OneNote Section Encryption — Reference
TL;DR — OneNote allows password-protecting individual sections (not the whole notebook). Each protected section is independently encrypted with AES-128 using a SHA-1-based KDF. Recovery feasibility is similar to other Office password schemes — it depends on the complexity of the chosen password rather than the cipher.
How OneNote section protection works
OneNote organises content as Notebooks → Sections → Pages. Section protection (right-click section → Password Protect This Section) encrypts the section's content while leaving the notebook structure intact. Other sections remain accessible without the password.
The encrypted section uses AES-128 in CBC mode. The key is derived from the password through SHA-1 with multiple iterations. The encryption metadata is stored in the .one file format alongside the encrypted block.
When a section is locked, OneNote shows the section name in the navigation tree but displays a 'Password required' placeholder for the content. Authentication unlocks it for the current session.
Recovery characteristics
OneNote section recovery is fundamentally a password-search problem, similar to Office 2007+ documents. The cipher is sound; recovery feasibility depends on password complexity.
OneNote sections often have weaker passwords than file-open Office documents because users perceive the protection as casual (locking a section of personal notes) rather than as primary access control. This frequently makes recovery more feasible than equivalent Office file passwords.
OneNote 2013, 2016, 2019, 2021, and Microsoft 365 use the same encryption baseline. OneNote for Mac (deprecated) and OneNote for Windows 10 (separate from desktop OneNote) use compatible formats.
OneNote 2003 vs modern OneNote
OneNote 2003 used a much weaker encryption scheme — closer to Office 97-2003 binary format protection. Recovery for that generation is usually fast.
OneNote 2007 onwards moved to the modern AES-128 baseline. Most files in the wild today are this generation.
Notebook-wide considerations
OneNote does not protect entire notebooks at the encryption level — only sections. This means if you have a 50-section notebook with 5 protected sections, the other 45 sections are entirely unencrypted in the .one files. Sensitive information mixed across protected and unprotected sections leaks.
OneNote files synchronise to OneDrive or SharePoint. The encrypted sections remain encrypted in the cloud copy. Microsoft cannot decrypt customer-protected sections without the password.
Free check value for OneNote
Because OneNote section passwords are often relatively casual, the free check phase recovers many of them quickly. We honestly run the free check before any paid attempt and only proceed to paid if free didn't succeed.
If your OneNote section was protected with a manager-generated 14-character random password, recovery is unlikely to succeed and we'll tell you that early.
Frequently Asked Questions
Are entire OneNote notebooks encrypted?
Can I recover OneNote 2003 sections?
Will OneDrive sync after recovery?
What about OneNote for Web?
Is there a separate Hashcat mode for OneNote?
Does the free check apply to OneNote files?
Related references
Have a file in this category?
Start with a free analysis. The encryption type is detected in your browser, then a free check runs through fast techniques before any paid attempt. You only pay if a recovery actually works.
Run a free Office analysis