I searched around and noticed that the password might be stored locally as well.
Actually, I'm new to using Joplin and have only just enabled E2EE. But I think it's not the solution I expected. It stores the typed password and will not ask again, even after exiting the program, which means everyone is able to access the data unless the whole disk is encrypted, but that is also very heavy for many users.
I've used Symantec PGP Desktop for years; they treat the encrypted disk as static and provide an option for a session timeout, for example 15 minutes. You need to enter the password again if the disk has been idle for longer than 15 minutes.
Let's return to Joplin. I think an acceptable approach would be a similar option, 'do not save the master key's password locally', and instead cache it in memory.
Encrypt the data again after it has been idle for some time. If the user wants to access his data, he just inputs the password again. Many people forget their password because they don't get the chance to use it.
Joplin does not encrypt your local note data even with End-to-End Encryption (E2EE) enabled.
E2EE is not a method of encrypting the local note data on your device. It is for when the data leaves your device and is no longer under your control. It is a method of encrypting your data as it moves between clients. These are the "Ends" in the name.
When you send data without E2EE to the sync server it is encrypted by HTTPS. However when that data is stored on the sync server HTTPS no longer applies (the transfer is complete) and it is no longer encrypted. This means that whoever controls the sync server can technically access your note data.
Enabling E2EE means that the data is encrypted by your Joplin client as it leaves you. As it travels to the sync server it is encrypted by E2EE and HTTPS. But when it lands on the sync server it is still encrypted by E2EE. This means that whoever controls the sync server cannot access your note data, as it stays encrypted until it is downloaded and decrypted by your other Joplin client(s).
I believe that Windows and Mac use their encrypted keychains to store the password. On Linux it is stored in the Joplin database. There is an option in the settings to enable keychain support on Linux (General > Show advanced settings) although it states, "This is an experimental setting to enable keychain support on Linux".
Yes, I know how E2EE works. I set up my own Nextcloud to save data via HTTPS too, to protect my data.
The point is, Joplin puts a huge amount of work into protecting the transmission, but misses protecting the local data. You know, Joplin has a huge user base, and users' environments are so different. I see many people asking for a password to protect the data if they leave the device for a while or share the machine with someone else. Actually, I don't think providing a shield for the local data and at start-up is a huge change against the encryption design for the cloud.
Will you consider scheduling this improvement in the near future?
It's not for me to consider as I am not one of the project developers. I am just a long time user that helps out on the forum. However I can say that, as you have seen, there have been numerous requests on this forum to consider adding local encryption.
It's hopeful that many users need this feature. I'm just new, having switched from Evernote. I was looking for a convenient note app to write things down.
Joplin is good, but it's not complete yet in terms of privacy protection.