VeraCrypt encryption of Joplin profile

Joplin 2.11.11 - Windows 11

Would anyone be able to give me a step-by-step walkthrough for encrypting a Joplin profile with VeraCrypt? I've tried substituting the profile folder in .config-joplin-desktop with a VeraCrypt folder and placing the original contents of the profile folder in there. Also tried doing the same with a VeraCrypt folder within the profile folder. Joplin won't open and I get an error message 'EEXIST: file already exists. mkdir C:\Users\user\joplin-desktop\profile-xxxxxx' when I do. As you will realise, I have little technical skill, so any help will need to be easy on the jargon.

Welcome to the forum!

Can't really say anything about Joplin Desktop and VeraCrypt, but I'm running several instances of Joplin Portable in VeraCrypt containers, both on thumb drives and internal SSDs. Simply put Joplin.exe and the config folder in your mounted VeraCrypt drive and start it from there.

Thanks former_evernotist. I tend to lose USB drives, but if I can install it within a VeraCrypt container on an internal SSD, that's a possibility. I'd prefer to be able to swap the profiles within one instance of Joplin once the encrypted profile is mounted (if that's even possible) but your method is certainly a fallback option. Can you sync to cloud storage with end to end encryption as normal from within a mounted container?

Yes, I think profile switching should work as expected. Sync definitely does.
I also suggest using the Portable version: it can do all the things the installed, Desktop version can. But it makes it really simple to manipulate specific folder placement.

Thanks for that zblesk. Good to know you can sync. What you and former_evernotist suggest looks a way forward and if no one comes up with a desktop solution I'll take that route.

I did this by using the Joplin portable app and putting the app and its subsequent profile on a drive that is VeraCrypt encrypted. I have not found anything that the full app can do that the portable one can't, at least nothing that I use anyway.

I have 4 PCs running Joplin, 2 use Bitlocker for the OS and secondary drive / partition with the app and profile on it. 1 uses VeraCrypt that way and the 4th uses a Self Encrypted SSD using a BIOS set access password.

If it fits your use case a separate user account (on the operating system) or a whole disk partition with VeraCrypt could be used to safeguard a proper desktop installation from unauthorised access. Joplin Portable is a fine piece of software, but it takes a very long time to start.

And it has no access to the OS's key chain to store your E2EE password which means that it's stored in plain text in your Joplin database. Maybe that doesn't really matter as in your scenario local storage is encrypted anyway.

Thanks for your response Rootman. Looks like portable is the way to go.

Changing user accounts would be a bit clunky for me. A separate, small partition might work though. I'm going to try that and the portable and see how it goes. Feedback appreciated former_evernotist.

I also use Joplin portable on a USB drive as well. I have the drives set up using Ventoy. Ventoy is an ISO boot utility that allows you to boot multiple tools and OS installations from one stick. The Ventoy takes up about 40 GBs, the rest of the drive is devoted to backups of files as well as a passel of portable apps. This includes Joplin portable with its profile. This partition is encrypted with VeraCrypt.

So I have a USB thumb drive and USB HDDs that can boot into multiple ISO files, Windows installation, utilities and other stuff. The same USB drive has a large partition that is encrypted with VeraCrypt, the VeraCrypt files are even on the first unencrypted partition so I can mount the VeraCrypt partition on a PC that does not have VeraCrypt installed. I have access to my personal files on that second partition as well as a few dozen portable apps - most from PortableApps.com.

It makes for a nice little system, I can boot to a WinPE ISO and get access to disks that may have the OS corrupted. I can install Windows or Linux from the same stick. I can use utility ISOs to do many things. I can mount the VeraCrypt partition and have access to a host of portable apps including Joplin, utilities and tools to do a host of things.

I am in IT and I find it invaluable to have so much available right in my pocket.

Not sure the responses you have received are solving your problem.
My take is I would not use the built-in profile switching (based on experience on a Mac, I could explain why, but it's lengthy), but rather create an alias in the .config place which points to the VeraCrypt disk. But there are problems under macOS, and there may be problems under Windows.

Any chance you could add it to this thread, when you find a workable solution? I am asking since many threads go numb when the solution is found, without explaining what the solution was. If you have specific questions (Windows or macOS) which you'd like to discuss further - I am ready to spend some time on it.

That's some setup Rootman, from what I understand of it. Portable apps appear very versatile. If possible, however, for me, I'd like to keep everything under one roof.

Hi ajay, thanks for responding. I'll be sure to post the solution if I find one. I suspect there may be others interested in achieving the same end. However, with my level of technical knowledge.... well, don't hold your breath.

How do I create an alias? Do I duplicate the joplin-desktop file? And do I point to VeraCrypt by encrypting it for use as a mounted drive?

On Windows: The Complete Guide to Creating Symbolic Links (aka Symlinks) on Windows

I'll take a look

I've used symbolic links many times. It generally works without a hitch, although a few apps have caused me grief. One in particular, I moved the folder I wanted on my encrypted drive and put a symbolic link back to the original source, works a treat. However, whenever I update it I guess the installation actually deletes the folder I am linking to (actually the link because it does not seem to know any better) and breaks it; there goes my fix, and I have to create the link all over again. So, be sure to check your links to make sure they are still valid.

Links are easy to create from the command line, easier with a GUI. Google up HardLink Shell Extension, it makes creating links as easy as drag and drop.

Thanks for that Rootman. The link ajay sent me looks good. When I get a spare hour I'm going to give it a go. Do I need a hard or soft link do you know?

For the sake of anyone else trying to achieve the same end, I'm updating my progress. I managed to achieve local encryption of a profile and its associated notebooks, but was not able to sync them.

I set up a separate profile which is protected by a VeraCrypt container. The container needs to be mounted before changing profile, otherwise the profile, or Joplin, won't open. Once the container is mounted, Joplin will open again. VeraCrypt provide detailed instructions on how to do this.

Using the link ajay provided above, I found this command to get the 2nd profile to store its notebooks in the encrypted folder mounted on volume J (in my case):

mklink /J C:\Users\user\.config\joplin-desktop\profile-xxxxxxxx J:\profile-xxxxxxxx

I was unable to get the 2nd profile to sync separately, either to the same server as the default profile, or to a different location. It will sync to the same location as the default profile, but the notebooks are duplicated in both profiles. There doesn't appear to be an option to use a different password for each profile.
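
A pre-launch check for the junction setup described in the post above, as an added example that is not part of the original thread. It confirms the profile folder is still a junction and that its target on the mounted VeraCrypt volume is reachable before starting Joplin. The function name `Test-EncryptedProfileLink`, the `profile-xxxxxxxx` placeholder and the Joplin install location are assumptions to adjust.

```powershell
# Added example. Paths are placeholders/assumptions; adjust to your own setup.
$ProfileLink = Join-Path $env:USERPROFILE '.config\joplin-desktop\profile-xxxxxxxx'  # junction made with mklink /J
$JoplinExe   = Join-Path $env:LOCALAPPDATA 'Programs\Joplin\Joplin.exe'               # assumed install location

function Test-EncryptedProfileLink {
    param([Parameter(Mandatory)][string]$LinkPath)

    # -Force returns hidden/system items; SilentlyContinue turns a missing path into $null.
    $item = Get-Item -LiteralPath $LinkPath -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Ok = $false; Reason = "Link path not found or not readable: $LinkPath" }
    }

    # If an update or cleanup replaced the junction with a real folder,
    # notes written there would land on the unencrypted disk.
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        return [pscustomobject]@{ Ok = $false; Reason = "$LinkPath is a normal folder, not a junction" }
    }

    # Target is a collection in Windows PowerShell 5.1 and a string in PowerShell 7+.
    $target = @($item.Target)[0]
    if (-not $target -or -not (Test-Path -LiteralPath $target -PathType Container)) {
        return [pscustomobject]@{ Ok = $false; Reason = "Junction target not reachable (volume not mounted?): $target" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "Junction resolves to $target" }
}

$check = Test-EncryptedProfileLink -LinkPath $ProfileLink
if ($check.Ok) {
    Write-Host $check.Reason
    Start-Process -FilePath $JoplinExe
} else {
    Write-Warning $check.Reason
    Write-Warning 'Mount the VeraCrypt container (and recreate the link if needed) before starting Joplin.'
}
```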

You can't use the same cloud storage to sync multiple profiles unless you use filesystem sync into completely separate folders and then sync those between different devices.

Will that only work with Joplin Portable?