I investigated Joplin but still have a couple of questions.
There was a discussion on Reddit where it was mentioned that Joplin stores the password in plaintext format in the SQLite database, and relies on OS encryption instead. Is this true? AFAIK Windows 10 Home doesn't even provide encryption.
Can the default location of the database in Windows be changed? I find that Joplin portable takes too long to start up when placed in Veracrypt container. The default install to C drive is fast but I don’t seem to have any control over database location.
When syncing to Dropbox or OneDrive, isn't the database encrypted both in transit and at rest? So I assume it's also encrypted in the Dropbox folder in Windows? Can't Joplin just use this encrypted data file?
The data is stored in an SQLite file so if someone has access to your computer they can indeed extract the password if they know where to look.
Note that it's true of many programs - if someone has unrestricted access to your computer, they can probably check your emails, impersonate you at your bank, change your passwords on various services, etc. Even if Joplin was encrypting the password, it would still have to be plain text in memory (to allow sync without asking for the password every time), so someone could still get it from there. There's just no simple solution to this problem, which is why it's currently not implemented.
You can start the executable with the --profile option followed by the path to the profile dir. For example, joplin.exe --profile e:\encrypted_container\joplin. Or you can use the portable version and put it directly on the encrypted container.
It's encrypted in transit and on the sync target. Locally, in the SQLite database, it's decrypted.
For people still referring to this thread, if you are using Windows and want to move the database to a NAS (for example if your NAS is encrypted and you want your Joplin files to be encrypted as well), you would need to create a symbolic link.
For example, create a folder in the NAS called something like "Joplin", then open the command prompt as an administrator, and type mklink /D C:\Data\LinkToNASJoplin "\\[NAS Server Name]\Joplin". I tried to use my mapped drive letter instead of the server name but couldn't get it to work. Also, a /J link didn't work, only a /D link worked. Note also that C:\Data\LinkToNASJoplin should not exist yet; it will be made by the command you just entered, while the folder name in your NAS should be created before you run the command. If it worked, it will then say something like "symbolic link created for C:\Data\LinkToNASJoplin <<===>> \\[NAS Server Name]\Joplin".
Then when you want to open Joplin, you would open the command prompt as an administrator, navigate to the folder where the Joplin application is saved, for example by typing cd "C:\Program Files\Joplin", and then type joplin.exe --profile C:\Data\LinkToNASJoplin
If you don't want to use the command line to open the application each time, and you want the default Joplin profile database and files to be on your NAS: Joplin is going to look for the profile data at C:\Users\[User Name]\.config\joplin-desktop. If that folder (or a symbolic link with the same name) is empty, Joplin will create a new set of profile files there. So you would need to replace that folder with a link. First rename or delete that folder. Close Joplin if it isn't already. Next open the command prompt with administrative permissions and then enter mklink /D C:\Users\[User Name]\.config\joplin-desktop "\\[Server Name]\Joplin\joplin-desktop"
If that all worked, then the next time you open the Joplin app it will install a new database, settings and files in the NAS folder.
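The relocation procedure from the post above, written out as a PowerShell script that adds the checks a practitioner would want before replacing the profile folder. This is an added example, not code from the poster or from the Joplin project. The share name \\NAS01\Joplin\joplin-desktop, the install path C:\Program Files\Joplin\Joplin.exe and the default profile location under $env:USERPROFILE\.config\joplin-desktop are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original thread): replace the default Joplin profile folder
# with a directory symbolic link pointing at a NAS share, verify the link, then start Joplin.
# Assumed values: the UNC share below, the install path, and the default profile location.

#Requires -RunAsAdministrator   # creating a directory symlink needs an elevated session (or Developer Mode)

$Share      = '\\NAS01\Joplin\joplin-desktop'                        # assumed NAS folder; create it on the NAS first
$ProfileDir = Join-Path $env:USERPROFILE '.config\joplin-desktop'   # Joplin's default profile directory
$JoplinExe  = 'C:\Program Files\Joplin\Joplin.exe'                  # assumed install location

# 1. Use the UNC path, not a mapped drive letter: drive mappings made in the normal session are
#    generally not visible to an elevated one, which is the usual reason the letter "does not work".
if (-not (Test-Path -LiteralPath $Share -PathType Container)) {
    throw "NAS folder '$Share' does not exist or is not reachable. Create it before running this script."
}

# 2. Joplin must be closed so it does not keep writing to the folder we are about to move aside.
if (Get-Process -Name Joplin -ErrorAction SilentlyContinue) {
    throw "Close Joplin before relocating its profile."
}

# 3. If a real profile folder already exists, rename it instead of deleting it, so nothing is lost.
if (Test-Path -LiteralPath $ProfileDir) {
    $existing = Get-Item -LiteralPath $ProfileDir -Force
    if ($existing.LinkType -eq 'SymbolicLink') {
        Write-Host "'$ProfileDir' is already a symbolic link; leaving it in place."
    } else {
        $backupName = "joplin-desktop.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
        Rename-Item -LiteralPath $ProfileDir -NewName $backupName
        Write-Host "Existing profile renamed to '$backupName'. Copy its contents into '$Share' to keep your notes."
    }
}

# 4. Create the directory symbolic link. This is the PowerShell equivalent of:
#       mklink /D "<profile dir>" "<UNC share>"
if (-not (Test-Path -LiteralPath $ProfileDir)) {
    New-Item -ItemType SymbolicLink -Path $ProfileDir -Target $Share | Out-Null
}

# 5. Verify that the path is now a symbolic link and show where it resolves to before trusting it.
$link = Get-Item -LiteralPath $ProfileDir -Force
if ($link.LinkType -ne 'SymbolicLink') {
    throw "'$ProfileDir' is not a symbolic link; the relocation did not take effect."
}
Write-Host "OK: '$ProfileDir' -> $($link.Target)"

# 6. Start Joplin. Passing --profile is redundant once the default folder is the link,
#    but it makes the intended location explicit and matches the manual command in the post.
Start-Process -FilePath $JoplinExe -ArgumentList "--profile `"$ProfileDir`""
```

Run the script once from an elevated PowerShell prompt; afterwards Joplin can be started normally from the Start menu, because the default profile path now resolves to the share. One caveat worth knowing: the profile contains an SQLite database, and SQLite's own documentation advises against keeping database files on network file systems because file locking over SMB/NFS is unreliable. If you see database errors or corruption, the VeraCrypt container or --profile on a local encrypted volume (as suggested earlier in the thread) is the safer option.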