Each note, notebook, tags, as well as the relation between items is transmitted as plain text files during synchronisation, which means the data can also be moved to a different application, can be easily backed up, inspected, etc.
Does this mean that synchronisation is done in unencrypted format?
For example, if I configured sync with Google Drive/OneDrive etc.,
- Would my cloud storage provider be able to see the notes
- Would anyone else be able to see the notes other than me e.g. via a MITM attack?
Regards
@mkhalila welcome to the forum
It all depends on how you have set up sync and Joplin.
Simple Summary
Sync to cloud storage using http (if your provider’s or your self hosted server only uses http over the Internet you should not use it)
- Plain text notes are sent unencrypted over the Internet and stored unencrypted on the cloud server.
- Someone capturing your network traffic could record the packets containing your note data being sent / received in plain text.
- Technically your cloud storage provider could see your plain-text note data.
Sync to cloud storage using https (default for Google / OneDrive)
- Plain text notes are sent https encrypted over the Internet and stored unencrypted on the cloud server.
- Someone capturing your network traffic could record the packets containing your note data being sent / received but they would be https encrypted.
- Technically your cloud storage provider could see your plain-text note data.
Sync to cloud storage using https with Joplin end-to-end encryption (E2EE) activated
- Joplin encrypts / decrypts your notes as part of the sync process
- Joplin encrypted (E2EE) notes are sent further encrypted (https) over the Internet and stored Joplin encrypted (E2EE) on the cloud server.
- Someone capturing your network traffic could record the packets containing your notes being sent / received but they would be https encrypted and Joplin encrypted (E2EE).
- Technically your cloud storage provider could see your note data but it would be Joplin (E2EE) encrypted.
Please see:
https://joplinapp.org/#encryption
https://joplinapp.org/e2ee/
Im using the method mentioned above. in my local folder I have jpg, png, etc and .crypted files. But in the sync target I only have .md files. Shouldnt there be any .crypted files , too?
I think you'll find that the encrypted attachment files are stored in the resources folder on your sync target but without any extension.
For instance, I have a GIF file in my local resources folder:
003a6c3fc1784309ad7514b537ab2ed5.gif
Because I also use E2EE, in that same folder there is also a file called:
003a6c3fc1784309ad7514b537ab2ed5.crypted
On my sync target in the Joplin root folder there is
003a6c3fc1784309ad7514b537ab2ed5.md
which appears to be metadata for the encrypted file (which I assume is an exported record from my local database), and in the sync target's resources folder there is:
003a6c3fc1784309ad7514b537ab2ed5
which appears to be the same encrypted content as 003a6c3fc1784309ad7514b537ab2ed5.crypted