I don't want to reinvigorate a hot topic about at rest encryption of Joplin's local database as it's been discussed many times in many posts (now closed). Joplin has passed several security audits, the consensus is: a computer can always been stolen, you should encrypt your hard drive if you feel the need and want to be safe. That is indeed the best practice.
Instead I'm going to share the additional measure I've been taking to secure my Joplin data (on my linux systems).
So far I've been using veracrypt (a maintained secure version of the "dead in mysterious way" TrueCrypt). The idea is very simple: Veracrypt allows me to manage an encrypted container that stores my Joplin's data (which are normally located in
~/.config/joplin-desktop on linux machines).
Then I've created an app launcher (
~/.local/share/applications) using the following
Exec=/home/<your user name>/.joplin/Joplin.AppImage --profile /media/veracrypt1/joplin-desktop
This should be rather self explanatory: I launch Joplin telling it where to get its data from (i.e. my container rather than Joplin's default directory).
This works fine on Linux and I suppose could work as well on MS Windows machines in some way as Veracrypt is cross-platform (or you may use any other similar tool).
Obviously the downside is that anytime you want to launch Joplin you first need to mount your encrypted container. Hell security comes at a price, I got used to it. I'm paranoid enough to come up with such a process, opening an encrypted container before launching Joplin is a small price to pay. Also using a container makes your data (secure indeed and) portable if you can't sync for whatever reason.
Now I've discovered tomb. The principle remains the same (encrypted container) but it's a very neat tool.
No need for a 3rd party application anymore, tomb is just a "simple"
zsh script (thus you can always read it if you feel the urge) that uses proven standard native GNU-linux tools (
Tomb also comes with a couple extra features that I find absolutely brilliant and love:
- You can bind mount the encrypted container automatically (when opening it) anywhere in your home directory. No need to pass a
--profilewhen launching Joplin anymore. I can make tomb bind
- Tomb allows you to hide your encryption key in any image using steganography. Thus the private key (which is also password protected) to open the tomb can be any image on your machine (makes it much harder to break your encrypted container if your key can't be found easily - and you shouldn't have your key and your container on the same machine in theory ... plus you need the password ).
- Tomb is also super fun to use and very "halloweeny" in its communications:
tomb (*) Tomb [joplin] closed: your bones will rest in peace.
That is it. Again the purpose of this post isn't to discuss at rest encryption necessity, but rather to share what measure I decided to take. I'm considering using tomb to secure other directories like
.gnupg which is yet another perfect candidate
Have a lovely week-end.