Storing Sensitive Documents in Evernote


How does everyone feel about storing sensitive documents in Evernote, such as tax returns and similar things? I obviously use a long, high-entropy, unique password on my account along with TOTP 2FA. I'm hesitant to store anything too sensitive, particularly after lessons learned from the major breach over at LastPass. I keep my sensitive documents local and backed up encrypted offsite.

I'm curious about EN's security track record and how comfortable long-time users feel with storing important and sensitive documents on the platform. I'm using EN not just for note-taking but for the powerful document management capabilities.

Thanks.

Link to comment

I mostly trust Evernote's security and so I put some semi-sensitive data in there, but never PII unless I also encrypt those documents/attachments with 7-Zip or VeraCrypt first. There is also the encrypted text block that I use for some things that are a little bit more than semi-sensitive that are just text.

Link to comment
1 minute ago, Boot17 said:

I mostly trust Evernote's security and so I put some semi-sensitive data in there, but never PII unless I also encrypt those documents/attachments with 7-Zip or VeraCrypt first. There is also the encrypted text block that I use for some things that are a little bit more than semi-sensitive that are just text.

I'm hesitant as well. I use Cryptomator and keep another copy of my tax stuff on OneDrive but in the Cryptomator vault. I guess my feeling about not keeping that kind of stuff in Evernote was right.

Link to comment
  • Level 5

I doubt any hacker is interested in your banking slips or that you paid your taxes. What do you worry about?

Stuff like crypto keys or passwords should never be stored in a service like EN.

My account security is pretty tight, but that’s it.

Link to comment
33 minutes ago, PinkElephant said:

I doubt any hacker is interested in your banking slips or that you paid your taxes. What do you worry about?

Stuff like crypto keys or passwords should never be stored in a service like EN.

My account security is pretty tight, but that’s it.

LOL

Link to comment
  • Level 5

No, it means you have nothing to say:

https://discussion.evernote.com/guidelines/

At least here in the forum, that’s the definition of LOL. Because LOLing without any meaningful contributions makes forum threads hard to read and understand. You can be enthusiastic or amused, and all that is asked for is to share the reason why you are in that mood.

Link to comment
  • Level 5*

Back to the OP’s question, I’m uncomfortable storing anything that I consider sensitive in Evernote unencrypted. Mostly, I will attach encrypted PDFs, which work, but I would also prefer an integrated solution. I really miss local notebooks. For me that was the perfect solution. Anything sensitive just stayed off the cloud and I was responsible for its security, but that is not coming back. Next best would be if they implemented zero-knowledge encryption, but I don’t see that happening either, so I use encrypted PDFs and occasionally encrypted text blocks.

Link to comment

Some of my notes contain business confidential information; the local notes feature is the main reason that I have continued to use Legacy. If I were to upgrade to v10, is there a way to tell EN to *not* sync a notebook to other devices? I don't need or want to access these notes from anywhere else. I do have synced notebooks with less sensitive content that I'd like to continue to sync, just not these local notebooks.

Link to comment

"Some of my notes contain business confidential information"

W.A.,

I'm wondering, confidential information from your own business or that of someone else?  In case you're not aware, it appears to me that storing confidential information that belongs to others is outside of the Evernote Terms of Service as summarized in the User Guidelines.  (I'm not a lawyer, so this is an amateur's read of the text.)  I deal with information subject to nondisclosure agreements myself pretty regularly, so this is something I happen to be aware of and have to think about.  Here is the text from the User Guidelines dated July 21, 2021:

  • "This also means you shouldn’t upload, post or otherwise transmit any Content that you don’t have a right to transmit under any law or under contractual or fiduciary relationships (e.g., inside information, confidential information learned or disclosed as part of employment relationships or under nondisclosure agreements)."

I will sometimes manage this by putting a link to a file in Evernote rather than the file itself.  The file lives in a password protected location so someone else with the link can't open it.  It's not a perfect solution (Evernote can't search the contents of the file, for instance) but it mostly works for me.

Others here are much more qualified to answer your question about whether you can tell Evernote not to sync part of your database in v10. I >think< the answer is "no", but I could be wrong.

Vinnie

Link to comment
  • Level 5

For those operating under GDPR (European data protection): It is no problem to sign a Data Processing Agreement with EN. Support can help with it.

This signed plus state of the art account security (which means a strong password plus 2FA enabled), and normal business data can be stored and handled in EN, operating under GDPR rules.

So at least for European professional users, there is a legally viable way to use an EN account in a business environment. This is not linked to a specific plan, although I think anybody with a professional use case should be on a subscription.

Link to comment

I understand.  I myself have decided to not put tax files in Evernote because my SSN is all over them and, for me, password protecting files is more overhead than I want to manage.   I know plenty of people who do store them in Evernote, though - some password protected and / or encrypted and some not.  I don't know anyone who has actually had a problem, whatever approach they take.  

(For readers here who are not US citizens, US social security numbers are really helpful to identity thieves.)

Vinnie

Link to comment
21 minutes ago, VincentC said:

I understand.  I myself have decided to not put tax files in Evernote because my SSN is all over them and, for me, password protecting files is more overhead than I want to manage.   I know plenty of people who do store them in Evernote, though - some password protected and / or encrypted and some not.  I don't know anyone who has actually had a problem, whatever approach they take.  

(For readers here who are not US citizens, US social security numbers are really helpful to identity thieves.)

Vinnie

Someone would have to break into Evernote's systems and get their encryption keys and then decrypt the disk that stores your database. It happened at LastPass, but they did a lot of things wrong. Their engineers were using their personal computers for work, and hackers got in using a vulnerability in an employee's Plex Media Server. It was really egregious, and one would hope this could never happen at Evernote. With a strong password and MFA, an account breach would be highly unlikely. Granted, anything with an SSN on it stored in the cloud should have some encryption defined by the user, just as best practice.

Link to comment
