Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature request] Password or pin protection #289

Open
SamuelBlickle opened this issue Mar 12, 2018 · 46 comments
Open

[Feature request] Password or pin protection #289

SamuelBlickle opened this issue Mar 12, 2018 · 46 comments

Comments

@SamuelBlickle
Copy link
Contributor

@SamuelBlickle SamuelBlickle commented Mar 12, 2018

I think it would be nice to have a password or pin protection for notebooks. This would add some privacy for the notes and todos if the content of the notebooks would only be visible when the user enters a password. The notebook should be 'locked' again when an other notebook gets opened or the app is closed.

@laurent22
Copy link
Owner

@laurent22 laurent22 commented Mar 12, 2018

I'm afraid that would be out of scope. Securing apps and device data is something for the operating system to handle. You can also get extra security using an encrypted hard drive, but doing this at the app level I think would not make sense.

@laurent22 laurent22 closed this Mar 12, 2018
@SamuelBlickle
Copy link
Contributor Author

@SamuelBlickle SamuelBlickle commented Mar 12, 2018

i did not think about securing data at os level. imo this is handled really well with the e2e encryption feature. all i thought about is some sort of protection against curious roommates etc. a simple password input would do the trick.

@laurent22 laurent22 mentioned this issue Mar 16, 2018
8 of 8 tasks complete
@laurent22
Copy link
Owner

@laurent22 laurent22 commented Mar 16, 2018

To provide more details, the end to end encryption that Joplin implements is to protect the data during transmission and on the cloud service so that only you can access it.

On the local device it is assumed that the data is safe due to the OS built-in security features. If additional security is needed it's always possible to put the notes on an encrypted Truecrypt drive for instance.

If someone that you don't trust has access to the computer, they can put a keylogger anyway so any local encryption would not be useful.

@mikeziri
Copy link

@mikeziri mikeziri commented Mar 16, 2018

I felt the need for this on my job pc. It is password protected but my boss have access to it.
I trust them but by principle I like to have a master password on my stuff (like password managers).

I understand your point on the security aspect of Joplin is out of scope.

It doesn't seem priority but tell me if I'm wrong, it seems rather easy to check if encryption is set on an instance on startup and prompt for the master password to continue (unlock) instead of loading it from sqlite db.

@SamuelBlickle
Copy link
Contributor Author

@SamuelBlickle SamuelBlickle commented Mar 16, 2018

yes @mikeziri thats exactly my opinion. it should not be very complicated to get passwords from an input field and it would add exactly this level of 'security' i am talking about. often a password prompt is all it needs to stop people from looking through your private data you do not want them to see.

@laurent22
Copy link
Owner

@laurent22 laurent22 commented Mar 16, 2018

The SQLite database is not encrypted, even when E2EE is enabled. It might contain encrypted items it got via synchronisation but those will eventually be decrypted too.

Asking for a password wouldn't be useful if the data behind is not encrypted - anyone can easily open the SQLite file and view all the content without launching the app.

Other than a built-in solution, you could probably do this using a small script. You could for instance put the profile directory in a password-protected ZIP file. Then with a bash or batch script, you would unzip the file (at which point you will be asked a password) and then run the app. When the app close, you'll re-encrypt the file again from the same script.

Otherwise putting the profile on a USB key that you can take with you could be a solution too. I think some USB keys have built-in encryption.

@mikeziri
Copy link

@mikeziri mikeziri commented Mar 16, 2018

Just to understand better:
the notes directory has the encrypted content.
the sqlite has the same data not encrypted?

just to see how I approach a solution for my situation. ty

@SamuelBlickle
Copy link
Contributor Author

@SamuelBlickle SamuelBlickle commented Mar 16, 2018

the method with the zip script could work, yes, even if it's a bit of a workaround.
but i think @mikeziri and me are not thinking about 'encryption' per definition, it's more an added layer of protection because:
yes technically you are right @laurent22 anyone could open the sqlite database but i think 90% of all potential curious office workers or roommates would not be able to do so (or would be too lazy for it).

@laurent22
Copy link
Owner

@laurent22 laurent22 commented Mar 16, 2018

@mikeziri, yes, the note directory on the cloud service (eg. OneDrive, Nextcloud, etc.) has encrypted data.

The local, SQLite data is not encrypted.

@stjok
Copy link

@stjok stjok commented Apr 8, 2018

could not agree more. there should be a password to open the app

@stjok
Copy link

@stjok stjok commented Apr 8, 2018

while I'm at it, it would be great if images could be copied to a note. that and the password get done, I'm contributing and sticking with Joplin. Thank you for considering my requests

@NixSar
Copy link

@NixSar NixSar commented May 27, 2018

This should really be reopened, because of the lack of a pin/password, basically a boss key, Joplin is unusable safely in a work/public setting on a desktop computer. Yes, on your own Android device you can get a third-party app to lock it, but on a work/public computer most people don't have privileges to install such apps and anybody that sits down (or remote desktops) in front of such a computer can immediately go through their notes. A simple pin would alleviate 99% of this problem leaving your notes readable only to a determined IT guy - and that certainly wouldn't be the scope of this request.

@laurent22 laurent22 reopened this May 27, 2018
@laurent22
Copy link
Owner

@laurent22 laurent22 commented May 27, 2018

I'm reopening the issue in case someone would like to propose a pull request.

@nr458h
Copy link

@nr458h nr458h commented May 27, 2018

I'm not a programmer but I would like to add two other points:

  1. I don't know how it is handled at the moment, but the pin/pwd could be used to save the key encrypted (or the hash)
  2. This would also add the ability to unencrypt the notes only when running the app
@t2hv33
Copy link

@t2hv33 t2hv33 commented Jun 4, 2018

Waiting for this feature
I really love feature setting a password for some phrase in the note of Evernote.

@teresaejunior teresaejunior mentioned this issue Jun 7, 2018
22 of 22 tasks complete
@teresaejunior
Copy link

@teresaejunior teresaejunior commented Jun 7, 2018

I'll have to be honest that a password to open the app without encrypting the database itself seems more like a quick hack than a security precaution. It could do the job for some use-cases, but Joplin becomes useless for any sensitive information (I already have KeePassXC for passwords, but it is not practical at all for writing and syncing notes).

@zblesk
Copy link
Contributor

@zblesk zblesk commented Jun 7, 2018

Yes, well, that might be a part of the reason why Laurent is hesitant to just hack something together. Right now I don't have enough time to look for links, but multiple people (including me :D ) have asked about this before, both here and on the forum. Maybe take a look if you're interested.

Though I do disagree with the sentiment that Joplin "becomes useless". There is working E2E encryption, and if you're afraid of your device falling into the wrong hands, you can encrypt the entire device. (Whether it's a phone or a pc.) Or you can just keep Joplin data in an encrypted partition.

@teresaejunior
Copy link

@teresaejunior teresaejunior commented Jun 7, 2018

Not totally useless for sure, but I meant useless for anything sensitive. I don't care so much in my Linux laptop, which I have already setup very securely, but having unencrypted notes in an Android phone feels like sharing all my notes with the world!

I'm not complaining, though, but this is something that would be very valuable.

@zblesk
Copy link
Contributor

@zblesk zblesk commented Jun 7, 2018

@teresaejunior
Copy link

@teresaejunior teresaejunior commented Jun 7, 2018

Applications in Android are sandboxed, but it is not that difficult to find applications that manage to break the sandbox, or even root the phone. I take all precautions I can, of course, but security is never too much.

@NixSar
Copy link

@NixSar NixSar commented Jun 8, 2018

I agree that anything less than an encrypted mysql db is less than ideal, but a pin/boss key is not a hack, it is just a small step towards better security on public computers. Having said that, the end goal should still be database encryption.

@nidusin
Copy link

@nidusin nidusin commented Jun 18, 2018

Hi All,
I agree that some form of authentication makes sense for a note system that advertises encryption. Particularly in a workplace or shared environment as discussed earlier.
My workaround on windows at the moment is to run the portable version of Joplin including its data files in a Cryptomator vault. This encrypts both the executable and the database until a password is provided. Once unlocked the system can run, sync and update as normal. The vault gets locked when I am not present. This would also be suitable for a secured USB stick.
edit: Should work on linux as well.

@aplocher
Copy link

@aplocher aplocher commented Nov 20, 2018

I think having the notebooks themselves password protected would be the best (perhaps optionally down to the note level, but that's more granularity than I need, personally).

I have a hard time convincing people that my notebook called "not pr0n" doesn't have pr0n in it when all it takes is a click of a mouse.

@aplocher
Copy link

@aplocher aplocher commented Nov 20, 2018

J/k btw, but I do have some sensitive information in my notes which will prevent me from switchign to Joplin until that feature arrives. I really dig this tool, though - would love to see that feature and make the switch.

@koshia
Copy link

@koshia koshia commented Nov 30, 2018

I'm also waiting for some similar capabilities. As a manager now, I share 90% of my notes with my staff - but I don't really have a private area to put down notes that may be sensitive in nature. I attempted to run Joplin in multiple sessions and that worked one-quarter of the time, with synchronization kind of hap-hazardly working.

@sollermun
Copy link

@sollermun sollermun commented Dec 14, 2018

I agree with the above comments. There needs to be a way to keep data encrypted and locked on the devices themselves so that other users or applications cannot access the contents. A good example is the Signal app which encrypts both the transmissions and the client side data (if chosen).

@manad777
Copy link

@manad777 manad777 commented Dec 27, 2018

@laurent22 , could you use SQLCipher (transparent encryption for SQLite) for Node? Ex: https://coolaj86.com/articles/building-sqlcipher-for-node-js-on-raspberry-pi-2/

@seascape
Copy link

@seascape seascape commented Feb 22, 2019

I've been looking for the best 1-to-1 Evernote replacement for some months now and was excited to find Joplin. I was really surprised that it stores its password in local plain text and, especially, lacks the ability to query for a PIN or PW upon startup.

Last week I was violently mugged and the attackers took my phone, which I had foolishly (imo) only secured with a swipe-lock (could potentially be figured out by looking at the fingerprint streaks). I had Evernote on there, complete with 1,000 notes, and had been unaware of its PIN feature. So if they got into the OS they could likely get into my Evernote, full of sensitive information. Not good.

I think I ended up OK, but that experience really got my looking at how to better secure my software, especially on Android phones. If Joplin mobile really doesn't have even rudimentary PIN security that is a huge drawback / risk in my opinion. Makes me very hesitant to fully adopt Joplin.

Btw, Android has an ecosystem of third-party "app locker" apps that claim to secure other apps, but all the ones I tried seemed easily circumvented, such as by uninstalling them.

@laurent22
Copy link
Owner

@laurent22 laurent22 commented Feb 23, 2019

In Android, Joplin's data is in a folder that's inaccessible without root, so if the attacker doesn't know your phone password (if they can't unlock it) they can't access any of that data.

@guy-rouillier
Copy link

@guy-rouillier guy-rouillier commented Mar 10, 2019

I agree with the sentiment of optionally requiring the user enter a password or pin when the app starts, and preferably using that to access locally encrypted data. As others have said, sometimes I'll allow others to use my PC (to look up something on the web) or smartphone (to make a quick call). I wouldn't want them to be able to see all my account numbers and passwords simply by pressing on an icon.

I haven't used it, but I see SQLite has an encryption extension:

https://www.sqlite.org/see/doc/trunk/www/readme.wiki

@PopeRigby
Copy link

@PopeRigby PopeRigby commented Apr 1, 2019

Adding on to this, maybe it would be good to be able to set a seperate pin for a certain note, for extra special security.

@cryptosteve2
Copy link

@cryptosteve2 cryptosteve2 commented Apr 13, 2019

I'm also waiting for this ability and need this as a simple protection against roommates.

@rawlife56
Copy link

@rawlife56 rawlife56 commented Apr 19, 2019

I'm not a code magician like @laurent22 is and don't mind as I'm linking a commercial application here and totally understand how tough it's to maintain this one.

Standard Notes went through the same request two years ago and I guess they're currently encrypting the data at rest too. The linked issue provides a great insight which will be a great step for Joplin to look into. Use case is Granny or some random noob's malicious desktop which has a malware application actively scanning the app data on desktops where encryption at rest could slightly help along with the pin protection like many members request here to get rid of nosy roommates.

@Duckseazon
Copy link

@Duckseazon Duckseazon commented May 17, 2019

I would love to see the database encrypted as well. I don't want my employer to be able to find all my notes just because they are not staying encrypted in my work laptop. This sounds like a critical privacy feature to me.

@laurent22
Copy link
Owner

@laurent22 laurent22 commented May 17, 2019

I would love to see the database encrypted as well. I don't want my employer to be able to find all my notes just because they are not staying encrypted in my work laptop. This sounds like a critical privacy feature to me.

As a reminder, it's easy to setup an encrypted container with VeraCrypt and put on it everything you don't want your employer to have access to. The simplest way is to use Joplin portable application (on Windows), and put it on the encrypted container - both the app and the profile will then be encrypted.

@gudaoxuri
Copy link

@gudaoxuri gudaoxuri commented May 17, 2019

Not supporting encryption is the main reason that prevents me from using Joplin. Adding passwords to a few specific notes is a common requirement.

For example, as a operations personnel, will use Joplin to record some of the work content, which can be unencrypted, but will also record the server, middleware user name password, which requires the use of password access.

image

@laurent22
Copy link
Owner

@laurent22 laurent22 commented May 17, 2019

Not supporting encryption is the main reason that prevents me from using Joplin. Adding passwords to a few specific notes is a common requirement.

Again, I'm really curious, why not use VeraCrypt to encrypt Joplin and its profile directory? That way you don't need to worry about encrypting some notes and not other, you'll have the whole thing encrypted. Or am I missing something?

@gudaoxuri
Copy link

@gudaoxuri gudaoxuri commented May 17, 2019

Not supporting encryption is the main reason that prevents me from using Joplin. Adding passwords to a few specific notes is a common requirement.

Again, I'm really curious, why not use VeraCrypt to encrypt Joplin and its profile directory? That way you don't need to worry about encrypting some notes and not other, you'll have the whole thing encrypted. Or am I missing something?

My hard drive uses BitLocker encryption to achieve what you say is similar to the VeraCrypt feature, but the scenario I'm talking about is:

  1. My computer may be temporarily used by others, and I don't want them to see sensitive notes
  2. Joplin's experience should be simple and fluid, and I don't want me to enter my password when I open Joplin, but only ask for a password when I access sensitive notes

This is why OneNote and Evernote support encryption for specific notes.

https://support.office.com/en-us/article/password-protect-your-notes-e5ffd8fd-e811-441a-aa02-e13f0f445933

https://help.evernote.com/hc/en-us/articles/209005547

@NixSar
Copy link

@NixSar NixSar commented May 17, 2019

Not supporting encryption is the main reason that prevents me from using Joplin. Adding passwords to a few specific notes is a common requirement.

Again, I'm really curious, why not use VeraCrypt to encrypt Joplin and its profile directory? That way you don't need to worry about encrypting some notes and not other, you'll have the whole thing encrypted. Or am I missing something?

There are not so uncommon scenarios of multiple people using the same computer - certain work situations and families to name just two. To use the system you are proposing one would need to dismount the veracrypt volume and close joplin every single time they leave the computer. It would be preferable to have the option of Joplin encrypting the entire database and decrypting it on the fly/user request, or keeping certain notes encrypted and manually decrypted on request with special password(s) as @gudaoxuri suggests, or have such notes (or the entire database) lock themselves automatically on a timer and then require a password.

@SamuelBlickle
Copy link
Contributor Author

@SamuelBlickle SamuelBlickle commented May 17, 2019

A Veracrypt container is also a bit of a mess to sync with a cloud service.

@zblesk
Copy link
Contributor

@zblesk zblesk commented May 17, 2019

@guy-rouillier
Copy link

@guy-rouillier guy-rouillier commented May 18, 2019

Again, I'm really curious, why not use VeraCrypt to encrypt Joplin and its profile directory? That way you don't need to worry about encrypting some notes and not other, you'll have the whole thing encrypted. Or am I missing something?

Laurent, I'd like to use Joplin on my desktop (Windows and Linux) and on my mobile phone (Android). Veracrypt would help out on the desktop, but what about mobile?

Thanks.

@JorgeGNL
Copy link

@JorgeGNL JorgeGNL commented May 18, 2019

I found joplin today and tested (Desktop Windows) the reason why I can't continue using it is because there no Password lock when open the app.

This 2 options should be available:

  • Ask Master password when open the app (Encryption enabled)
  • Ask Master Password when inactive for selected minutes,.

I'm looking for a secure note application with end-to-end encryption, without this 2 missing features is the application only 50% safe.

@ProgressiveArchitect
Copy link

@ProgressiveArchitect ProgressiveArchitect commented May 30, 2019

@laurent22, You keep asking people why they will not use VeraCrypt and the answer is simple. People don't want to have to be forced to install and use separate external software to achieve a feature that other Note Apps like Standard Notes already have built-in. Users generally like Bundled Features.
There seems to be a growing trend of users who won't use Joplin for the sole reason of it lacking Encryption At Rest of the App & the Database file.
Seems silly not to work on adding this when so much of your potential user base is requesting it.

@seascape
Copy link

@seascape seascape commented May 30, 2019

Exactly that. Personally it's my #1 reason for not (yet?) switching.

Any external solution hack/bandaid will be more bothersome, less robust, less versatile, and ultimately less secure than a properly done native implementation of those features. Features, in this case, that are starting to be seen as standard and desirable for apps in this category.

Repository owner locked and limited conversation to collaborators May 30, 2019
@laurent22
Copy link
Owner

@laurent22 laurent22 commented May 30, 2019

Locking for now since nothing new is being added.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet