════════════════════════════════════════════════════════════════════════════════
The ruttor was the most guarded document in maritime history. Portuguese pilots carried handwritten notebooks containing routes, soundings, tidal patterns, coastal approaches, and safe harbors built from years of their own voyages. The Portuguese crown treated these notebooks as state secrets: possession of a ruttor by a foreigner was a capital offense. When Francis Drake captured a Portuguese pilot off the Cape of Good Hope, the ruttor he found aboard changed the course of English navigation entirely.
The standing order for every pilot whose ship was about to be taken was absolute: the ruttor goes overboard before they board. You could lose the ship. You could not lose what was written down.
RUTTOR applies the same doctrine to digital field notes. What you write here does not leave this machine unencrypted. It does not sync to any cloud. It does not touch any server you did not build. When the device is locked, the notes are locked. When you invoke the burn command, they are gone the way a ruttor is gone after a quarter mile of saltwater: completely and permanently.
Everything you write somewhere becomes evidence of something.
Standard notepad applications were not built for operators. Apple Notes syncs to iCloud and is accessible to anyone with your Apple ID. Notion stores your content on their servers and acknowledges this in their terms. Obsidian with sync is Obsidian without privacy. Even local-only editors write draft buffers, autosave files, and recovery states that can be extracted from a filesystem image without ever touching your app.
RUTTOR was built on a different assumption: that some notes cannot be allowed to surface, and that the operator controls exactly when and how they are destroyed.
Every note is encrypted individually with AES-256-GCM before it touches the filesystem. The key lives in memory for the duration of an active session and is zeroed on lock, focus loss, or screen lock. There is no sync, no telemetry, no update check, and no network request of any kind. RUTTOR does not know your name. It does not know what you write. It cannot be compelled to produce what it was never designed to store.
The burn command does not move notes to Trash. It applies cryptographic erasure to the individual note, section, or entire notebook and overwrites the storage location. What is burned cannot be recovered.
Write what you need to write. Keep it as long as you need to keep it. Burn it when the voyage is over.
────────────────────────────────────────────────────────────────────────────────
PROTOCOL 01 - PLAINTEXT EXPOSURE
THREAT ▸ Notes written in standard applications are stored in plaintext and synced to third-party servers you did not authorize. Device backups, cloud access, and legal process can expose their contents.
RUTTOR encrypts every note individually before it touches the filesystem. No sync, no cloud, no server. If a backup or forensic image is taken while the session is locked, the notes are encrypted ciphertext. The key no longer exists in memory.
PROTOCOL 02 - DEVICE SEIZURE
THREAT ▸ A seized or inspected device exposes everything in the standard notes ecosystem. Standard disk encryption protects at rest but anything accessible through the notes app is immediately readable upon unlock.
RUTTOR locks the moment the screen locks or the app loses focus. The key is zeroed. Active session data does not persist. Forensic access to the device does not grant access to note contents without the passphrase and an active session.
PROTOCOL 03 - BURN BEFORE HANDOVER
THREAT ▸ An operator needs to destroy a specific note or section before handing over the device, crossing a border, or ending an operation. Standard deletion is forensically reversible.
The burn command applies cryptographic erasure to the target and immediately overwrites the storage location. Individual notes, sections, or the entire notebook can be burned in seconds from the command bar. The operation is irreversible and leaves no forensic artifact of the note content.
────────────────────────────────────────────────────────────────────────────────
NIST CERTIFIED — THE SAME STACK FEDERAL AGENCIES ARE CURRENTLY SCRAMBLING TO ADOPT
STANDARDCERTIFICATIONCLASSIFICATIONOPERATIONAL DETAIL
AES-256-GCMPer-Note EncryptionNOTE-LEVEL ISOLATIONEach note is encrypted with AES-256-GCM using a key derived per session from the master passphrase. The key exists only in volatile memory. It is never written to disk. It is zeroed immediately on any lock event. Notes at rest are encrypted ciphertext with no plaintext representation on the filesystem.
Argon2id128 MiB Memory CostFIPS-ALIGNED KDFKey derivation uses Argon2id with a 128 MiB memory cost, consistent with the DJL cryptographic stack. This ensures that offline brute-force attacks against the master passphrase are computationally expensive regardless of attacker hardware.
BLAKE3 IntegrityPer-Note SignaturesTAMPER DETECTIONEvery note carries a BLAKE3 signature computed at write time. On open, RUTTOR verifies the signature. Any modification made to note storage outside the application is detected and flagged before the note is rendered.
No Temp File WritesIn-Memory CompositionZERO PLAINTEXT ON DISKAll editing, composition, and preview operations run entirely in memory. Nothing is staged to a temp directory, OS swap, or autosave buffer. The only disk write is the final encrypted commit when a note is saved.
No Network AccessFully OfflineAIR-GAP SAFERUTTOR requests zero network permissions at the OS level. It makes no telemetry calls, no update checks, and has no sync architecture to disable. The application is structurally incapable of transmitting note contents.
────────────────────────────────────────────────────────────────────────────────
Per-note AES-256-GCM encryption: each note encrypted separately before touching the filesystem; key derived from master passphrase via Argon2id; zeroed from memory on any lock event
Instant lock: automatically locks on screen lock, app focus loss, lid close, or manual trigger; key overwritten immediately; no delay, no grace period
Burn command: cryptographic erasure plus storage overwrite for a single note, a section, or the entire notebook; invoked from the command bar; irreversible; bypasses Trash entirely
Zero-sync architecture: no iCloud, no Dropbox, no LAN sync, no servers of any kind; RUTTOR requests no network permissions and makes no outbound connections
Markdown rendering: write in plain text, view fully rendered; supports headers, tables, nested lists, code blocks, task lists, inline code, and strikethrough
Folder and section organization: notebooks organized into named sections with configurable ordering and per-section color coding
Secure full-text search: encrypted search index; query terms are never written to the filesystem or stored outside the active session
Quick-capture hotkey: global shortcut opens a minimal compose window from any app; note is encrypted before the window closes
Export with passphrase: export any section as an encrypted archive; the passphrase is set at export time and required for decryption; RUTTOR is not required to decrypt
Tamper detection: BLAKE3 signature on each note entry; any modification made outside RUTTOR is flagged with a warning on next open
DMS integration: optionally link to DJL Dead Man's Switch; if DMS fires, RUTTOR automatically burns the entire notebook before shutdown
────────────────────────────────────────────────────────────────────────────────
⚠ Single-operator license. Burn operations are irreversible; verify targets before execution. No recovery mechanism exists for burned notes. Not for redistribution. Export archives require the passphrase set at export time; RUTTOR cannot recover a lost export passphrase.
════════════════════════════════════════════════════════════════════════════════
ACQUISITION_COST: $29.99 USD
SECURE PAYMENT VIA STRIPE · INSTANT DIGITAL DELIVERY · VERIFIED PRIVATEERS ONLY