Joplin is an amazing Evernote alternative I have been seeking for a long time.
Having used Evernote for many years, I am still more and more afraid of losing my huge collection of knowledge in case they decide to cancel my account or the whole service altogether.
I really appreciate your effort and now I’m migrating my 3800+ notes including about 1.5GB of images (the majority of my notes are web clips).
Now I’m in the phase of deciding whether to encrypt or not to encrypt.
At first sight, the answer is easy - always encrypt.
But encryption solves data protection just on the remote synchronization storage, not for the local copy.
With encryption enabled, all my images in the resources directory are encrypted, while an unencrypted copy is kept as well. The size of the encrypted image is about 1.5-1.8x bigger than the original one.
The resources directory now occupies 4GB instead of the previous 1.5GB.
When I decide to use the filesystem for synchronization, it requires another (about) 2.5 GB for the sync directory.
6.5GB of required space for 1.5GB of data is not a big deal on my home PC but definitely an issue on my mobile phone.
I will use my private virtual server as the sync repository; synchronization itself will use TLS on the network.
As the ratio between the confidentiality level of my notes (almost nothing confidential) and the probability of unwanted reading of the disk of my virtual server is acceptably low for me, I have decided not to use Joplin encryption.
Did I miss something important about why I should stay with Joplin encryption or not?
At this point, if you have so much data, it’s indeed probably better not to use encryption just yet, especially if you don’t have any sensitive data in there.
There are changes coming in that might help handle your data:
An option to download resources only on demand. It’s mainly useful on mobile as it means you’ll have your note, but you only download the resources as needed. In your case, it will save about 4GB on your phone.
Maybe something to clean up the .crypted files left behind. Originally I left them there because they can be occasionally (but rarely) useful. So a future update will probably have these files cleaned up, which again in your case will save a lot of data.
Since I’m using my own cloud system on my own server (with full disk encryption), I’m not encrypting the data. IMO encryption would only make sense if you used a public cloud service or WebDAV server which is not under your control. But that’s just my opinion.
I seek an Evernote replacement.
The kind of data I was willing to share with Evernote I can store on my virtual server hosted by somebody.
The level of data confidentiality and the level of risk that somebody accesses my data are in balance for me.
I have a physical server at a datacenter. Shared host/cloud is not secure at all. As soon as someone has access to the hypervisor all data (this includes encrypted data) is compromised. The cloud or shared host provider always has access to the hypervisor.
It is very easy to create a mem dump from a VM and retrieve keys and passwords.
I am sorry, but I don’t understand what you are saying. I don’t use a cloud-based service (a VM that can be accessed via a hypervisor), but a bare metal server in a data center.
My transport is encrypted by TLS 1.3, so good luck cracking that forward secrecy. So my data is nowhere unencrypted except the mounted filesystem on my server, which no one has access to. The data center owners have physical access to the machine, but they can’t really do anything. I removed USB and some other useless crap from the kernel…
So, there’s no way to expose unencrypted data, unless one is using http, in which case they should stop talking about security and probably never, ever touch a computer again.
Yes that's correct, in that case you don't need E2EE because the server is physically at home, and data is encrypted in transit. Encryption is useful mostly when the data is sent to a third party server, like Dropbox or OneDrive, or a VPS hosted by a third-party.
Hi, @laurent! Please tell me, as a newbie, what the principle of encryption in Joplin is. On my Mac, I can see unencrypted files: images, PDFs, etc. in the ./resources folder. When I search by extension on the server, in the NextCloud, I can't find images or documents. Does this mean that all my files are encrypted on the cloud and are safe in case a hacker gets access to the server?