How can we be sure that you've implemented E2E encryption securely?

Hi,

I’ve recently started using Joplin and I’m a huge fan of the project - keep up the great work!

I’m currently only using Joplin on my desktop but my goal is to start synchronizing my data across multiple devices in a way that doesn’t compromise my security or privacy.

The obvious solution is to self-host my data but I unfortunately don’t have time to set that up at the moment. Therefore, the only alternative that would fulfill my goal would be to: (1) enable E2E encryption and (2) sync to Dropbox or one of Nextcloud’s recommended providers.

Before I start doing this I would like some assurance that Joplin’s E2E encryption is secure enough to prevent eavesdropping from a third-party cloud service provider.

I would like to know:

  1. Has Joplin ever received a comprehensive security audit?
  2. Have you written tests for the encryption process?
  3. Are the encryption algorithms strong enough to protect my data from being read by third-party cloud provider threats?

Many thanks,
aoao


Hi,

  1. There hasn’t been any comprehensive security audit yet.
  2. Yes there are test units for the encryption service and integration tests for E2EE.
  3. The crypto is using SJCL at the moment. I followed industry standards as closely as possible and there are currently no known issues.

Thanks for being up-front about this @laurent.

I won’t feel comfortable relying on Joplin’s E2E encryption to protect me from eavesdropping by third-party cloud service providers until the relevant code has been through an independent security audit. Unfortunately, it’s trivially easy to get encryption wrong (and even more likely if, like in this project, you’re not coding in a statically-typed language).

Are there any plans to undergo an independent security audit in the near future? I’d definitely be willing to donate to help cover some of the cost (and I’m sure others would too).

Without this assurance, I’m tempted to switch to competing software which has completed an independent security audit.

By the way, if you’re not sure who to hire to do the independent security audit, check out Cure53 - they’ve got an excellent track record.

Thanks for the info. I’m also very keen to get the app audited but not sure how to set this up actually.

I guess the first step would be to get a quote from a firm to know how much it would cost, but then how do open source projects usually get funding for this? Do they set up a Kickstarter or something?

@laurent, I’d recommend you scan tickets for this in other OS projects.

For example, this one in Bitwarden’s repository has some very good information that could help you.

I hope that’s helpful.

Yes, it is hard to get this right, and even if it is OK today a bug could be introduced tomorrow. Historically, most of the errors turn out to be in the way the keys are managed, not the actual encryption.

The weak link, however, is on your local device. The entire notes database is stored in plain text. You would need to encrypt the local disk to make your PC secure.

Another idea is to find a way to use a service like “sync.com” to sync Joplin notes. Sync.com uses end to end encryption. I think I might try syncing my notes to a local folder that is actually synced using E2E.

The best plan would be to set up your own server and use whole disk encryption on that server as well as on the PC.

gofundme I think is one option?

Would only work if you can get people to know about it and contribute. If you can get promo'd on that site or some others somehow, it would also increase your users.

The above post is so not what I was quoting o.0 Including the correct quote in this post