New feature : request password at startup

I want to prevent someone to spy on my notes...
(when computer is lost or stolen)

today, if you are on my computer and launch Joplin, you can access all my notes!!!
(even if notes are encrypted)
gosh!

@gilluc welcome to the forum.

Password protection is mentioned in the Joplin FAQ.

Also, if you search this forum you will see that it has been discussed before. A lot!

If you want to secure your local data you might want to have a look at this post

Hey there.
I'm obsewing discussions for this topic for a some time and just can't get one point.
What is the problem with implementing of the asked options?
If E2EE is engaged than the notes data is stored locally in encrypted form. Right?
Master password is stored locally in some ecrypted form too.
So, the only thing people are asking is to not save master password and to add an option of showing a plain simple password input dialog at Joplin's startup.
Will Hell come crashing down on Earth if such a naturally expected option becomes a reality?
Regards.

No, that isn't what E2EE is. E2EE only relates to encryption during transit.

To the best of my knowledge the current state of this is that the feature enhancement issue is still open and the FAQ still states:

There is however an issue open about it, so pull requests are welcome: [Feature request] Password or pin protection · Issue #289 · laurent22/joplin · GitHub

From what I can see it doesn't seem like anybody has been bothered by this enough to submit a PR for it.

I have no reason not to trust you. But... what then we see inside *.md files? They contain an encrypted text, not a plain text. Is this some other encryption, which is not involved into E2EE and not related to the master password?
For example:

id: 08f2c429f3b34daab4fa3d485e577f6f
mime:
filename:
created_time:
updated_time: 2021-07-24T17:31:30.323Z
user_created_time:
user_updated_time:
file_extension:
encryption_cipher_text: JED0100002205f0235f9dad834b5eac6d799ea82033e4000328{"iv":"bWS0zxvtN/j+CiiaC+Ke+A==","v":1,"iter":101,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"puHMuihIgdU=","ct":"lvKy7m2EXNFI/hU1Zf/Q+kF3ilyQk5qHZ/tgVFjbPeNS0HjqJT7htHhC8o3QxjsqwJHaceDeQsCtvWox+nmkfUS5oluJWBrqmR9xR3iJMauF8VSWXwzX5bPC5p6IWlkl+kOaQokPu3VDISWBPMNL6tJOwFCtc+ZO5aZqJyL8zuJj+buBDHZgoXr2G4qbxOkBuwI4

The .md files aren't your local notes, they are the notes in their transit state so are therefore encrypted.
Those files are processed by the Joplin clients, decrypted and their data stored within the local sqlite database.
Unless using the local file sync option they shouldn't really be on your system at all - for example I have my clients sync'd with NextCloud and the only place those .md files exist are on my NextCloud server (i.e. in transit) as I don't have my sync target dir set to sync locally to my machines; Joplin accesses the NextCloud instance directly.

Oops... My bad.
I was looking into a wrong place.
I was looking in [userprofile]\AppData\Roaming\Joplin\ folder which contains preferences and cache data and in the Dropbox sync folder. But "raw" notes and attachments are stored in [userprofile]\.config\joplin-desktop\ which is pretty unexpected on Windows.
Thank you for clarifying the matter.

Pity that there is no possible easy way to achieve the desired behaviour. Well... This has been disqussed many times...

Regards.

Welcome to the forum!

Making strong (over the top?) statements aren't how things get done in an open source project. If anything, they will turn people off from working with you (although I appreciate the patience of those who have responded to you),

My experience watching projects like joplin is that everyone thinks that the feature they want is "natural", "obvious" etc.

Also, if access to data has to be implemented at the "application-level" then a lot of other data is in the open too.

Better to have an account at the "operating system level" and have your disc encrypted in its entirety.

If it gets stolen, booting it up wont give access. And when they unplug your harddrive and plug it in another PC they cant read it.

Thank you Joël.

I don't use Joplin anymore.

I have to point out that keepass and aegis and ... are asking for password at startup. So they are wrong ??

IMHO the interesting part of this recurring discussion about PINs at the start and encryption is the following:

The people that ask for a function to lock Joplin by a PIN are always intending to have some additional security level for their notes on their device. And the questioners are users with little or no technical background mostly.

Most people answering to those questions here seem to come from the technical educated part of the community. And the answer is often the same: Encrypt your device or find a good password for the whole device, that’s the best solution to have it safe.

I’m reading here for some months, also backwards in time, and I have not found any other topic, that has been raised so many times.

Here is my view on that:
The answers are correct, but it seems to me that they do not solve the questions. People simply have different views on how to use their devices. As the asking people often allow family members or friends to use their devices occasionally (or any other colleague or boss), IT-professionals do not like do that or do not have to do that.

So for the first group it is consistent to try to keep some information on their device hidden or blocked for other users of the same device. For the second group, that is unnecessary. So the solution of the second group doesn’t fit the needs of the first group. And they won’t ever match as long as we do not cross that ditch.

I bet, this is a typical thing with open source projects that are also used by people that are not part of the community with a more technical background.

No they are not wrong.

But in the case of theft, better to have your complete device locked/encrypted then ONLY the apps themselves.

Exactly.

I very much recognize the importance of actual encryption in protecting my data, and I have such protections on my devices, but it would be nice to seal away that final doubt that somebody might view my notes accidentally or intentionally.

The people that ask for a function to lock Joplin by a PIN are always intending to have some additional security level for their notes on their device. And the questioners are users with little or no technical background mostly.

Most people answering to those questions here seem to come from the technical educated part of the community. And the answer is often the same: Encrypt your device or find a good password for the whole device, that’s the best solution to have it safe.

I’m reading here for some months, also backwards in time, and I have not found any other topic, that has been raised so many times.

Here is my view on that:
The answers are correct, but it seems to me that they do not solve the questions. People simply have different views on how to use their devices. As the asking people often allow family members or friends to use their devices occasionally (or any other colleague or boss), IT-professionals do not like do that or do not have to do that.

So for the first group it is consistent to try to keep some information on their device hidden or blocked for other users of the same device. For the second group, that is unnecessary. So the solution of the second group doesn’t fit the needs of the first group. And they won’t ever match as long as we do not cross that ditch.

The problem - as often with open-source projects - is, that this software is written and maintained by people with a lot of background knowledge, who know how to protect their data and devices and who are confident in a bit more complicated procedures to provide good security.

What those users unfortunately often lack of is enough understanding for users who don't have their background knowledge. My strong impression is that experienced users often have a kind of attidude like: "c'mon, pull yourself together and just DO those simple steps...", being totyally unaware of the fact that steps, which are pretty eays for them, can be a major obstacle for less experienced users.

I understand the reaction and the strong words of Kirr. It's really hard to understand why in an open source project people spend so much time with explaining why they don't want to implement a certain feature, instead of simply helping those who request ist. This is also a matter of respect: It's not respectful to permanently not recognize the needs of less experienced users or those who simply do not want to do things the way suggested. It's not respectful to exclude people who have a different approach or simply different needs, where the suggested solutions would simpy be way over the top.

So here's my question: Does it really take so much effort to implement pin or password protection into joplin that it's too much asked to have it? Or are we talking about a philosophical question of how to handle data security where those who work on joplin have such a strong opinion on how to do things that they are simply not open for alternatives? If wimvan is right, and this topic has been raised very often in the past, what keeps those who work on joplin from simply serving the community of users by helping those who would highly appreciate this feature instead of trying to "educate" them to do things like they do it, no matter if that approach is appropriate and/or helpful in the setting of those who aks for this feature?

EDIT: No, a pin/password does not provide "perfect" security. It's a pretty low-end approach. Nevertheless this low-end-approach works in at least 95% of all real-world scenarios to keep people out of one's private notes.

It hasn't been ruled out by any means, as I stated before the status of it is that the feature enhancement issue is still open and PRs are accepted but nobody seems interested in developing the feature.

People seem to forget we aren't a giant corporation, it's just volunteers.

Okay I was able to solve this pretty easily on Windows by using BitLocker and a bit of cmd/ps magic and it's completely seamless.
You run it, it asks for a password to unlock, then re-locks once you close the app.

Here's how I did it.

• Make a folder somewhere that will hold the encrypted Joplin data and launch scripts, let's call it JoplinPrivate

• Go to Windows disk management, right side panel - more actions and create a new virtual drive of say 128GB. Make it VHDX with dynamic size expansion. And let's call it JoplinPrivate\JoplinEncrypted.vhdx

• Initialize the virtual drive to GPT and format to NTFS.

• Don't assign any letter but assign a NTFS path to an empty folder JoplinPrivate\JoplinDecrypted

• Go to BitLocker tool, find the drive and encrypt it with a password or pin of your choice. You have to save the recovery keys and then can dispose of them.

• Add a new bat file JoplinPrivate\JoplinPrivate.bat that looks like this

@echo off
SET batchdir=%~dp0
"%batchdir%JoplinEncrypted.vhdx" && (TIMEOUT 5)
cls
manage-bde -unlock "%batchdir%JoplinDecrypted" -password
powershell -ExecutionPolicy Bypass -window hidden -command "%batchdir%JoplinPrivateLaunch.bat"

This file tries to mount the vhdx if not yet mounted (this may show an error the first time after reboot but it's fine). Then asks you for a password (this window must be visible) and then launches second invisible part with app and relock.

• Add a second bat file JoplinPrivate\JoplinPrivateLaunch.bat that looks like this

@echo off
SET batchdir=%~dp0
"C:\Program Files\Joplin\Joplin.exe"  --profile %batchdir%JoplinDecrypted\data
manage-bde -lock "%batchdir%JoplinDecrypted" -forcedismount

This file starts in a hidden console and launches your installed Joplin but directs it to an alternative data storage. This way you can use Joplin as usual for non-sensitive notes but have a second instance that is fully encrypted and private. Once Joplin stops it will auto-lock the encrypted drive.

• Now make a shortcut to JoplinPrivate\JoplinPrivate.bat and place it anywhere.

• Edit its properties, use the second button at the bottom to set the icon to Joplin.exe and the third button will make it always run as administrator (that is required to unlock/lock a drive).

• Run it and disable minimize to tray in Joplin settings so that it can auto-lock properly once closed.

• Done

Of course you can make multiple instances like this in extra folders. Be aware that browser plugin will need to re-authorize every time you switch from one Joplin instance to another.

It's not just a question of "effort"; and yes, perhaps it is a philosophical question in that it just does not make any sense to construct security on an application level; that is a task for the OS to handle. Otherwise you'll end up with a zoo of security features, some more coherent, some less, all aiming to make "their" application safe.
By the way, there is a very similar discussion going on in forums for gnucash where users have asked for app-based security features (to no avail)

From a software architecture pov you are not to do this

Instead, if you are very security conscious: use bitlocker or something similar as has been suggested, spurn the cloud, but leave the security where it belongs. (As a (possibly flawed) analogy: you wouldn't secure your living room but rather make sure the entrance to your house is secure ...)

Support! The security problem of the operating system or application program raised by the author is based on the situation that the computer is not public. In addition, there may be some sensitive information in the notes that you don't want to make public, so please also consider implementing this function. Thank you.