Encrypting the Joplin Database

Michael's Site About Martial Arts Aikido Jinenkan Tatsumaki Dojo Projects Security My Toolkit GitHub Links Encryption Encrypting the Joplin Database By MichaelNovember 27, 2020 Though Joplin comes with end-to-end encryption, that feature only protects the data stored on whichever server is being used for syncing the notes between applications. On standard installations, the data isn't actually encrypted locally on the devices themselves, the way it is with Standard Notes.

In Windows, the notes are stored in an SQLite file in C:\Users[User Name].config\joplin-desktop. Opening the database file using an SQLite browser, we can see the notes and password-derived cryptographic keys are actually stored unencrypted. Anyone who can access this file can read everything in it. It would be nice if that database could be encrypted, with a password-derived cryptographic key, to ensure the notes remained private. The good news is there are ways to do this, and it's possible to set up very strong security for the desktop installations of Joplin, at least.

Using Windows Native Encryption and Account Control By far the easiest method of encrypting the database is to use Windows' native encryption to protect the joplin-desktop directory and its contents. To do this, just right-click on the directory, and under the General tab, click the 'Advanced...' button. Check the 'Encrypt contents to secure data...' option. Windows will automatically encrypt and decrypt this directory, using the cryptographic key associated with your account. This will protect the data from anyone who doesn't have access to your account or the system's admin account. But I'm not certain enough that this provides adequate security or privacy on a shared computer, with someone else being able to elevate their account to admin permissions.

Joplin in an Encrypted Container A far more secure option is to install Joplin as a portable application inside an encrypted container, where the database and configuration files are protected against even those with full access to the computer - unless, of course, a keylogger is installed. Another advantage of this is that the encrypted container doesn't need to be on the machine - it could exist on a USB drive. As it happens, Joplin is also a handy method of exchanging files between encrypted volumes on Windows and Linux systems, since attachments are also sent encrypted.

For this you'll need the portable version of the Joplin application and VeraCrypt (alternatives are available). Simply set up an encrypted container (ideally ~4GB), download the portable application installer to that volume then run it. Now the local Joplin notes and the copies on the remote server are strongly encrypted.

Android Devices The security model is a little different for mobile devices, which typically aren't shared and have just one user (plus a hidden admin account). Also, a typical smartphone is switched on continually, so the benefits of full disk encryption (internal storage and microSD) are actually limited, since the disks are almost always in a decrypted state. There are ways, for those with expertise and resources, of getting data from locked Android devices while they're still switched on. That said, it's still better to have full disk encryption enabled than not.

Another (relatively weak) layer of security we can add is an 'app locker' - this would be enough to prevent the average person from accessing selected applications if they happened to pick the device up while it's unlocked. One my devices has Huawei's own EMUI launcher, which can be configured to require a PIN to access the Joplin app. On the other device, I installed Norton App Lock, which does roughly the same thing, but it needs to be configured to use the device admin account to prevent it being uninstalled without the PIN. Edit: It looks as if Norton's App Locker works by adding a PIN-protected overlay to the application being opened. This article was updated on November 30, 2020

Encryption Privacy Security Michael Michael PREVIOUS POST Using Joplin NEXT POST A PhD Research Idea Related posts Encryption Using Joplin I don't know why I haven't given this a proper look before. Essentially Joplin is a markdown editor application that…

November 17, 2020 © 2020 Powered by Publii Static CMS About Martial Arts Projects Security My Toolkit GitHub Links