
Encrypt or not encrypt?

#1

Hi, Joplin community.

Joplin is the amazing Evernote alternative I have been seeking for a long time.
Having used Evernote for many years, I am more and more afraid of losing my huge collection of knowledge in case they decide to cancel my account or the whole service altogether.

I really appreciate your effort and now I’m migrating my 3800+ notes including about 1.5GB of images (the majority of my notes are web clips).


Now I’m at the stage of deciding whether to encrypt or not to encrypt.

At first sight, the answer is easy - always encrypt.


But the encryption solves data protection just on the remote synchronization storage, not for the local copy.

With encryption enabled, all my images in the resources directory are encrypted, while an unencrypted copy is kept as well. The size of the encrypted image is about 1.5-1.8x bigger than the original one.

The resources directory now occupies 4GB instead of the previous 1.5GB.
When I decide to use the filesystem for synchronization, it requires another (about) 2.5 GB for the sync directory.

6.5GB of required space for 1.5GB of data is not a big deal on my home PC but definitely an issue on my mobile phone.

I will use my private virtual server as the sync repository; synchronization itself will use TLS on the network.

As the ratio between the confidentiality level of my notes (almost nothing confidential) and the probability of unwanted reading of my virtual server's disk is acceptably low for me,
I have decided not to use Joplin encryption.

Did I miss something important about why I should stay with Joplin encryption or not?

Many thanks.
//Rado1

#2

At this point, if you have so much data, it’s indeed probably better not to use encryption just yet, especially if you don’t have any sensitive data in there.

There are changes coming in that might help handle your data:

  • An option to download resources only on demand. It’s mainly useful on mobile as it means you’ll have your note, but you only download the resources as needed. In your case, it will save about 4GB on your phone.

  • Maybe something to clean up the .crypted files left behind. Originally I left them there because they can be occasionally (but rarely) useful. So a future update will probably have these files cleaned up, which again in your case will save a lot of data.

Once this is in, it might make sense for you to turn on E2EE (following the guide on https://joplinapp.org/e2ee/)

#3

Hi, @laurent

Currently, to get rid of Evernote as fast as possible, I will go the non-encrypted way.
After the improvements you described, I will consider the encryption later.

Many thanks.

#4

Since I’m using my own cloud system on my own server (with full disk encryption), I’m not encrypting the data. IMO encryption would only make sense if you used a public cloud service or WebDAV server which is not under your control. But that’s just my opinion.

#5

Hi, @tessus.

I have the same feeling. I just want to be sure I didn’t miss some area.
Thanks.

#6

Do you have the machine physically at home (or at work, whatever)? Or is it some shared hosting/cloud scenario, where you have the machine under your control?

#7

I am seeking an Evernote replacement.
The kind of data I was willing to share with Evernote I can store on my virtual server hosted by somebody.
The level of data confidentiality and the level of risk that somebody accesses my data are in balance for me.

#8

I have a physical server at a datacenter. Shared host/cloud is not secure at all. As soon as someone has access to the hypervisor, all data (this includes encrypted data) is compromised. The cloud or shared host provider always has access to the hypervisor.
It is very easy to create a mem dump from a VM and retrieve keys and passwords.

#9

That’s why I’d asked. :)