I store very sensitive data on Joplin. Sure, the traffic is encrypted, but that's thrown out the window when I have the application already open or have it closed when signed in on my PC or mobile device. If someone physically gains access to my hardware when I'm away then the encryption sync key no longer means anything. Also, other people can simply just open it and see it all. Other note or journal applications have some sort of PIN. I am completely unable to find any sort of way to add a PIN to the application on Windows or Linux. Please add this feature. Joplin is the best note application I have ever seen.
Given that you mention very sensitive data I think it’s worth emphasizing that adding a pin lock to Joplin would most likely just give you a false sense of security. Joplin stores everything un-encrypted on disk, that means that even if a pin prevented an attacker from using the application, they would still be able to read the notes directly from disk. The best solution for you is to follow @laurent’s advice and encrypt the application and its contents. This makes sure that your files are always secured up to the standard of whichever encryption software you choose.
The best is to encrypt your whole drive if you have sensitive data on it. Any app level encryption will never be as secure as disk level encryption anyway.
Disk encryption is very easy to enable these days and it will also protect your email, browser history, and any sensitive file you might have.
I did implement the encryption feature and I do use BitLocker to encrypt my hard drive. I found the local storage folder and I cannot see my notes in a recognizable form. That’s fine, but someone who gets access to my notebook while logged in, say a hacker, can just start Joplin and view the notes at will. A pin or login would prevent that. Admittedly, I would have other problems if that situation happened, but I’m just saying, layered security is best.
No, a hacker would open the file ~/.config/joplin-desktop/database.sqlite and thus have access to all notes. A PIN is U S E L E S S !!! How often do we have to explain this?
I clearly stated I used Joplin’s encryption feature to encrypt my notes. I opened the file you mentioned and I verified the notes aren’t readable. So a hacker would NOT have access to my notes through the file system. But a hacker COULD see the notes simply by opening Joplin. A pin or front-end login would prevent access and is NOT useless. I’ll say it again; the utter lack of front-end security in Joplin is a vulnerability and makes use of Joplin for sensitive data unacceptable. I only use it to keep a backup of my notes outside of Evernote in case their system fails. Don’t get me wrong, I think Joplin is terrific in every other way. I appreciate that Joplin accurately imported my notebooks and notes, is intuitive to use and mimics the Evernote look-and-feel. It’s too bad Joplin doesn’t go all the way and implement front-end security including 2FA as Evernote does.
Let’s close out this discussion, please. We both made our points.
We haven’t, because just because it is not an ascii file, doesn’t mean it is not clear text. The file is an sqlite3 database, which means you need to use sql commands to access the info.
sqlite3 ~/.config/joplin-desktop/database.sqlite "select * from notes" and you will see your notes.
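An added example, not part of the original thread or of Joplin's code: a read-only self-audit that shows why a file that looks like binary in a text editor is not necessarily encrypted, using Python's built-in sqlite3 module so no separate sqlite3 binary is needed. The `title` and `body` column names, the `container.bin` file and both sample files are assumptions constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of an unencrypted SQLite database file


def audit_profile_db(path):
    """Report what can be read from a profile database without any key."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    report = {"plain_sqlite": header == SQLITE_MAGIC, "notes_total": 0, "notes_readable": 0}
    if not report["plain_sqlite"]:
        return report  # opaque file, e.g. data kept inside an encrypted container
    # Open read-only through a file: URI so the audit cannot modify the profile.
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        # Assumed columns: title and body (only the notes table is named in the thread).
        rows = conn.execute("SELECT title, body FROM notes").fetchall()
    finally:
        conn.close()
    report["notes_total"] = len(rows)
    report["notes_readable"] = sum(1 for title, body in rows if title or body)
    return report


def build_samples(folder):
    """Constructed data: a plain database and an opaque blob of random bytes."""
    plain = os.path.join(folder, "database.sqlite")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE notes (id TEXT, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                     [("1", "constructed title", "constructed body"),
                      ("2", "", "")])
    conn.commit()
    conn.close()
    opaque = os.path.join(folder, "container.bin")
    with open(opaque, "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for ciphertext
    return plain, opaque


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        for sample in build_samples(folder):
            print(os.path.basename(sample), audit_profile_db(sample))
```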
I couldn’t get that command to run, sqlite3 isn’t recognized as a valid command. I searched my hard drive for it and found the .exe associated with other apps, but it’s otherwise not installed to run separately. I guess that’s one way to ensure the notes aren’t read. But if they are readable through SQL, then I concede the point and agree front-end security is pointless.
One option you might use would be to use Veracrypt to create a small folder/container for joplin then use the --profile option to open the database in the veracrypt container drive. You would need to remember to dismount the veracrypt drive, but it would secure your data while at rest on your computer.
Please pardon my confusion here. I’ve looked at the joplin encryption information but have not used it. This is certainly part of my confusion.
Are you saying that even if you use encryption the data is not encrypted when at rest? Or, are you saying that the encryption key is stored somewhere in the sql program so you do not enter a password to access the data and it is only meant to keep it safe while traveling or at rest on a remote server?
If it is encrypted, how can it be decrypted without a password?
I’m used to systems like Veracrypt or Keepass where without an encryption password you cannot open or view the database. Does the Joplin system simply store the password and not require it for access? If this is the case, couldn’t there be a checkbox which requests, “Do you want to be forced to enter a password whenever you open the database?” and simply not save it. For example, the Spideroak One backup program has a preference option, “Do you want to enter a password on program start?”
I’m not using encryption so I don’t know the specifics. What I know is that
- the data is encrypted on the sync target and during transfer (even without TLS)
- the data is decrypted locally
- you need to enter a passphrase to start the decryption process on the client
- the decrypted notes are stored in clear text on the client
How key management works and whether the passwords are cached locally or not, I do not know.
@laurent wrote the algorithm and I think the specifics are available here: https://joplinapp.org/e2ee/ and https://joplinapp.org/spec/
If someone, say a hacker, gets access to your machine while logged in they can see your private pictures, read your email, take your money and impersonate you. It’s pretty much game over and no user-space app can protect itself from its own user.
Now there might be a use-case for application-level protection, for example if you share your account with a co-worker or relative (keep in mind some OSes, especially the mobile ones aren’t really multi-user) and you don’t want them to stumble onto something they didn’t REALLY want to see, sure. But it’s not the use-case presented initially, it can’t be that you have sensitive info on your computer and you would lock your Joplin app but somehow you won’t lock your account.
Be sure that hacker knows to use
We should not assume that using, for example, 2 bits for a band reduces the dynamic range to 12 dB: ADPCM allows up to 96 dB of dynamic range to be used, even with 2 quantization bits, but only with a certain type of signal.
This is a quote from one of my notes copy/pasted from WordPad which I used to open database.sqlite. Sqlite is no security barrier.
By the way there’s usually another way beside full disk encryption to secure files on most OSes, for example in Ubuntu (and other *nix-es) you can encrypt your home directory (I think it’s an option in the install wizard but can be configured afterwards too, it’s done with eCryptfs or encfs behind the scenes) or in Windows you can use EFS (just click “encrypt content to secure data” in Explorer for joplin-desktop folder). It isn’t as secure as full disk encryption but if you use a decent password for your user it should be good enough in case the laptop gets stolen or you need to send the hard drive for warranty.
Ahh, thanks. That explains it. The end to end encryption is meant only for security on the shared server and is not meant to provide any local security. Dropbox, onedrive, etc. employees have no access to your data, but no protection is provided locally.
So, if we were to need security with our notes, then we must provide it ourselves with encrypted drives or tools like Veracrypt’s encrypted volumes.
Right, all OS come with FDE these days, so adding local encryption to an app is mostly a waste of resources. And for the paranoid there are other tools, like the ones you have mentioned, which can be used to encrypt the data additionally to the full disk encryption.
Personally I don’t see an advantage in adding local encryption to an app, but I guess others don’t see it that way. (I’m not talking about plausible deniability or special use cases though.)
I have a use-case like this: Since, at least hypothetically, my employer could tell me to hand over the company computer, I don’t want my notes to be readable there. On principle.
The solution wasn’t that difficult: we’ve asked Laurent nicely, he published a portable version, which I’m now running from a bitlockered USB drive. When I leave work, I can just unplug the drive, problem solved.
I get that. But in my case, it was a requirement by the employer to use Full Disk Encryption. I set it up that the employer did not have any recovery keys. Besides that, I always wipe the hard disk/SSD (additionally to the FDE) before handing over a machine.
Yep, but there’s no portable for macOS. But it matters not. It’s not that complicated to use an encrypted container and symbolic links…
There’s no way to have your cake and eat it, if you don’t want your employer to be able to read your notes don’t put the thing on their computer, there’s no way around it. And now is simpler than ever, almost anybody can afford some sort of computing device without having to rely on the corporate PC. Now if you actually trust company’s PC, as in you have full control over it you can do not only FDE but also EFS (in Windows - just click the “encrypt” property for Joplin’s folder) or similar in other OSes.
My 2c tip:
Running veracrypt encrypted disk by me on company notebook with disk encrypted by company.
If the company reuses my notebook (even if I have no time to clean it up) there will be just a big video.avi file available on the filesystem.