Securing local data with tomb on linux machines

Hello there,

I don't want to reinvigorate a hot topic about at rest encryption of Joplin's local database as it's been discussed many times in many posts (now closed). Joplin has passed several security audits, the consensus is: a computer can always be stolen, you should encrypt your hard drive if you feel the need and want to be safe. That is indeed the best practice.

Instead I'm going to share the additional measure I've been taking to secure my Joplin data (on my linux systems).

So far I've been using veracrypt (a maintained secure version of the "dead in mysterious way" TrueCrypt). The idea is very simple: Veracrypt allows me to manage an encrypted container that stores my Joplin's data (which are normally located in ~/.config/joplin-desktop on linux machines).

Then I've created an app launcher (appimagekit-joplin.desktop in ~/.local/share/applications) using the following Exec line:

Exec=/home/<your user name>/.joplin/Joplin.AppImage --profile /media/veracrypt1/joplin-desktop

This should be rather self explanatory: I launch Joplin telling it where to get its data from (i.e. my container rather than Joplin's default directory).

This works fine on Linux and I suppose could work as well on MS Windows machines in some way as Veracrypt is cross-platform (or you may use any other similar tool).

Obviously the downside is that anytime you want to launch Joplin you first need to mount your encrypted container. Hell, security comes at a price, I got used to it. I'm paranoid enough to come up with such a process, opening an encrypted container before launching Joplin is a small price to pay. Also using a container makes your data (secure indeed and) portable if you can't sync for whatever reason.

Now I've discovered tomb. The principle remains the same (encrypted container) but it's a very neat tool.

No need for a 3rd party application anymore, tomb is just a "simple" zsh script (thus you can always read it if you feel the urge) that uses proven standard native GNU-linux tools (gnupg, cryptsetup, luks).

Tomb also comes with a couple extra features that I find absolutely brilliant and love:

  1. You can bind mount the encrypted container automatically (when opening it) anywhere in your home directory. No need to pass a --profile when launching Joplin anymore. I can make tomb bind /media/<whatever>/joplin-desktop to ~/.config/joplin-desktop seamlessly.
  2. Tomb allows you to hide your encryption key in any image using steganography. Thus the private key (which is also password protected) to open the tomb can be any image on your machine (makes it much harder to break your encrypted container if your key can't be found easily - and you shouldn't have your key and your container on the same machine in theory ... plus you need the password :) ).
  3. Tomb is also super fun to use and very "halloweeny" in its communications: tomb (*) Tomb [joplin] closed: your bones will rest in peace.

That is it. Again the purpose of this post isn't to discuss at rest encryption necessity, but rather to share what measure I decided to take. I'm considering using tomb to secure other directories like .gnupg which is yet another perfect candidate :)

Have a lovely week-end.
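
Added example, not part of the original post: with the bind mount from point 1, starting Joplin while the tomb is closed makes it use the plain ~/.config/joplin-desktop directory on the unencrypted disk. This launcher guard checks the mount table first; the `/dev/mapper/tomb.` device prefix, the user `alice` and the sample mount lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to start Joplin unless its profile directory is a
# bind mount backed by an open tomb.

# profile_on_tomb DIR [MOUNTINFO] [DEV_PREFIX]
# Succeeds only if the topmost mount at DIR comes from a device whose path
# starts with DEV_PREFIX. The default prefix is an assumption about how
# tomb names its device-mapper nodes; check `findmnt` on your own system.
profile_on_tomb() {
    awk -v dir="$1" -v prefix="${3:-/dev/mapper/tomb.}" '
        $5 == dir {                      # field 5 = mount point
            src = ""
            for (i = 7; i <= NF; i++)    # optional fields end at "-"
                if ($i == "-") { src = $(i + 2); break }
            found = (index(src, prefix) == 1)   # later lines shadow earlier
        }
        END { exit (found ? 0 : 1) }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample in /proc/self/mountinfo format (not real output):
# root fs, an open tomb, and its bind mount onto the Joplin profile.
sample_mountinfo() {
    cat <<'EOF'
25 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
98 25 253:0 / /media/joplin rw,nodev,noatime shared:50 - ext4 /dev/mapper/tomb.joplin.sample.loop0 rw
99 25 253:0 /joplin-desktop /home/alice/.config/joplin-desktop rw,nodev,noatime shared:50 - ext4 /dev/mapper/tomb.joplin.sample.loop0 rw
EOF
}

launch_joplin() {
    profile="$HOME/.config/joplin-desktop"
    if profile_on_tomb "$profile"; then
        exec "$HOME/.joplin/Joplin.AppImage"   # path taken from the post
    fi
    echo "Tomb is closed: $profile is not on the encrypted volume." >&2
    return 1
}

# Run as a launcher only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--launch" ]; then launch_joplin; fi
```

Pointing the Exec line of the .desktop launcher at this script with `--launch` keeps a closed tomb from turning into a silent plaintext profile.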


I don't understand, if you do what you preach, your whole drive is encrypted. So why encrypt Joplin's data twice?

LOL fair enough.

Indeed you're correct, but I can think of a few reasons why I'd go with belt and suspenders.

First, not everybody follows the best practices. As the topic of at-rest encryption has been quite debated (including by myself) I doubt everybody takes this precautionary measure (i.e. whole disk encryption). Thus I felt like sharing another way to protect Joplin's data especially as VeraCrypt is often mentioned as the "go to" solution. I felt tomb could be a nice(r) alternative.

Then, I like my data to be portable and potentially available offline. An encrypted container is a good way to make this possible.

Finally for backup purposes. Even though I use encrypted zero-knowledge cloud solutions I always back up my data in an encrypted format whenever possible. You may think it's overkill, but I'm crazy like that :)

Anyway it's just a tip or a howto if you wish, it's up to you to do it or not.

Update: I forgot a very important point indeed, maybe the most important one. On many systems, full disk encryption is only possible during the installation process but not later on. I don't know many computers sold with an encrypted hard drive. Even I only reinstall from scratch once in a while. Some other systems may not be powerful enough to support encryption seamlessly (I have a bunch of Raspberry Pi that aren't encrypted for instance). Long story short I believe most people actually don't have an encrypted hard-drive.