How secure is this?

Friend of mine showed me a couple of weeks ago how he uses to almost anything. I started using it but realized that I sometimes didn’t want to write my deepest ideas there because I was afraid that some hacker might get hands to it. I started planing to move my notes local. I looked some markdown editors and found Typora. It seemed great and I installed it but then I started searching how secure it really is and realized that they have a checkbox “send anonymous data” which scared me off from the software. If they can collect data (of course I needed to approve it) they might also collect my notes. After this I just thought that I’m going to use plain text editor because at least that way no one will get access to my files. Then I found Joplin. This seems great and if I don’t connect it to cloud services it seems fully local. Could someone explain is there any risk that the people who created this could somehow get my files if they wanted? Another thing that scared me in Typora was that they stored backup of the notes automatically to somewhere in the computer and I don’t want this. I probably will have encrypted USB where I use the files and I never want them to be backed up some computer without me noticing.

Most likely not. Unless you hand someone your computer, give them the firmware password, and decrypt the hard disk for them. Then they’ll have access to all your data on your computer. Unless you have additional encrypted containers for certain data, e.g. the profile directory and sqlite database for Joplin. If you give them that password too, then yes, they will have access to your Joplin data.

There are 3 reasons (all under your control) why Joplin would connect to the outside world:

  • if you check Save geo-location with notes in settings, the app will connect to a public API to retrieve the location data
  • if you check Automatically update the application in settings, Joplin will access github to check for a new release
  • if you setup a sync target, the data will be synced to the target

What tessus said is all correct, I’ll just add an example on to it.

No, Joplin doesn’t collect your data or send it anywhere by default. So if you encrypt your hard drive, or use the Portable version that’s available for Windows and put it on an encrypted USB drive, you should be set.

Furthemore, if you turn on sync, you can also enable end-to-end encryption and use your own storage. (Either in some public cloud, like OneDrive, or your own thing like NextCloud). The E2EE bit makes sure that even if the cloud got hacked and all the data got stolen, it’s still not possible to decrypt them - the decrypted version of your files never leaves your computer.

All of that is entirely optional and off by default; Joplin by itself doesn’t even offer any ‘default’ sync target.

I’ve been using the Encrypted USB + Joplin Portable combo for some time now and am satisfied with it.


Okay then this is perfect. I appreciate that you aren’t like some alternatives collecting data. I probably don’t ever want to use sync although it should be secure but it’s definitely valuable option to have.

Now I found two big problems with this. First of all it’s saving the files to somewhere and it seems like I can’t change that location. I haven’t found it yet. The second thing is that when I synced it to another directory the files were named using random number and character format. This makes it impossible to modify the files without the software for example if you are using another computer that’s not yours. I hope the names could be more descriptive to solve this problem.

A lot of those things have been answered around the forums, so if you want more info, search.

But here’s a quick off-the-top-of-my-head recap:

  • setting your profile directory is indeed not possible. There is an unsupported option for the CLI client, and when you use the Portable version, the files are in the same directory as the .exe, right next to it. I don’t even know which version or which OS you’re using, but AFAIK this is about it.
  • Joplin takes care of its own data. You’re not supposed to edit them I wouldn’t get my hopes up for friendlier names for now.
  • Technically, the notes are in the SQLite database, so you can always read them from there. Hypothetically, also edit them.
  • You’re not supposed to sync the profile data yourself - you might mess something up. Did you use the built-in sync into a directory? If yes - that is there to let Joplin instances sync (either just locally, or from a network location). Do not edit the files manually and expect everything to work in Joplin; that’s not what the sync feature is for.

That’s the gist of it, if I’m not wrong somewhere. Again, for more info, search the forum or the web.

BTW: you’re afraid of your notes being unencrypted somewhere, but then want to copy them overt to someone else’s computer for editing? What did I miss?

HTH. Enjoy.

1 Like

Some of it is answered in the FAQ too:

Also you don’t want to sync, but you sync with a directory anyway, then you want to edit the synced files directly? Why not in that case have some Markdown files you edit yourself?

1 Like

Thanks for answers. I’m actually using Ubuntu 19 but I can figure out where the files are probably pretty easily. I have actually thought about editing Markdown files just by myself but I thought that this kind of visualization might be easier sometimes. Maybe because there is no flexibility to use just basic text editor to modify the files but always requires the software I might not want to use this. But thanks for answers and I will figure out the rest by myself and also think if this is a good for my needs.