passphrase = lost file. No backdoor, no second credential — a deliberate reduction of attack surface.
Chained header-MAC then AEAD. "Frankenstein" attacks — header from one file, body from another — fail closed before a byte is decrypted.
Thread data is bundled inside the .emd body — commenting on a secret never leaks it to Finder, git or Dropbox.
We don't oversell it. The threat model is published, not spun — including the residue limits of decrypted text in memory. Read exactly what Phase 1 protects →
No account. A license key unlocks Penkeep on up to three devices you own.
📱 iOS coming Q4 2026 — the .emd format is byte-identical on every platform, so your encrypted notes open on the phone with the same passphrase.