diff --git a/src/public/app/services/protected_session_holder.js b/src/public/app/services/protected_session_holder.js
index fc041b51e..be2dfc500 100644
--- a/src/public/app/services/protected_session_holder.js
+++ b/src/public/app/services/protected_session_holder.js
@@ -1,5 +1,6 @@
 import utils from "./utils.js";
 import options from './options.js';
+import server from "./server.js";
 
 const PROTECTED_SESSION_ID_KEY = 'protectedSessionId';
 
@@ -23,11 +24,11 @@ function resetSessionCookie() {
     utils.setSessionCookie(PROTECTED_SESSION_ID_KEY, null);
 }
 
-function resetProtectedSession() {
+async function resetProtectedSession() {
     resetSessionCookie();
 
-    // most secure solution - guarantees nothing remained in memory
-    // since this expires because user doesn't use the app, it shouldn't be disruptive
+    await server.post("logout/protected");
+
     utils.reloadApp();
 }
 
diff --git a/src/routes/api/login.js b/src/routes/api/login.js
index 7a16566a9..159e43be1 100644
--- a/src/routes/api/login.js
+++ b/src/routes/api/login.js
@@ -78,6 +78,12 @@ function loginToProtectedSession(req) {
     };
 }
 
+function logoutFromProtectedSession() {
+    protectedSessionService.resetDataKey();
+
+    eventService.emit(eventService.LEAVE_PROTECTED_SESSION);
+}
+
 function token(req) {
     const username = req.body.username;
     const password = req.body.password;
@@ -101,5 +107,6 @@ function token(req) {
 module.exports = {
     loginSync,
     loginToProtectedSession,
+    logoutFromProtectedSession,
     token
 };
diff --git a/src/routes/routes.js b/src/routes/routes.js
index 006edfbe9..3a3e5e784 100644
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@@ -270,6 +270,8 @@ function register(app) {
     route(POST, '/api/login/sync', [], loginApiRoute.loginSync, apiResultHandler);
     // this is for entering protected mode so user has to be already logged-in (that's the reason we don't require username)
     apiRoute(POST, '/api/login/protected', loginApiRoute.loginToProtectedSession);
+    apiRoute(POST, '/api/logout/protected', loginApiRoute.logoutFromProtectedSession);
+
     route(POST, '/api/login/token', [], loginApiRoute.token, apiResultHandler);
 
     // in case of local electron, local calls are allowed unauthenticated, for server they need auth
diff --git a/src/services/events.js b/src/services/events.js
index 0d38f4e3f..826afeb6a 100644
--- a/src/services/events.js
+++ b/src/services/events.js
@@ -2,6 +2,7 @@ const log = require('./log');
 
 const NOTE_TITLE_CHANGED = "NOTE_TITLE_CHANGED";
 const ENTER_PROTECTED_SESSION = "ENTER_PROTECTED_SESSION";
+const LEAVE_PROTECTED_SESSION = "LEAVE_PROTECTED_SESSION";
 const ENTITY_CREATED = "ENTITY_CREATED";
 const ENTITY_CHANGED = "ENTITY_CHANGED";
 const ENTITY_DELETED = "ENTITY_DELETED";
@@ -47,6 +48,7 @@ module.exports = {
     // event types:
     NOTE_TITLE_CHANGED,
     ENTER_PROTECTED_SESSION,
+    LEAVE_PROTECTED_SESSION,
     ENTITY_CREATED,
     ENTITY_CHANGED,
     ENTITY_DELETED,
diff --git a/src/services/note_cache/note_cache_loader.js b/src/services/note_cache/note_cache_loader.js
index a022e6c6e..e5aa03eea 100644
--- a/src/services/note_cache/note_cache_loader.js
+++ b/src/services/note_cache/note_cache_loader.js
@@ -177,6 +177,10 @@ eventService.subscribe(eventService.ENTER_PROTECTED_SESSION, () => {
     }
 });
 
+eventService.subscribe(eventService.LEAVE_PROTECTED_SESSION, () => {
+    load();
+});
+
 module.exports = {
     load
 };
diff --git a/src/services/protected_session.js b/src/services/protected_session.js
index 3decbe960..b86af84e6 100644
--- a/src/services/protected_session.js
+++ b/src/services/protected_session.js
@@ -5,7 +5,7 @@ const log = require('./log');
 const dataEncryptionService = require('./data_encryption');
 const cls = require('./cls');
 
-const dataKeyMap = {};
+let dataKeyMap = {};
 
 function setDataKey(decryptedDataKey) {
     const protectedSessionId = utils.randomSecureToken(32);
@@ -29,6 +29,10 @@ function getDataKey() {
     return dataKeyMap[protectedSessionId];
 }
 
+function resetDataKey() {
+    dataKeyMap = {};
+}
+
 function isProtectedSessionAvailable() {
     const protectedSessionId = getProtectedSessionId();
 
@@ -71,6 +75,7 @@ function decryptString(cipherText) {
 module.exports = {
     setDataKey,
     getDataKey,
+    resetDataKey,
     isProtectedSessionAvailable,
     encrypt,
     decrypt,