I like others users would really like to see an encryption at rest. This feature is critically important to me. +1 for this feature.
In the meantime, I have read the previous thread and as a work around I have implemented the suggested solution- Use Joplin portable in a veracrypt container.
This seems to be working out well so far however I have one problem. When I backup my files, Joplin temporarily copies all files to a location on my unprotected c:\ drive.- somewhere in my Windows c:\users folder. upon completion ti then copies the files to the secure folder I have specified during the backup.
This creates two problems me:
The security of the data is compromised during backup as now every file has been copied out of the secure container.
My system drive is not that big and runs out of space during the backup. I first noticed then because new backups were smaller than the older ones and backing up started causing Windows explorer to crash (as the drive ran out of space). When I investigated I found out that all my files were sitting outside of the secure container.
My request is that Joplin portable use the path which is displayed in Options->General. I did notice that Joplin portable does create a tmp drive inside JoplinProfile however it doesn’t look like the backup process uses it.
Ultimately I would like to see full encryption at rest as it could potentially take care of this issue but in the meantime I would like to see Joplin use the tmp path it sets up inside the portable folder for backups.
Are there any other operations that could cause data leakage? For example, if I open up an attachment does joplin portable create a copy of the file to the same system temp folder rather than using profile temp folder? Does displaying inline images also copy data to the system temp, etc?
Thanks for the changes. I have been testing the new version and I believe a data leak situation still exists. Joplin still uses the system temp folder for regular running operations (other than the backup operation).
Would it make sense to have Joplin use the application tmp folder it creates in portable mode for regular operations?
I have tested it on Windows and Linux and Joplin uses the system temp folder on both. In Windows if the user is using portable mode with a secure container they would expect the data to stay safe inside the container. I looked at the temp folder and Joplin had leaked a lot of data to it.
On Linux, is is perhaps less of an issue because many distros map /tmp to /tmpfs so you are leaking data to volatile memory however it would still be best to keep the data going to the tmp folder that Joplin creates.
Perhaps a simple solution would be to add a configuration checkbox to the settings:
Use system temp or use application temp. Currently in the settings, general, Joplin reports “Notes and settings are stored in:”. This may be a good place to add it.
In portable mode in Windows it makes sense to use application temp. In Linux, I believe the user can use the --profile argument to install Joplin into a secure container or drive so this setting would make sense here as well but then the data is always leaked outside of the container and outside of the user’s control.
Of course, the ultimate solution would be to give Joplin an encryption at rest feature but until then, the security can be improved by keeping the temp data in a more controllable location.
+1 for keeping all data under folder where JopinPortable.exe resides (ie. use application tmp folder instead of system temp folder - or provide option to use app tmp folder, and have that as default.)
I also ended up creating a shortcut for JoplinPortable.exe, so I could pass in the command line parameter
I just found out that Joplin Portable stores application data including a lot of configuration in C:\Users\username\Application Data\Joplin by default. That defeats the purpose of using Joplin in a secure container.
Upon first run, Joplin Portable actually picked all the application data that were left there after uninstalling Desktop Joplin and was happily using them, including eg.: css styles.
There should be no traces of Joplin on the system left after runtime when using Portable version.
This clearly needs to be fixed, once someone finds time to focus on it.
I'm linking to a workaround posted in the upstream issue:
It uses Electron's app.setPath to override the userData directory. The Electron documentation states that .setPath can override paths accessible by .getPath. The paths readable by getPath include sessionData, temp, home, .... However, based on this comment, the application might still briefly attempt to access/create subfolders in the system Application Data folder.