Forevergreen 0 Posted July 23, 2019
I want to use AutoHotkey scripts to access sensitive web sites such as banking. Evernote stores these scripts in an insecure folder (Evernotes/Databases/Attachments). If I delete the scripts from this folder they return when I next access them in Evernote (so they must be stored within Evernote). How can I store scripts securely in Evernote?

Level 5* gazumped 12,224 Posted July 23, 2019
Hi. If you store scripts in Evernote you will have access to 'standard' Evernote security - AFAIK there are no upgrades or hacks available. Is it possible to store your scripts on your desktop and activate them via a link stored in Evernote?

dcon 166 Posted July 31, 2019
On 7/23/2019 at 12:25 AM, Forevergreen said:
> Evernote stores these scripts in an insecure folder (Evernotes/Databases/Attachments).

Actually, they're not stored there. They're stored in the database (the `.exb` file). In order to run/edit/etc. an attachment, it must first be stored in a location where it can be accessed. That's what the Attachments are. Anything in there can be safely deleted when EN is not running.

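Added example (not part of the thread and not Evernote's own code): a Python sketch of the housekeeping dcon describes, listing the copies left in the Attachments folder and clearing them only while the client is closed. The process image name `Evernote.exe`, the extension list and the function names are assumptions; the folder path is supplied by the caller.

```python
import subprocess
import time
from pathlib import Path

# Extensions flagged as likely to hold credentials or automation (constructed list).
SENSITIVE_EXT = {".ahk", ".bat", ".cmd", ".ps1", ".vbs", ".kdbx"}


def evernote_running(image_name="Evernote.exe"):
    """Ask Windows tasklist whether the client is running (image name is an assumption)."""
    out = subprocess.run(
        ["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/NH"],
        capture_output=True, text=True, check=False,
    ).stdout
    return image_name.lower() in out.lower()


def audit(attach_dir, now=None):
    """List leftover copies as (relative path, bytes, age in hours, flagged?)."""
    now = time.time() if now is None else now
    rows = []
    for p in sorted(Path(attach_dir).rglob("*")):
        if p.is_file():
            st = p.stat()
            rows.append((p.relative_to(attach_dir).as_posix(), st.st_size,
                         round((now - st.st_mtime) / 3600, 1),
                         p.suffix.lower() in SENSITIVE_EXT))
    return rows


def purge(attach_dir, is_running=evernote_running):
    """Delete the leftover copies, refusing while the client is open.

    This is an ordinary delete, not a secure wipe, and it does not touch
    the copy held inside the .exb database.
    """
    if is_running():
        raise RuntimeError("Evernote is running; close it before clearing Attachments")
    removed = []
    for rel, _size, _age, _flagged in audit(attach_dir):
        (Path(attach_dir) / rel).unlink()
        removed.append(rel)
    return removed


if __name__ == "__main__":
    import sys
    for row in audit(sys.argv[1]):  # argument: path to the Attachments folder
        print(row)
```
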
nevergreen 0 Posted August 1, 2019
Thank you for your reply. I understand that Evernote stores scripts in the database but when accessed they are written to an insecure folder which is a major security issue which I haven't seen warnings about in any documentation. Evernote should write these to a temporary location then immediately securely delete them after access. I think it should be made clear to all users that using attachments is not secure.

To reply to your post I had to create a new account as I was unable to log in as "Forevergreen". Whatever I tried I was taken to the registration page.

Level 5* gazumped 12,224 Posted August 2, 2019
On 8/1/2019 at 4:38 AM, nevergreen said:
> Thank you for your reply. I understand that Evernote stores scripts in the database but when accessed they are written to an insecure folder which is a major security issue which I haven't seen warnings about in any documentation. Evernote should write these to a temporary location then immediately securely delete them after access. I think it should be made clear to all users that using attachments is not secure. To reply to your post I had to create a new account as I was unable to log in as "Forevergreen". Whatever I tried I was taken to the registration page.

It's a fundamental part of the way Windows actually works that scripts are only accessible from a stand-alone file on the hard drive. Not sure that it is Evernote's responsibility to point out to users that confidential data in a Note will be copied (in identical format) into a folder to allow third-party utilities to access it. Additionally third party apps don't uniformly 'unlock' data to which they've required access so that Evernote even knows that processing has completed. It is simply not possible to auto-delete what's in the Attachments folder securely or otherwise.

I access sites with links from Evernote to a log-in page, and log in via a browser app password-protection utility called Bitwarden (many others are available). Automation beyond logging into the site landing page is inherently insecure - but several steps outside Evernote's ability to control the security of any activity.

Level 5 PinkElephant 9,015 Posted August 2, 2019
Everybody working on a Windows PC should be warned that the security of all data depends on the security of the PC itself. Because moving data between applications may and will create temporary duplicates, and because convenience requested by the users creates even more duplicate information, there is no local security of data on a PC. This has nothing to do with EN.

In general, EN is not meant to store sensitive data, like banking codes, account and password access codes etc. For such information, there are other services that will encrypt everything right on the device, and will allow the decrypted copy to only exist in a shielded enclave in the RAM, and only temporarily.

Who does not understand this anyhow would probably not understand a warning telling exactly this - be it for a lack of basic knowledge or for not being interested in his own data security.

nevergreen 0 Posted August 3, 2019
Thanks for the informative replies. I now understand the reasons for the lack of security accessing some attachments and will find another way. I still believe that it would be useful to advise those, like me, who are not experts in security of this. I think the Evernote marketing department would be interested to learn that "In general, EN is not meant to store sensitive data"! Thanks again for the information.

nevergreen 0 Posted August 3, 2019
I was quoting "PinkElephant" in a previous post. I suggest that you read the entire thread.

Level 5* DTLow 5,749 Posted August 3, 2019
On 8/2/2019 at 2:18 PM, PinkElephant said:
> In general, EN is not meant to store sensitive data ...

I store "sensitive data" in Evernote, but I make sure it's protected with encryption. In general, EN data is not encrypted; but there is a text encryption feature. I also make use of the native encryption of attachments; pdfs, office/iWork documents, ...

>>And it will not work at all if the sync is faster than you

Agreed, encryption should be executed in a local notebook, or external from the Evernote sync process.

Level 5 PinkElephant 9,015 Posted August 4, 2019
Sure you can build around the open structure of EN by using text encryption. IMHO it is better to use tools prepared for the job to do the job.

On tools prepared for this, you first open a secure environment, and then start to add or modify your data inside. When you leave, encryption is done by default. And the memory will be wiped of all short term residue created by the operation. Even when you forget, and the app closes all by itself, security will be assured.

With EN, you first open a non-secured app. One that will start to sync to a cloud service no matter if you had the intention to encrypt before. And an app that to my knowledge has no internal means to wipe the used RAM when closing, or being closed by time-out.

Yes, it is possible to encrypt the text of a note. For me, this is only the smaller part of the answer. And it will not work at all if the sync is faster than you, or you forget about security procedures for whatever reason. For these reasons, I regard EN as being unsafe for confidential information.

Level 5* DTLow 5,749 Posted August 4, 2019
20 minutes ago, PinkElephant said:
> IMHO it is better to use tools prepared for the job to do the job. On tools prepared for this, you first open a secure environment, and then start to add or modify your data inside. When you leave, encryption is done by default. And the memory will be wiped of all short term residue created by the operation. Even when you forget, and the app closes all by itself, security will be assured.

Can you recommend any apps for this? The apps I'm using don't have this level of security. I'm still ok with storing the encrypted file in Evernote.

Level 5 PinkElephant 9,015 Posted August 5, 2019
For my use it is 1Password. It offers a document type called "secure notes". There you can save text plus pictures as attachments (maybe other files as well, have not tested it on the Mac and am currently traveling iPad only).

1PW operates as I expect it for secure storage: It opens only with PW or face / touch ID. Everything stored is encrypted right on the device. Unencrypted data is never leaving the device. It syncs only encrypted data, and the unencrypt only takes place on an authorized device. When a time-out happens, it will reopen asking again for the PW or face / touch ID. It works like this under iOS and on the Mac.

It sure is built around all types of structured account / password / banking data. But the secure notes feature allows as well the storage of unstructured notes.

Level 5* CalS 5,311 Posted August 5, 2019
23 hours ago, DTLow said:
> Can you recommend any apps for this?

May or may not be an exact fit but VeraCrypt creates encrypted containers, folders or partitions, where you can store whatever. I use it to enable cloud backups of sensitive data. I created a 2GB container on my PC to house multiple folders; logically the container is simply a logical drive. After signing in to VeraCrypt and mounting the "volume" I chose for it to appear as the M: drive. I do whatever in any of the folders, and then dismount/sign out and the encrypted container gets synced to the cloud. There are options to auto close. FWIW.

This topic is now archived and is closed to further replies.