Insecure encryption method in Joplin source-code

This is not for public review, this is for Joplin development team
by reviewing your source-code on Github, i found the below code snippet

const handlers: Record<EncryptionMethod, ()=> string> = {
			// 2020-01-23: Deprecated and no longer secure due to the use og OCB2 mode - do not use.
			[EncryptionMethod.SJCL]: () => {
				try {
					// Good demo to understand each parameter:
					return sjcl.json.encrypt(key, plainText, {
						v: 1, // version
						iter: 1000, // Defaults to 1000 in sjcl but since we're running this on mobile devices, use a lower value. Maybe review this after some time.
						ks: 128, // Key size - "128 bits should be secure enough"
						ts: 64, // ???
						mode: 'ocb2', //  The cipher mode is a standard for how to use AES and other algorithms to encrypt and authenticate your message. OCB2 mode is slightly faster and has more features, but CCM mode has wider support because it is not patented.
						// "adata":"", // Associated Data - not needed?
						cipher: 'aes',
				} catch (error) {
					throw this.wrapSjclError(error);

It shows that on 2023-01-23, some developer comments not to use OCB2 cipher-mode as it is not secure. This is correct, as it is well-known that this mode has been attacked. However, it still there in code.

Now, i see some code blocks that use ocb2 mode with aes 128 as above block, and other blocks that use ccm mode with aes 256.

I know that Joplin team has reverted back to aes 128 for performance reasons, which is ok, but did you revert back to the old insecure cipher-mode ocb2?

My Questions:
Which cipher mode is currently used in the official executable available on Joplin download page (ocb2 or ccm)
What key size is currently used? (256 or 128)


Thanks for reviewing this. I am curious to hear the answer !!

1 Like

We don't use deprecated encryption methods to encrypt new notes, however we leave the method in the code in case a user has old notes encrypted with that method.

So, what procedures should i take to ensure that all my notes are encrypted using secure methods?

I can imagine below list:

  1. Backup my notes to a JEX file
  2. Disable Synchronization
  3. Delete all remote notes
  4. Delete all local notes
  5. Disable Encryption
  6. Import my JEX file
  7. Enable Encryption (now all notes are new notes)
  8. Enable Synchronization (now all remote files are secure)

Am I missing something?

It's probably not necessary but to be sure you can go to the Encryption config screen then, under Advanced options, click "Reencrypt data". Please note that it means all your notes will be uploaded again to your sync target


Thanks for this nice feature. You saved me headache. :slight_smile:

Is there a way to check to see if you have any notes encrypted the "old way"? I'd rather not reencrypt everything if there is another way to go about ensuring the latest encryption is applied to all my notes.

1 Like

I agree - and maybe we should wait with re-encrypting until AES-256 is re-introduced and meant to stay. As far as I understand re-encryption at the current state means changing from AES-128 OCB2 to AES-128 CCM. I have no idea what the real gain in security would be, and I hope that there's people here who can help to clarify this issue.

I don't think there is. But honestly among the hundreds of notes I have there are some 10-20 for which encryption "might" matter. To each one of those I added one char (usually a blank at the end of the note), which guaranties that it is re-encrypted. About all the other notes ? let the malfaiteurs read them and enjoy them !!
My case of course, yours may be different.

I have no idea what the real gain in security would be, and I hope that there's people here who can help to clarify this issue.

Actually, encryption strength depends on some factors including but not limited to:

  • Algorithm (in this case it is AES)
  • Key Size (128 vs 256)
  • Encryption mode (OCB2 vs CCM)

There is nothing to say about algorithm since it is AES in either case.
For key sizes, i think that 128 is too strong. Yes 256 is stronger, but 128 is strong enough and is used everywhere due to its speed. Even my current HTTPS connection to this forum uses AES128.
For encryption mode, this is tricky. Since most of users do not know about it. Encryption mode can make strongest algorithm melt-down like butter.
OCB1, and OCB3 are safer than OCB2. CCM is safer, but slower. This is why people use OCB.

There are papers shows OCB2 weaknesses. One is written by Niels Ferguson a chief security in Microsoft.

1 Like

I added one char (usually a blank at the end of the note), which guaranties that it is re-encrypted

not sure if that is enough.
needs commitment from @laurent
Yes, it will re-encrypt, but it may use the old settings.

It would use the new settings in this case. When an encryption method is deprecated it is used only to read old encrypted data, it will never be used for encryption again.


Modifying individual notes does trigger re-encryption - IRC this has been discussed in other threads as a possible workaround. I wonder if changing the name of a notebook would have the same effect, i.e. re-enrypt all included notes (as all of them will have modified metadata if their folder's name is changed). If it works, it would be a more feasible workaround.

1 Like