Encryption on Server & Transmission, Yes, No

[RgaDawg 35]

I know the dB on client side is not encrypted, which I don't care about. Is the dB content encrypted via transmission and on server (cloud)?

I'm asking because the recent updates for the Windows client has some quite serious encryption issues, losing notes, reproducing content within encrypted notes and I have had to de-crypt them for fear that feature is just not stable for now. I have always used this feature on some notes. I understand it is just an extra layer of protection and that the encryption in transmission and on server is actually good enough for protection.
 

 

[jefito 5,589]

https://evernote.com/security

[EdH 1,670]

Jefito posted the details, but in summary, the transmission is over an encrypted TLS connection and the data on the servers is using encryption at rest, so it is only decrypted when you need access to it, or when Evernote does to do something you asked it to do (index/search for example).

[RgaDawg 35]

6 hours ago, EdH said:

.. so it is only decrypted when you need access to it, or when Evernote does to do something you asked it to do (index/search for example)...

So, let's say I put some sensitive info in my Windows EN client, without encrypting in my Client. Then ya'll would be satisfied that it is pretty secure ? Correct. The way I understand it is the Windows Client side encryption feature is not necessary, but just a second layer of protection for those that want the feature. I have some valuable info, passwords, logins, SSNs, etc. The reason I have such info on my EN Client is that if I need it in another city, at an airport, on my phone, on a laptop, then I can get to it ..  Really just talking about using the client here. I realize the web HTTPS is encrypted. Thanks

[DTLow 5,736]

16 minutes ago, RgaDawg said:

So, let's say I put some sensitive info in my Windows EN client, without encrypting in my Client. Then ya'll would be satisfied that it is pretty secure ?

Yes, I'm satisfied my data is "pretty secure";

But I still encrypt my sensitive data; I still backup my data.

I know my data is secure

[RgaDawg 35]

18 minutes ago, DTLow said:

But I still encrypt my sensitive data; I still backup my data.

I do keep backups.
And I prefer to use the client side encryption
However, I'm going to wait a few public updates
Earlier I was using a pre-release which turned up some serious issues with local client side encryption feature.

- Thanks for explaining

[EdH 1,670]

32 minutes ago, RgaDawg said:

So, let's say I put some sensitive info in my Windows EN client, without encrypting in my Client. Then ya'll would be satisfied that it is pretty secure ? Correct. The way I understand it is the Windows Client side encryption feature is not necessary, but just a second layer of protection for those that want the feature. I have some valuable info, passwords, logins, SSNs, etc. The reason I have such info on my EN Client is that if I need it in another city, at an airport, on my phone, on a laptop, then I can get to it ..  Really just talking about using the client here. I realize the web HTTPS is encrypted. Thanks

No, I would not be satisfied that is "secure" unless your hard drive is encrypted.

On your client (Mac and Windows at least) the database is unencrytped and largely plain text. If I wanted access to your data, I just remove your hard drive and read it. On your PC/Mac, you should be encrypting the hard drive, or create an encrypted volume using something like VeraCrypt, or encrypt the folder in Windows using the Encryption feature in properties if you cannot encrypt the full volume.

The encryption in the client when you encrypt text means NO ONE can open it but you with that password. Data you encrypt that way is not searchable, nor decryptable by Evernote. It is jsut a binary blob to them, and they are double-encrypting it on their servers via encryption at rest, just like they are encrypting an image or file in your notes.

I personally wouldn't use Evernote for secure data like SSN, passwords, etc. Not because it isn't secure if you are encrypting the relevant text, but because it is the wrong tool. LastPass or other password managers is better for that. Your entire database is encrypted no matter where it is, and is only unencrypted when you open it. Because password databases are relatively small (a few hundred KB, or even a few dozen MB) they can be encrypted/decrypted virtually instantly, so they are ideal for that sensitive info. Just my 2¢. Right tool for the right job.

[RgaDawg 35]

1 hour ago, EdH said:

.. Right tool for the right job.

Thanks for the ideas. VeraCrypt seems like a nice tool. I have several (Win) apps that contain sensitive data. All of them have the ability to point their dB to a custom location, on an encrypted virtual drive, perhaps.

[EdH 1,670]

2 minutes ago, RgaDawg said:

Thanks for the ideas. VeraCrypt seems like a nice tool. I have several (Win) apps that contain sensitive data. All of them have the ability to point their dB to a custom location, on an encrypted virtual drive, perhaps.

Veracrypt would be my second choice. If you have Windows 10, use Bitlocker unless you have Windows home. Does full volume encryption.

Veracrypt full volume isn't ideal. Veracrypt containers is fine, but still a bit more maintinence than bitlocker, which is 100% brainless after you enable it. You never have to deal with it again. It just works. Just like FileVault on Mac. Super easy.

[RgaDawg 35]

2 hours ago, EdH said:

.. If you have Windows 10, use Bitlocker ..

Information I found says Bitlocker is available for Vista up .. But I don't see it in my Windoze 7 Pro ..

[EdH 1,670]

11 hours ago, RgaDawg said:

Information I found says Bitlocker is available for Vista up .. But I don't see it in my Windoze 7 Pro ..

for Windows 7, you have to have Enterprise to get bitlocker. So Veracrypt it is!