Homepage    |    Wiki    |    GitHub    |    Twitter

How to store Joplin notes in Cryptomator

I've been trying and failing to get Cryptomator to provide at-rest encryption of Joplin notes on a Linux/Ubuntu system. In the second half of this post I've detailed my process and I'd love help on sorting it out!

I am new to Joplin but have spent many hours researching this process, mostly on this discussion forum. I am migrating from Evernote to Joplin for security reasons. I note previous discourse on (a) incorporating at-rest encryption into Joplin and (b) using third party tools to provide at-rest encryption for Joplin notes, including this thread with this quote:

And I note the recommendation to use symbolic links on linux systems for this purpose.

I haven't found a clear guide for integrating Joplin with Cryptomator, in spite of several suggestions that it can work. Perhaps this thread can establish such a guide.

My process is this:

  • Install Snap version of Joplin (v2.6.10)
  • Open Joplin to initiate creation of the standard application files and user profile.
  • Close Joplin to free these files from locking/use by the application.
  • Copy these files, i.e., the folder $HOME/snap/joplin-desktop/ to a location in my Cryptomator vault. Note, the vault has to be open for this to work.
  • Delete the original folder ($HOME/snap/joplin-desktop/) and replace it with a symlink to the location in the Cryptomator vault.
  • Try to open Joplin (via the Ubuntu GUI)
  • Discover that Joplin won't open!

I've done this process twice and checked the operation of the links with a file manager, so I'm confident that the process I've described has been conducted as stated. After the first time, I deleted the symbolic link and copied the Joplin files back to their original location ($HOME/snap/joplin-desktop/). I was then able to open Joplin as per normal again.

I know that the unlocked Cryptomator vault presents itself as part of the user's home folder, while storing the encrypted files elsewhere. I don't know if this relates to my problem! In my case, both the unlocked vault and the encrpyted file storage are within my home directory.

Joplin Version: Joplin 2.6.10 (prod, linux) - Snap version
My OS: Ubuntu 20.04

A significant amount of Snaps sandboxing model is enforced by AppArmor. AppArmor is heavily based on filesystem paths and AppArmor is smart enough to identify a symlink as a different path. By moving the location of the folder with a symlink, you're probably removing a lot of its permissions to read and write data, and if you looked at the AppArmor audit logs, you'd probably find plenty of access denied messages from this.

At a minimum, you'd need to consider using something like a Bind Mount, which AppArmor is blind to and would work as you're expecting to, but in all honesty, I'd actually just recommend using the AppImage here. The automatic update model for snaps is significantly more complex than the upgrade model for AppImages, and I wouldn't like for you to discover that changing the paths like this opens up bugs because it wouldn't be tested.

3 Likes

Thank you @james-carroll - I followed your advice and used the AppImage instead instead of the Snap version of the app. For anyone wanting to know, my installation process was:

  • Open my Cryptomator vault and create a folder somewhere in it for Joplin - let's call it /my/vault/Joplin
  • Copy the AppImage file (v2.6.10) into that folder and give it permission to run as an executable.
  • Double click on the file to open Joplin and initiate creation of the standard application files and user profile. These will be created at ~/.config/joplin-desktop/
  • Close Joplin to free these files from locking/use by the application.
  • Copy these files, i.e., the folder ~/.config/joplin-desktop/ to the chosen location in my Cryptomator vault, /my/vault/Joplin.
  • Delete the original folder (~/.config/joplin-desktop/) and replace it with a symlink to the location in the Cryptomator vault.

I've opened and closed Joplin several times, and added notes, both before and after restarting the computer. All seems to be working well.

1 Like

You can do it also without link:
Joplin-2.6.10.AppImage --profile /my/vault/Joplin/joplin-desktop

This is true but AFAIK, it means that Joplin must be opened in this way EVERY TIME. If not, Joplin will open with another/separate profile at the default location (~/.config/joplin-desktop/) and operate on an independent set of notes.

That's right. I have written a little script with that command and I run it instead of the long one.

1 Like