
Are my notes private at work?

privacy work cache enterprise evernote

15 replies to this topic

#1 Gusterman

Gusterman

  • Pip
  • Title: Member
  • Group: Members
  • 1 posts

Posted 09 May 2012 - 01:36 AM

I rely on Evernote at work to capture every thought that goes through my head. Some of these thoughts are not related to work, and some are not necessarily compliant material. I believe my cached notes are being saved in my C drive.

It is a normal practice at organizations to warn employees that, for example, corporate communications, such as e-mail, are not private, and every message is able to be read if necessary.

I use my own Evernote account at work, as opposed to a corporate account. (Working in web development, I have some liberties as to what I can install on my work computer.)

The way Evernote is built, is there a possibility that the organization could peek into my notes or otherwise access them?

Sincerely

G

#2 jefito

jefito

  • Title: Evangelist / Moderator
  • Group: Evernote Evangelist
  • 10,762 posts

Posted 09 May 2012 - 02:22 AM

Yes, your notes database is stored on your local drive, if you use the Windows client. You could use the web client, if you wanted access to your notes at work; that's accessed via https:, so that would be secure. On the other hand, your browser has a cache, so that could be a problem. There are also mobile clients for, for example, iOS and Android devices, so if you have mobile Internet access or Wi-Fi, that's a possibility, as well.
~Jeff

#3 gdmilner

gdmilner

  • PipPip
  • Title: Alliance Lackey
  • Group: Members
  • 75 posts

Posted 09 May 2012 - 03:25 AM

No. Ultimately, nothing is truly private on a computer you don't own.

Sorry, but that's the truth of it.

They may be "private" in the sense that they cannot see them on an ongoing basis, but anything on that computer is available to your employer whenever they want to look at it.

#4 Liam Gretton

Liam Gretton

  • PipPip
  • Title: Alliance Lackey
  • Group: Members
  • 62 posts

Posted 09 May 2012 - 12:14 PM

You can get a decent degree of security in your current setup by using an encrypted USB device to store the Evernote database files.

I use TrueCrypt but you may need administrative rights to install it. Otherwise there are plenty of self-encrypting USB devices on the market.

Once you have one of those in place, just set the location of 'Evernote local files' in Evernote's options to be a folder on your encrypted device.

#5 passness

passness

  • Pip
  • Title: Member
  • Group: Members
  • 6 posts

Posted 09 May 2012 - 01:48 PM

your notes database is stored on your local drive.

#6 Liam Gretton

Liam Gretton

  • PipPip
  • Title: Alliance Lackey
  • Group: Members
  • 62 posts

Posted 09 May 2012 - 06:40 PM

your notes database is stored on your local drive.
'Local' as far as Evernote is concerned means on a device attached to your computer.

In fact with TrueCrypt it's not necessary to have a separately encrypted device, you can just create an encrypted file container and use that to store Evernote's database. The encrypted file container is an encrypted file that can be mapped to a drive letter and treated as a local disc.

#7 riow

riow

  • Pip
  • Title: Member
  • Group: Members
  • 10 posts

Posted 19 November 2012 - 12:15 PM

I've just synced to the newly installed Evernote on a Win7 desktop. I'm worried about whether the data stored locally in Win7 has been encrypted.

#8 jefito

jefito

  • Title: Evangelist / Moderator
  • Group: Evernote Evangelist
  • 10,762 posts

Posted 19 November 2012 - 12:48 PM

No. The data is stored in a SQLite database, unencrypted.
~Jeff
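
Added example (not part of the post above and not Evernote's code): a small Python audit that reports which files in an application data directory are readable as plaintext SQLite, as described in the reply above, and which look like ciphertext. The file names `notes.db` and `container.bin` and the demo directory are constructed sample data.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, lower for plaintext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """Classify a file by how its bytes look to anyone who can read it."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"   # openable with any SQLite tool, no key needed
    if len(sample) >= 4096 and shannon_entropy(sample) > 7.9:
        return "high-entropy"       # encrypted or compressed; not readable as-is
    return "other"

def audit(directory: str) -> dict:
    """Walk a data directory and return {relative_path: classification}."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, directory)] = classify(full)
    return results

def build_demo_dir() -> str:
    """Constructed sample data: one real SQLite file and one random blob."""
    demo = tempfile.mkdtemp(prefix="notes_audit_")
    con = sqlite3.connect(os.path.join(demo, "notes.db"))  # hypothetical file name
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO notes (body) VALUES ('constructed sample note')")
    con.commit()
    con.close()
    with open(os.path.join(demo, "container.bin"), "wb") as fh:
        fh.write(os.urandom(65536))  # stands in for an unmounted encrypted container
    return demo

if __name__ == "__main__":
    for rel, kind in sorted(audit(build_demo_dir()).items()):
        print(f"{kind:18} {rel}")
```

Run it against the files as they sit on disk when locked: inside a mounted TrueCrypt or BitLocker volume the database still reads as plaintext SQLite, because decryption is transparent while the volume is unlocked.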

#9 riow

riow

  • Pip
  • Title: Member
  • Group: Members
  • 10 posts

Posted 19 November 2012 - 01:26 PM

Is there any option to encrypt it or secure it in Evernote?

#10 jbenson2

jbenson2

  • PipPipPipPipPip
  • Title: User # 142,683
  • Group: Members
  • 5,590 posts

Posted 19 November 2012 - 02:31 PM

is there any option to encrypt it or secure it in Evernote?


Sure, several users encrypt their Evernote database with TrueCrypt. (very secure)
http://www.truecrypt.org/

#11 jefito

jefito

  • Title: Evangelist / Moderator
  • Group: Evernote Evangelist
  • 10,762 posts

Posted 19 November 2012 - 10:27 PM

If you want to use TrueCrypt to encrypt your database, you should search the forums for TrueCrypt for details.
~Jeff

#12 riow

riow

  • Pip
  • Title: Member
  • Group: Members
  • 10 posts

Posted 20 November 2012 - 01:36 PM

I had experience using TrueCrypt a long time ago. Thanks for reminding me about it.

#13 panayotov

panayotov

  • Pip
  • Title: Member
  • Group: Members
  • 10 posts

Posted 19 June 2013 - 02:25 PM

Hi,

I like Evernote very much and have been using it for a long time. I also recently upgraded to Premium for one and only one very simple reason, a very tiny minor feature - PIN lock for my Android app. I'm somehow OK with the potential security risks that come with storing personal data in the cloud; however, I'm more aware about what I store locally on my device (a smartphone, PC, laptop, etc.). So with the PIN lock my local security was in line - the Windows client I use is secured with the password of my account.

So, today I was modifying some settings in the Windows client when I noticed that I can choose the location of the local databases the Windows client uses to cache the data in my Evernote account. I immediately went there and tried opening the snippets and main database files and guess what? Voila! They opened and every bit of info I'd put into Evernote was there, accessible to everyone interested. There's lots of other info in these files, which is not human readable, but the content of all notes is there. (Additionally, there is an attachments folder, which contains images for me and probably other stuff for other users - yes, completely unprotected.)

I'll try to put this mildly - this is a joke. I know - almost everything that has a lock can be unlocked. However, even the minor trace of security is missing here. Yes, the encryption Evernote is using for transmitting your data over the wire is weak. But it's there. What if my device gets stolen and a malicious person goes there and just opens these files and gets all of my data without any effort? I don't want to test this on my Android device, which is the most vulnerable device I have in terms of security, because I'm afraid of what I might discover there.

Is it so hard to encrypt the local files and decrypt them when the user logs into the client and encrypt them again when they log out?

Please consider this as a Feature Request.

Regards,

A big fan and an Evernote evangelist in my social circles.



#14 BurgersNFries

BurgersNFries

  • Title: Moderator
  • Group: Evernote Evangelist
  • 12,157 posts

Posted 19 June 2013 - 02:33 PM

This has been discussed at great length already. Please search the board on security & encryption for more info. And to clarify, PIN codes typically only keep someone out of the app. They do not encrypt or hide the database or work files from people who are tech savvy enough to dig around in the bowels of your hard drives.

#15 jbenson2

jbenson2

  • PipPipPipPipPip
  • Title: User # 142,683
  • Group: Members
  • 5,590 posts

Posted 19 June 2013 - 02:48 PM

Not just local but system wide.

After the coordinated hacker attack into Evernote's password (hashed and salted) database in March, Evernote came up with 3 new security features.
http://blog.evernote...urity-features/

The Access History is interesting, but should be checked regularly.

Unfortunately, Evernote continues to rely on 64-bit RC2 crypto.
http://evernote.com/...rticle/23480996

It would be reassuring to see Evernote increase their security from the rather archaic and easily broken 64-bit RC2 to a more robust 256-bit AES.



#16 Liam Gretton

Liam Gretton

  • PipPip
  • Title: Alliance Lackey
  • Group: Members
  • 62 posts

Posted 19 June 2013 - 08:43 PM

If you can't trust the physical security of your PC, then encrypt the files with BitLocker, TrueCrypt, etc. Same goes for every other device. I don't bother with the Evernote PIN on my Android device; I encrypt the whole device and have it lock after 30s automatically, and that protects everything.

It's not the application's job to deal with file encryption etc. on a device, in my opinion; there are too many potential vulnerabilities that can never all be anticipated adequately. If you're worried about your Evernote files being picked apart, surely you have other files that are similarly vulnerable (in my case it's mainly the stuff I can't entrust to Evernote due to security concerns, sadly).

Also, I'd dispute that Evernote's encryption over the wire is weak. I haven't checked, but I expect it's 128-bit SSL or better. The RC2 encryption available within individual notes is laughably bad though; they're almost better off removing that feature if they can't or won't implement something credible.

On a related note, if EN could implement client-side en/decryption of what gets stored on their servers, I'd be able to use EN for just about everything I do. Until then, I have to restrict its use practically to what I'm willing to reveal to the world. Until last week I was only worried about hackers breaking into EN, but it turns out I also have to consider the US government poking around :-(






