Encrypt text in notes

[2Wheeler 0]

I use EN to store passwords and other secure text and need to encrypt it to keep it secure.  I can do this easily on my desktop PC but can’t do it online or on my iPad.  If I type a password into a note on my iPad, I have to remember to go into my desktop EN and encrypt the text.  This is very annoying and time-consuming.  When is EN going to make it possible to encrypt online and on the iPad?

[agsteele 2,933]

Evernote encryption is not designed to protect passwords etc. It is a desktop feature only.

For passwords use an external password manager. So do not use Evernote. You can encrypt an external document, either with a native program such as Word or use an encryption program - I use AxCrypt. These fully encrypt the document. Encrypting with Evernote means the original unencrypted content is initially saved to the servers unencrypted.

[gazumped 11,639]

I totally agree that Evernote is not good for password management.  I use a browser add-in BitWarden which can generate randomised passwords up to 128 characters,  check that you're not using the same password twice,  help log you in to any browser page with any level of security and maintain a secure text note for each entry in case you have more information to keep secure.  There are dozens of apps around that will provide similar features - a quick internet search will give you a run-down of what's available!

[2Wheeler 0]

Encryption in EN works very well for text in notes on desktop PC.  Why should I have to use an external program when I want to encrypt text in EN when working on my iPad?  Why doesn't EN provide the same encryption tools on the iPad on in EN online as it does on desktop EN? 

[agsteele 2,933]

When you encrypt on the desktop your text is initially being saved as plain text. So the initial copy is saved on the servers without encryption.

You subsequently encrypt but, still, the unencrypted version remains on the servers for sometime.  Hence it is very unwise to use the built in Evernote encryption for anything other obscuring a note to prying eyes over your shoulder. That's why it isn't recommended for protection of passwords.

Using an external program to encrypt is much safer. It encrypts the original on your device (computer, iPad etc) then you attach the encrypted file into a note so the plain text is never synchronised to the cloud. You can then open that encrypted document on any device that supports the original software and it works across devices. So that is a work around which will provide a means to achieve what you desire by a different approach. An external encryption program also overcomes the many other limitations of Evernote's native encryption. You can encrypt bullet lists, formatted text, tables and the like. None of these are possible inside Evernote.

I can't tell you why mobile devices don't have the same Evernote encryption options as the desktop. There will be some technical reasons I am sure. To find out why you would have to ask Evernote technical support via a ticket.

External encrytion applications you could consider include AxCrypt and Saferoom (via the app stores which integrates with Evernote).

Password managers to commened include: NordPass, LastPass, KeePassXC and many others you could locate with a search.

[eric99 978]

37 minutes ago, agsteele said:

When you encrypt on the desktop your text is initially being saved as plain text. So the initial copy is saved on the servers without encryption.

You can easily solve that by unplugging the  network before typing and encrypting your sensitive data. Once encrypted, you may reconnect again.

Of course, EN could handle this much more secure but they have other priorities I'm afraid...

[gazumped 11,639]

3 minutes ago, eric99 said:

You can easily solve that by unplugging the  network before typing and encrypting your sensitive data. Once encrypted, you may reconnect again.

Easy for one entry,  a but of a pain for several...  and wouldn't Evernote still retain the first unencrypted version  of the note in Note History once it was all synced up?

[agsteele 2,933]

4 minutes ago, eric99 said:

You can easily solve that by unplugging the  network before typing and encrypting your sensitive data. Once encrypted, you may reconnect again.

That seems to be just as much hassle as using an external program but if it does the job then all good...

[gazumped 11,639]

-And on the general topic;  if anyone wishes to use Evernote for passwords,  they are,  of course, quite free to do so.  I doubt that Evernote will ever see fit to improve their support for password entry though,  since there are literally dozens of competitors in that precise area,  all of whom have some level of free service.

[eric99 978]

1 minute ago, gazumped said:

Easy for one entry,  a but of a pain for several...  and wouldn't Evernote still retain the first unencrypted version  of the note in Note History once it was all synced up?

No, I tested that already, I've never seen that. I think note history  is handled always at the server site...

[gazumped 11,639]

Just now, eric99 said:

I think note history  is handled always at the server site...

True - it's a system snapshot rather than a note-by-note thing.  I sit corrected...☺️

[eric99 978]

33 minutes ago, agsteele said:

That seems to be just as much hassle as using an external program but if it does the job then all good...

Yeah,  my message is, if you like to use EN encryption, you need to disconnect your network during creation, otherwise it gives a false sense of security

[eric99 978]

Another problem with EN encryption is that you"re locking yourself into Evernote. Other note taking apps don't know how to decrypt your data. This isn't a problem with standardized external program encryption ( word, pdf ...) .

[Boot17 1,439]

Can you not just encrypt some dummy text (that would be saved in note history unencrypted) and then after encrypting the dummy text, you change it's content -- like this?

 

[eric99 978]

56 minutes ago, Boot17 said:

Can you not just encrypt some dummy text (that would be saved in note history unencrypted) and then after encrypting the dummy text, you change it's content -- like this?

 

yes, this works as well!

Actually,  the GUI should enforce such workflow as you describe:

1. The user opens the encryption box (without text selection)

2. The user enters the text

3. The EN client  encrypts the text  before syncing

 

Encryption of selected text is unsafe and should be impossible

 

[gazumped 11,639]

1 hour ago, eric99 said:

Encryption of selected text is unsafe...

Only if someone gains access to your account,  can find a precise note,  and step it back to the date on which you had unencrypted text.  Also I tend to use encrypted PDFs which are secure before they get added to notes.

[PinkElephant 8,048]

I think we can all agree that the EN encryption function has its positive aspects, and limitations. In fact these limitations apply to most cloud services. When you upload before you encrypt, you always have that problem that cloud services may already have made a temporary or permanent copy of the unencrypted content, before the user can interact.

This is why solutions like Boxcryptor encrypt everything before it is uploaded, and decrypts on device and not on server.

EN uses industry standard encryption - but this is obviously not enough when a function like note history makes everything recoverable from safety images.

[2Wheeler 0]

Based on the answers I received, l am puzzled and disappointed.  There is desktop encryption for selected text and I assumed, apparently wrongly, that this encryption securely protects it from being read by anyone, inside or outside of Evernote.  I have seen no notices in Evernote to the contrary.  I have used Evernote encryption to encrypt not only passwords, but also private personal information for the last couple of years, again wrongly assuming those encryptions securely protect them.  One answer declared :  “…Everyone knows Evernote encryption is only useful to protect against someone looking over your shoulder from reading it.”  If Evernote’s encryption is that insecure, there ought to be warnings to that effect to users.  I am truly disappointed in such lack of attention to detail by Evernote developers and I wonder what other defects are hidden in its functions.

[PinkElephant 8,048]

When you use a function, you should inform yourself about what it does, and what it doesn’t.

The forum is user2user, so we give opinions here, not official statements. If you want an official statement, ask EN support.

Some facts: We (the users) have warned often in this forum against using EN to store ANY PASSWORDS. You hear us: NO PASSWORDS. Use an app that is build to store and assist with passwords. There are plenty, free and paid, locally hosted or cloud based, integrated into browsers and OS, or in addition.

We have warned as well (you don’t mention it, just for completeness) against storing any cryptocurrency information. NO CRYPTO INFORMATION in EN, NEVER. The only secure place to store crypto keys is a cold wallet, physically disconnected from any network and safely stored away.

Since EN will only encrypt plain text (even no formatting allowed), the usefulness of this encryption feature is limited anyhow. It is not possible to encrypt any attachments or complex text. So we propose to use an external encryption program to encrypt the content, and only store it as an encrypted file into EN. Simple encryption is available for office documents and pdfs, or for all sort of files through „zipping“ it with encryption enabled (ZIP, RAR). You can as well create an encrypted image file (ISO).

By principle no encryption offered by the same provider as the storage will safely protect you. EN encrypts everything in storage anyhow, so all data is encrypted on the server, and by a different method during transfer. But of course EN holds the keys. They need to, to do OCR, search indexing and other useful operations. EN says they don’t hold the key to the encrypted text snippets (and can’t help in recovering any of it). I think this is true, but it boils down to a question of trust if you base your action on this statement.

If note history compromises the encryption depends on your own handling of the note: When you create the note fresh and encrypt before you close it, I doubt there will be a note history saved. But if it is created and saved, and later opened and (partially) encrypted, a note history will likely reflect the content that has been in the note before encryption.

This is just an aspect of a general rule: Only if the encryption is done independently from the storage service, you have a good chance it will never be compromised - even if something goes wrong with the cloud storage.

[Boot17 1,439]

1 hour ago, 2Wheeler said:

There is desktop encryption for selected text and I assumed, apparently wrongly, that this encryption securely protects it from being read by anyone, inside or outside of Evernote.

It does protect that text on *that* specific note from being read by anyone. But if you encrypt the plain text after the plain text was already synced to the server then there is also a copy of your note when it had just plain text as part of the note history feature. That's why I suggested putting in random "asdf" text, encrypt that, and then change it inside the encrypted part of the note.

[2Wheeler 0]

Of all the replies,  Boot17’s is the most helpful since it is minimally inconvenient and, unless I am missing something, provides the encryption security I am seeking.  Replies from other forum members seem to blame me for the shortcomings of the encryption tool and/or recommend alternatives that require significant effort using external encryption tools.  I get that no encryption method is completely secure and that users need to be aware of the limitations of whatever method they use.  My point is that Evernote should (and should have from the beginning) informed users of the limitations of its encryption which have been pointed out by forum members, and should have suggested the workaround in Byte17’s reply.

[Boot17 1,439]

On 9/13/2022 at 8:02 AM, 2Wheeler said:

When is EN going to make it possible to encrypt online and on the iPad?

FWIW - you can create a templated "encrypted block text" note on Desktop Evernote. Then on the iPad you can copy that encrypted block text into a different note and modify the copied encrypted block. So you can copy and modify an encrypted text block on iPad, but you can't create a new one from scratch.

[2Wheeler 0]

Thanks for this practical and minimally obtrusive iPad encryption workaround.