Joplin Portable: Security Risk?

In the folder "Joplin" which is created by the portable version in Window's AppData directory (regardless where it's started from) there's a text file called "Local State". It contains a hash of the user's encryption password in the entry "encrypted_key". Is this a potential security risk?

This is in line with another thread posted two weeks ago, but I think it's worthwhile to open a new one for this issue.

We don't save anything in that folder so it's probably something else. Electron may save some data but it won't be Joplin data such as notes or keys

Thanks for clarification! Maybe someone acquainted with the way Electron interacts with Windows' AppData\Roaming folder can explain the sole content of the Local State file:

{"os_crypt":{"audit_enabled":true,"encrypted_key":" "}}

At the end of the expression I've deleted a long combination of digits and characters which looked like a hash to me. I can confirm that neither the "@Joplin" folder nor the "Joplin" folder contained in the directory cited above have anything to do with note data. They seem to reside on the hard disk even weeks after having started Joplin Portable from a thumbdrive, however, so it may be a good idea to delete them manually after every use.

what would I have to search for, to find that File/data? I don’t get it…

The complete path and file name is as follows:

C:\Users\User\AppData\Roaming\Joplin\Local State

This is a hidden folder, but can be accessed fast by using the shortcut Windows-R and typing %AppData%.

1 Like

I did some research on Electron's os_crypt, but I'm still not sure what the encrypted_key in Joplin Portable's AppData is good for and if it's potentially dangerous to be permanently stored there (if not deleted manually):

https://stackoverflow.com/questions/72951071/is-electrons-safestorage-for-passwords-and-login-credentials

@laurent is absolutely right about Electron's affinity with the AppData\Roaming folder: In one of the Windows machines which I rarely use I discovered that Evernote (haven't used it for years) put some kind of cache there almost 1 GB in size.

Joplin is much better in this particular respect, but it still puzzles me what's going on in that Local State file with its hash value representing some kind of "encrypted_key".

The "encrypted_key" value is just Base64 encoded. When decoded it produces data that starts "DPAPI" and contains the string "Chromium". An unencoded version from a test virtual machine is shown below.

According to Wikipedia the Data Protection Application Programming Interface (DPAPI) is a cryptographic application programming interface available as a built-in component in Microsoft Windows.

Joplin is built using the Electron framework which uses a version of the Chromium browser engine.

From what I can gather, Chromium (the actual browser) protects any web-site usernames and passwords the user wishes it to store by encrypting them. It does this using AES and by generating a key and using the DPAPI to protect it. It seems that the DPAPI uses information Windows holds about the logged in user to protect the key so only the logged on user can use it. So it looks like the data that starts DPAPI (and was Base64 encoded) is not the key itself but a version encrypted using the DPAPI.

The key data is stored in a "Local State" file somewhere in %AppData%\Roaming so that if roaming profiles are being used the "Local State" file is accessible by the user on other machines.

From what I can tell this "Local State" file you have found is there because Joplin / Electron uses Chromium. But, as Joplin is not being used as a web-browser and Chromium is only being used to render the application, the user is not visiting web-sites and being presented with an option to remember site login details. So this appears to be an unused Chromium artefact created just because Electron uses the Chromium browser engine.

I am in no way an expert on this subject, in fact I do not even qualify for amateur status! I just looked into it to reassure myself and decided to share what I pieced together. If a knowledgeable person knows better please let us know. For now I am happy that this is just an Electron / Chromium artefact and not something that Joplin itself is using.

4 Likes

Just to be sure I've also checked what the keytar library is doing behind the scenes - it's the library we use to save secrets such as passwords and keys. What they say is this:

On macOS the passwords are managed by the Keychain, on Linux they are managed by the Secret Service API/libsecret, and on Windows they are managed by Credential Vault.

So basically it will always be to the system keychain, they make no mention for example of using the Chromium secret store API. Additionally, when using the portable app we don't use keytar and save the secrets to the portable profile so that nothing is left in the system keychain. (By the way this is one of the reasons you should always encrypt your portable drive)

2 Likes

Thanks again for further clarification, @laurent and @dpoulton ! The fact that users should safeguard their storage location (portable or not) is well documented. Maybe we should advise users of the portable version about cleaning up their temporary files as well. In contrast to Evernote (which is of course based on Electron, too), these files don‘t seem to contain anything worthwhile protecting. It‘s just the fact that you‘re leaving some sort of trace there, but that has already been discussed in other threads.

I did not delve into this, but it seems that it could be easily solved if "JoplinPortable.exe" was a proper "portable" app (as described in https://discourse.joplinapp.org/t/problems-with-joplin-portable and https://discourse.joplinapp.org/t/joplin-portable-should-have-everything-in-the-same-place)