Full Encryption Support

[David Dibert 5]

It's becoming increasingly important to have full encryption support in Evernote.  Evernote will only encrypt text, not notes with images. Is there any ETA on this feature, as I am working more and more outside Evernote due to this limitation?   There are workarounds like saferoom/axcrpt and other apps to encrypt a file, copy the encrypted text inside Evernote, and do the reverse to see the notes, but that is very hard and then there's no reason to use Evernote and I might as well store it as a file on a service which is easy access from mobile device. Services like pCloud allow zero-knowledge encryption which works very well, so I'm moving more and more of my Evernotes to files in pCloud, but pCloud doesn't really have a note-based UX. I may be somewhat on the leading edge here, but if I'm moving things off Evernote for better security, others are likely doing the same (or should be will all the data breaching happening today). Evernote seems to be falling behind here in functionality that seemingly isn't that hard to implement. Evernote could require the entire note to be encrypted when there are images which is very acceptable to me and that may make it easier for Evernote to implement it in a first release, Thanks for your consideration. I really like Evernote and I don't want to be slowly moving away for better security. Thanks, Dave

[gazumped 11,652]

Most serious users would welcome any level of encryption,  but Evernote haven't yet released anything - they tend (usually) not to comment on work in progress,  so all we can do is hope..

[David Dibert 5]

Thanks.  I put a request into support a few days ago, but rather got crowd sourced into Directly and they suggested I post the request here.   I'm not sure if anyone at Evernote saw it or not.

[DTLow 5,736]

On 2018-04-01 at 4:43 PM, David Dibert said:

t's becoming increasingly important to have full encryption support in Evernote.  Evernote will only encrypt text, not notes with images.

There are feature requests for note encryption, and notebook encryption.
You're welcome to search for them and indicate your support using the voting buttons in the upper left corner of the discussion.

My vote is for end-to-end encyption of the database

I still consider Evernote the best service to store my data.  
My sensitive data is encrypted external to Evernote.  I make use of the native encryption in note attachments; pdfs, office/iwork documents, ...

[GrumpyMonkey 4,319]

I think I may have been requesting encryption for several years now, with various levels of urgency, but Evernote has not adopted the suggestion for some reason. I'd be interested to know why. As I've mentioned before, competitors have managed it, so it's technically feasible. Where there's a will, there's a way.

[CalS 5,280]

On 4/1/2018 at 4:43 PM, David Dibert said:

It's becoming increasingly important to have full encryption support in Evernote.  Evernote will only encrypt text, not notes with images. Is there any ETA on this feature, as I am working more and more outside Evernote due to this limitation?   There are workarounds like saferoom/axcrpt and other apps to encrypt a file, copy the encrypted text inside Evernote, and do the reverse to see the notes, but that is very hard and then there's no reason to use Evernote and I might as well store it as a file on a service which is easy access from mobile device. Services like pCloud allow zero-knowledge encryption which works very well, so I'm moving more and more of my Evernotes to files in pCloud, but pCloud doesn't really have a note-based UX. I may be somewhat on the leading edge here, but if I'm moving things off Evernote for better security, others are likely doing the same (or should be will all the data breaching happening today). Evernote seems to be falling behind here in functionality that seemingly isn't that hard to implement. Evernote could require the entire note to be encrypted when there are images which is very acceptable to me and that may make it easier for Evernote to implement it in a first release, Thanks for your consideration. I really like Evernote and I don't want to be slowly moving away for better security. Thanks, Dave

Razors edge for me in that what is encrypted can't be searched unless EN makes the changes required. 

However, if you are comfortable with EN's encryption at rest on their servers, you can use VeraCrypt or the like to encrypt your data base locally and still have the power of search.  Mobile devices would still be an issue.

[DTLow 5,736]

2 hours ago, CalS said:

However, if you are comfortable with EN's encryption at rest on their servers, you can use VeraCrypt or the like to encrypt your data base locally and still have the power of search.  Mobile devices would still be an issue.

I'm using the Mac equivalent (FileVault) and I think my IOS devices are secure.

This leaves the data on the servers.  I do apreciate the encryption-at-rest.
It's not a high concern for me - I protect my sensitive data with external encryption.

[David Dibert 5]

Thanks.  Encryption of data at rest provides little protection against intrusions.    Evernote should be able to some how implement a zero-knowledge encryption with Apps on Mobile and Desktop to decrypt.  Then even if an Evernote server or account would be compromised, or a laptop/cell stolen, the user data would still be protected by encryption.  

My original request to Evernote was full encryption of a note, including images.  I guess my second request is to add to that is zero-knowledge encryption.  I would like to know Evernote is going in that direction and I think other users would too.  There are all kinds of workarounds to do this on Evernote, but all of them are really workarounds and also take the user away from Evernote, not attract them to use Evernote for secure notes.  Hopefully Evernote can provide a solution to attract users that want better security.  I don't use Evernote for things I need to be kept very secure for this reason.

BTW, The directly support is great for new users and informational type questions, but really bad at getting any feedback into Evernote or receiving an acknowledgement. 

[DTLow 5,736]

6 minutes ago, David Dibert said:

BTW, The directly support is great for new users and informational type questions, but really bad at getting any feedback into Evernote or receiving an acknowledgement.

This is more a user discussion forum
You can contact Evermote Support at
All Accounts      Twitter @evernotehelps    
Paid Accounts   Contact Evernote Support 

[jefito 5,589]

5 minutes ago, David Dibert said:

BTW, The directly support is great for new users and informational type questions, but really bad at getting any feedback into Evernote or receiving an acknowledgement. 

Not really designed for that; Directly support isn't staffed by Evernote employees.

Posting here in the forums is fine for raising issues with Evernote; they read them all. Feedback / acknowledgement is not guaranteed, though. And plans for Evernote's future development directions may or may not be revealed.

[mprogram 19]

The CEO stated in this interview that they wanted to offer full-note encryption, but that was over a year ago. It's probably a lot easier said than done.

[GrumpyMonkey 4,319]

6 hours ago, mprogram said:

The CEO stated in this interview that they wanted to offer full-note encryption, but that was over a year ago. It's probably a lot easier said than done.

and, the ceo before him promised “sexy” encryption.

the engineers at evernote are probably some of the best in silicon valley (judging by evernote’s reputation, the ones i have met, and their excellent product). i suspect it is more about lack of interest in seeing it happen. apple notes has it. onenote has it. devonthink has it. there is even a third-party plugin for evernote that has it. the only people without encryption for an entire note (at the very bottom level) is evernote. 

whatever the reason, i hope they sort it out.

[David Dibert 5]

Thanks.  Just hoping that someone would see something here is not the UX I was hoping for, but thanks for the insight.  I already created a ticket and was routed here, so I've come in full circle.  I'll use my other solution when I need secure notes.   You can close this out.  Thanks again.

[LCB23 0]

Just want to ask for an update re: the whole note encryption. What's the word? 

Does the "Work Chat" feature have end-to-end encryption like WhatsApp? I can't find any info on this on the support website. 

[gazumped 11,652]

21 hours ago, LCB23 said:

Just want to ask for an update re: the whole note encryption. What's the word?

The word currently,  is "No",  but some fairly major looking new features are expected soon...

[ehinkle 0]

I agree, evernote should give use the ability to encrypt an entire notebook so anything placed in that notebook will be encrypted. That is one of the reasons I stay with evernote is I can capture whatever and place it in a notebook. So if I can capture sensitive information that only I have the secrets to, that would be great. OneNote currently offers this and is what i use for storing medical information, but I would like to keep it all in evernote. I am a premium subscriber and think that should be an added feature for premium subscribers. As for searchiing encrypted notes, I think you should not be able to search them while searching all the other non-encrypted notebooks, but if I log into the encrypted notebook I should be able to search within that encrypted notebook.

[DTLow 5,736]

24 minutes ago, ehinkle said:

So if I can capture sensitive information that only I have the secrets to, that would be great.

fwiw   My sensitive data is stored in Evernote, encrypted.
I use the native encryption built-in to attachment files; pdfs and office/iwork documents, ...

[jaykob 3]

I don't have high hopes of seeing encryption for a complete notebook coming anytime soon to Evernote, but I want to support the idea nonetheless.

I would give up Evernote Web without any hesitation if I know, my notes are completely and always encrypted when leaving my devices.

[jefito 5,589]

13 minutes ago, jaykob said:

I would give up Evernote Web without any hesitation if I know, my notes are completely and always encrypted when leaving my devices.

As far as I know, Evernote data is encrypted between the Windows client (or those of on other OS's) and the Evernote service. Evernote doesn't send your data unencrypted over the wire. See https://evernote.com/security.

That being said, Evernote data is stored unencrypted in your local cache of note data (e.g., your .exb database file). Whether that leaves your machine is a different matter; If you back it up unencrypted onto another medium, then it's a potential attack surface.

[jaykob 3]

11 minutes ago, jefito said:

As far as I know, Evernote data is encrypted between the Windows client (or those of on other OS's) and the Evernote service. Evernote doesn't send your data unencrypted over the wire. See https://evernote.com/security.

That being said, Evernote data is stored unencrypted in your local cache of note data (e.g., your .exb database file). Whether that leaves your machine is a different matter; If you back it up unencrypted onto another medium, then it's a potential attack surface.

appreciate the quick response, but that's not what I said (edit: meant). I know there's encryption for transport, but what I meant with "completely and always encrypted" was end-to-end encryption. Also, with "leaving my devices" I meant via Evernote; I know that there are other means for taking data from a device - should have been more precise here, sorry.

[eric99 978]

On 4/3/2018 at 4:42 PM, GrumpyMonkey said:

I think I may have been requesting encryption for several years now, with various levels of urgency, but Evernote has not adopted the suggestion for some reason. I'd be interested to know why. As I've mentioned before, competitors have managed it, so it's technically feasible. Where there's a will, there's a way.

Which competitors have this, and do they still have an on-line search capability?

[DTLow 5,736]

10 minutes ago, eric99 said:

Which competitors have this, and do they still have an on-line search capability?

On-Line (internet?) search is difficult if you want full encryption.

I know with Evernote, we lose search functionality with encrypted data.

[alexpc 0]

I use Evernote since the beginning. Recently I was aware Evernote redesigned the iOs apps but not a single improvement in security or encryption. I'm tired waiting and being in compromise because Evernote thinks we need better looking apps with poor security. For example, apple iCloud doesn't end to end encrypt backups on iOs, so all my offline notes are ready to read for anyone who could get access to this backups. I stopped backing to iCloud and now I'll stop using Evernote. I'm an unsatisfied premium user who will exit for good. I'm looking for alternatives to migrate my 7000 notes to. End to end encryption, "not your keys not your data" is a must for me. So goodbye, I waited too much and risked too much now waiting in vain. 

[Wanderling Reborn 185]

I keep my sensitive notes in OneDrive encrypted with Cryptomator. (Can be any location, I just happened to have O365).

After Equifax, I don’t trust any single company to keep my data safe. Unless it’s zero knowledge encryption, I assume f’ups will happen. The question isn’t “if” but “when”.

Even Cryptomator is not a 100% guarantee. But at least, it’s far less likely that the same nefarious actors will have access to both Evernote servers and Cryptomator exploits.

[DTLow 5,736]

19 hours ago, Wanderling Reborn said:

keep my sensitive notes in OneDrive encrypted with Cryptomator. (Ca n be any location, I just happened to have O365).

There are many external options to encrypt data    
After encryption, I store the data in Evernote as file attachments to notes

[eric99 978]

I fully agree, I use encrypted pdf, which keeps my note encryption platform agnostic. In the note I can still add some keywords are tags for searching

[DTLow 5,736]

1 minute ago, eric99 said:

I fully agree,, I use pdf encryption, which keeps my note encryption platform agnostic.

There's also native encryption for MS Office and Apple iWork documents

[Wanderling Reborn 185]

20 hours ago, DTLow said:

There are many external options to encrypt data    
After encryption, I store the data in Evernote as file attachments to notes

The reason I don’t store it in EN or ON is that there’s just fewer extra steps required when working with this data.

Also, I can still have it indexed and searched using DocFetcher, with index residing inside the same encrypted container, so it’s only accessible when this container is mounted.

 

 

[David Dibert 5]

I would like to see full end-to-end encryption without using an third party tool.  That is, even the Evernote servers never see a note unencrypted and cannot decrypt it even if they wanted to.   If there are restrictions, that's fine too, like only allowing end-to-end encryption for the entire the note.   Apps like Cisco Webex, Telegram, pCloud, and even WhatsApp can support end-to-end encryption, so why not Evernote?

[PinkElephant 8,068]

WhatsApp is not really safe, because the keys are issued by WA. WA can any day silently remove the current key set for any user and replace it by another. The traffic would still be end-to-end encrypted, but law enforcement officials could read everything as man-in-the-middle.

This true for all other services that generate the keys that are later used.

Especially all Services located in the US can be forced to give access to authorities and at the same time not to disclose it. The same is probably true for a number of other countries in the western world ( not talking about others, where the censorship board sits practically as a department inside of such companies).

A better level of privacy can only be found when the encryption is done with another tool than the storage or transmission. The best level is reached when the tool is open source, secured by a hash fingerprint to prevent code tampering and analyzed by independent NGO experts. The use will not be as smooth, but this encryption should withstand any backdoors.

IMHO it is completely futil to believe any encryption offered by EN (as an US company) would be free of the backdoors they are legally forced to built into it. Even Apple did silently move away from really setting up zero knowledge for iCloud (and all related services), because they would probably have been publicly forced to implement government access, causing even greater damage to the privacy reputation.

[CalS 5,280]

2 hours ago, Wanderling Reborn said:

The reason I don’t store it in EN or ON is that there’s just fewer extra steps required when working with this data.

Also, I can still have it indexed and searched using DocFetcher, with index residing inside the same encrypted container, so it’s only accessible when this container is mounted.

Out of interest.  Assuming you have the container on a local drive either internal or attached, when the container is opened/mounted what is the status of the files on the cloud server?  Are they static until you dismount the container on the local drive and then all updates are processed?  Just wondering.  I use VeraCrypt and I don't think anything is synced to the cloud drive until the container is dismounted.  Downside with VeraCrypt is you have to set a file size when you create the container.  Not onerous but a PITA if you misjudge.