
Totally confused re E2EE

I have Windows 10 and 2 iOS devices. I have E2EE enabled on Win10 to OneDrive per https://joplinapp.org/e2ee/. What is confusing in those instructions is step 5 never mentions enabling E2EE in the Joplin app on the subsequent devices.

When I go to the iOS devices I see a matching entry in the Encryption page and save the master key that I used on Windows10, yet I am always told via the orange bar on the iOS app to enter the encryption key. Why?

The notes come down from the Windows sync to OneDrive and are readable on the iOS devices… However, E2EE is not enabled on the iOS app. If I do enable encryption on iOS app I am forced to enter a password and even if I use the same password as the Windows password, it creates yet another key entry in the master key list.

I got so fed up with the iOS apps that I deleted them off both of the devices. I thought setting E2EE up would enable encryption from any of these 3 devices and they would use all the same key entry. I want to be able to create a new notebook on any device, have its contents encrypted with the same key for all devices, and be secure without having 3 different keys in the list plus a whole lot of empty keys from all my failed attempts to get this working.

Hello, and welcome to the forum. Sad to hear you’re having difficulties.

Yes, that’s how it should work.

Step 5 says this:

Once this first synchronisation operation is done, open the next device you are synchronising with. Click “Synchronise” and wait for the sync operation to complete. The device will receive the master key, and you will need to provide the password for it. At this point E2EE will be automatically enabled on this device. Once done, click Synchronise again and wait for it to complete.

It doesn’t mention enabling it on subsequent devices, because you needn’t do that.
I think what you should do is: enable it on the first device. Add a note, for example.

Then, according to step 5, set up your phone to use the same synchronization target (OneDrive in your case). Start synchronization and wait.

You should see ‘:key: Encrypted’ notes start popping up (if you have any notes, that is.)
Then just wait.
Eventually, one of the resources Joplin downloads from your folder will be the master key, encrypted with your password.
Once this happens, Joplin should prompt you for this password, you will just enter it (the same one you entered on your PC where you first set encryption up) and wait.

From then on, Joplin will use this master key to decrypt and encrypt all your passwords. No need to have multiple.

Hope this helps.

2 Likes
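An added illustration of the behaviour described in the reply above (not part of the thread, and not Joplin's code or key format): a simplified model in which enabling encryption mints a new random master key wrapped under the password, while a second device only unlocks the entry it received by sync. The function names, the PBKDF2 parameters and the XOR-pad wrapping are assumptions chosen to keep the sketch in the standard library.

```python
import hashlib
import hmac
import secrets

def _derive(password, salt):
    # 64 bytes from the password: 32 used as a wrapping pad, 32 as a MAC key.
    d = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return d[:32], d[32:]

def create_master_key(password):
    """Model of 'enable encryption': a NEW random key, wrapped under the password."""
    key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"id": secrets.token_hex(16), "salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_master_key(entry, password):
    """Model of 'enter the password for this key': returns the key, or None if wrong."""
    pad, mac_key = _derive(password, entry["salt"])
    expected = hmac.new(mac_key, entry["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(entry["wrapped"], pad))

def demo():
    password = "correct horse battery"   # constructed sample value
    sync_target = []                      # stands in for the shared sync folder

    # First device: encryption is enabled once, the wrapped key is synced.
    first = create_master_key(password)
    sync_target.append(first)
    key_on_first = unlock_master_key(first, password)

    # Second device, intended path: sync, then unlock the entry with the matching ID.
    received = next(e for e in sync_target if e["id"] == first["id"])
    key_on_second = unlock_master_key(received, password)

    # Second device, mistaken path: enable encryption again with the same password.
    extra = create_master_key(password)
    sync_target.append(extra)

    return {
        "same_key": key_on_second == key_on_first,
        "extra_is_different_key": unlock_master_key(extra, password) != key_on_first,
        "extra_has_new_id": extra["id"] != first["id"],
        "wrong_password": unlock_master_key(first, "not the password"),
        "keys_in_list": len(sync_target),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the password only unlocks a key; it never determines which key exists, which is why the key ID, not the password or the timestamp, identifies the entry to unlock.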

This is the issue I quickly run into too. One would expect you go and set up the same password everywhere but this is NOT what you should do - you should set the password just in ONE place and then sync everything and enter the password once the other clients complain that they don’t have it. This is even worse as you can’t clean up after adding a key: Delete E2EE Master Keys (well, unless you nuke everything on all clients and on the common cloud…).

Thanks for the help. Got the first iOS device to work properly. It shows that encryption is enabled. This is what is confusing since I was always seeing this banner before

I took this to mean that the outgoing new notes created on that iOS device were not being encrypted. Is this prompt showing up because there is an old not used Master key on the Windows machine that can not be deleted? Really feel that deletion of unused Master keys should be implemented so that newbies like me do not get confused by this banner on devices.

When I started with Joplin I did not realize that one just had to enter the password in the Master key whose first couple of characters on the iOS app matched the ID on the initial setup device (Windows). This is because I wound up having 6 old master keys on the initial set up device (Windows). In the frustration with setting up encryption on the iOS device, I also wound up with unused Masterkeys on there as well which in turn now show up on the Windows device. These iOS devices Masterkeys have a later timestamp so simply using timestamp on the key as a basis of which key is the currently active one is not always correct.

One really needs to stress the importance of key IDs. I think that the instructions on E2EE setup should make mention that the password only needs to be entered in the Masterkey whose ID matches the initial set up device.

Pull requests that clarify the doc are always welcome. For the key issues, it’s indeed a known problem which hopefully should be fixed some day.

1 Like

I tried to do so: