Encrypt Photo in a note?

[TigerMe 1]

Can you encrypt a photo in a note? If so, how?

[BurgersNFries 2,407]

EN only allows text encryption. You can use a third party app to encrypt the image and then drop it into EN.

[TigerMe 1]

I hope they bring this feature into the service.

[BurgersNFries 2,407]

I'd guess if they ever do, it's really, really low on the priority list.

[TigerMe 1]

That's a shame because as it is now the scenario is broken. I can't encrypt a note itself but for some reason text. Seems random.

[BurgersNFries 2,407]

That's a shame because as it is now the scenario is broken. I can't encrypt a note itself but for some reason text. Seems random.

I have to say I have no idea what this means. EN does allow you to encrypt text. You cannot encrypt a note by simply saying "encrypt note". But you can select the text within a note & encrypt it. There are (or used to be) apps that allowed you to encrypt images. There are apps that allow you encrypt PDFs. You can put those encrypted files in EN. But EN itself does not encrypt PDFs, images, etc. Only text.

[brentpeters 4]

Would like to see this feature as well.

[gazumped 11,652]

You can drop a photo into a PDF file and then encrypt that file as above; or just password-protect it to show the file as an icon, not a picture. Or change the file type from JPG to XXX (forinstance) and it shows up as an icon only. Restore the correct suffix to see the image.

[Owyn 457]

You can drop a photo into a PDF file and then encrypt that file as above; or just password-protect it to show the file as an icon, not a picture. Or change the file type from JPG to XXX (forinstance) and it shows up as an icon only. Restore the correct suffix to see the image.

Or right-click open with an image editor. Most of them are smart enough to decode by file header, not, just the file extension.

[gazumped 11,652]

Or - keep the image file on your local hard drive (no remote cross-platform possibilities here) and set up a link from your note to the file. Just discovered - probably should have remembered - that "file:///" (without, obviously, the quotes) and the path works quite well. Plus a hyperlink is text, so you can encrypt that if you want.

[wipes brow, tucks subconscious geek into bed, turns out light]

[Blind_Fly_Theater 0]

I'd also like to see photo encryption... I make lots of photo notes of personal papers (ie Tax Returns).

Using a non-Evernote-approved 3rd party app is less secure IMHO than just putting it in EN un-encrypted (not to mention inconvenient)

Love you Evernote... Just a request

[keo 0]

I'd love to see this as well.

 

Encrypting text only in an app that can store much more type of data doesn't make much sense.

 

The best would be to kepp an entire note encrypted, as it is, together with attahcments and everything.

[gazumped 11,652]

Hi @keo - welcome to the forums.  If you have a search around,  there's been endless discussion about whether,  what and how to secure stuff.  It is possible to user-encrypt anything,  and/or to local-only store it if you prefer to keep stuff off other peoples' servers entirely.  End of the day,  Evernote don't do predictions or publish route maps,  so you'll just have to wait and see with the rest of us...

[Grant837 110]

I too would like to see this, as its not consistent to offer encryption and then not allow all types of content to be protected that way.  This especially in light of the related solutions that offer to manage your personal and business receipts, travel documents and itineraries, etc... lots of 'identity theft'  potential, and given the recent attack on Evernotes security, the criminals out there know that too...

 

I dont like using all the work arounds mentioned as that defeats part of the value of Evernote, that you can easily, in one tool, collect, store, search and review your data.

[gazumped 11,652]

I too would like to see this, as its not consistent to offer encryption and then not allow all types of content to be protected that way.  This especially in light of the related solutions that offer to manage your personal and business receipts, travel documents and itineraries, etc... lots of 'identity theft'  potential, and given the recent attack on Evernotes security, the criminals out there know that too...

 

I dont like using all the work arounds mentioned as that defeats part of the value of Evernote, that you can easily, in one tool, collect, store, search and review your data.

 

If you don't use a workaround,  and Evernote doesn't do what you want,  I think that defeats the value of Evernote full stop.  No-one's saying that this shouldn't be available - Evernote is reviewing its security protections as we speak,  so you might be pleasantly surprised.  Just that until the guys get around to adding this,  you have limited (but still effective) options.

[BurgersNFries 2,407]

I dont like using all the work arounds mentioned as that defeats part of the value of Evernote, that you can easily, in one tool, collect, store, search and review your data.

 

Hardly.  You can easily store encrypted PDFs in Evernote. They won't be searchable.  But no notes (including EN's own encryption) that are truly & securely encrypted will be.  And you wouldn't want the encrypted parts to be.  Otherwise, that means someone (IE Evernote's indexer at the very least) can view them.

[cwb 225]

From a UI perspective I think it's more disruptive that inserting an image or other attachment into a note in a desktop client means that you can no longer select all and encrypt. It's perhaps a lazy way to indicate to the user that the attachment won't be encrypted. Instead it might be nice for select all to just select all the encrypt able text, and use some other indicator for the attachment issue.

[dust_buster 0]

I dont like using all the work arounds mentioned as that defeats part of the value of Evernote, that you can easily, in one tool, collect, store, search and review your data.

 

Hardly.  You can easily store encrypted PDFs in Evernote. They won't be searchable.  But no notes (including EN's own encryption) that are truly & securely encrypted will be.  And you wouldn't want the encrypted parts to be.  Otherwise, that means someone (IE Evernote's indexer at the very least) can view them.

First of all, it's obnoxious how condescending some of you "Evernote Evangelists" are and it's poor customer service. 

 

I don't think it's too much to ask for the ability to encrypt an image in EN when they already allow us to encrypt text. As Grant837 is saying, we like that EN is an all-in one tool. We don't want to have to encrypt an image with a separate app and THEN add it to EN and if EN cared about efficiency or security, we wouldn't have to use a separate app. 

[jefito 5,589]

 

I dont like using all the work arounds mentioned as that defeats part of the value of Evernote, that you can easily, in one tool, collect, store, search and review your data.

 

Hardly.  You can easily store encrypted PDFs in Evernote. They won't be searchable.  But no notes (including EN's own encryption) that are truly & securely encrypted will be.  And you wouldn't want the encrypted parts to be.  Otherwise, that means someone (IE Evernote's indexer at the very least) can view them.

First of all, it's obnoxious how condescending some of you "Evernote Evangelists" are and it's poor customer service. 

 

I don't think it's too much to ask for the ability to encrypt an image in EN when they already allow us to encrypt text. As Grant837 is saying, we like that EN is an all-in one tool. We don't want to have to encrypt an image with a separate app and THEN add it to EN and if EN cared about efficiency or security, we wouldn't have to use a separate app. 

I'm not sure what you're objecting to in the post that you've quoted. Seems pretty factual to me. Was there any incorrect information? Or was there some other post that you didn't care for, but didn't quote? As it is, we are not official Evernote customer service representatives -- if you need that or want to make an official feature request, then the way to do that is to open a support request.

 

Anyways, we users -- Evangelists or otherwise -- can only offer workarounds for features that people want because we are not Evernote employees, we don't work on the products, and therefore can only deal with Evernote as it exists, not as we'd wish it to be. Everyone has their own favorite features that they'd like to see added (I sure do), but Evernote only has so many resources available for a very long list of ideas, many of them good ones. For the record, the ability to encrypt attachments or whole notes seems pretty reasonable to me, but I have no view into Evernote's aims and schedule.

[thommango 8]

+1 for image and file encryption.  I'm not sure who would be buying EN Business without the data being ecrypted - particularly after their infamous breach.  Seems like something the product should have been founded upon.

[gazumped 11,652]

+1 for image and file encryption.  I'm not sure who would be buying EN Business without the data being ecrypted - particularly after their infamous breach.  Seems like something the product should have been founded upon.

 

The "infamous breach" was a drive-by,  largely defeated by Evernote's existing defenses,  that was similar to dozens of other attacks that have liberated sensitive information from household name sites.  Evernote seems widely regarded as having reacted promptly and well to the situation.  Anyone who buys Evernote business -who is,  actually,  in business- should already have their own encryption in place on all hardware and storage,  so any add-on by Evernote would probably be superfluous.  Nonetheless,  it's something they're working on now.

[cwb 225]

woah, that's glazing things over a little.

The press slagged Evernote for storing passwords with MD5 (not industry standard due to weakness for many years), and blogging that they viewed it as safe because it would never be exposed outside the data center (oops).

They were slagged for sending notification emails to change passwords using a 3rd party service with 3rd party links rather than setting up their own domain URL's in the mailing (especially when warning about 3rd party links in the same email).

They were slagged for a password reset process that didn't prevent compromised credentials from performing the password reset (though I understand the historical corner they were backed into).

 

A business having encryption on the storage on their end does nothing for the Evernote server side, or the client side logged in with compromised credentials (which EN still provides no transparency into), and is difficult to manage with employee BYOD devices, or at home.

 

But yay's that it all continues to be worked on.

[cwb 225]

Back to the encrypting of "binary" attachments thread.

 

Yup, endlessly discussed.

Sadly, the attachments are already stored as "text" and encrypting them wouldn't be any different than encrypting the "text" in a note.

 

Source:

http://dev.evernote.com/documentation/cloud/chapters/data_structure.php

 

The attachments are encoded into the note similar to how email attachments are encoded into email with MIME.  The whole note becomes Evernote Markup Language, "largely a subset of XHTML".

Encrypting any or all of a note is simple for Evernote to do, and have it indexable/searchable exactly as it currently does.

 

Evernote is already storing attachments as text, and still indexing them.

Encryption just adds pseudo-randomness to that text, and it ceases to be human readable.

 

Whatever the content of your note and it's attachments are, they're already all munged up into an extended ascii/textual representation.

Whether that's human readable depends on your fluency in XHTML and MIME encoding.

So pseudo randomizing the text (ultimately encryption just re-orders the bits into a different storage format), is just one more trivial client step.  Images and PDF's are no different to this process.

There's nothing to stop the EN client securely storing them, and then selectively displaying them just as EN clients currently does.  Encryption doesn't change how that process needs to look or work, other than whatever authentication hoop you put in to authorize the display.

 

The only real trick is the clever design of your UI and backend around when and to who, to reverse the process for and display the original content. 

 

Normally all the backend client and server stuff happens just as if the encryption wasn't there.  It's no barrier to what it usually does with the data (or the client wouldn't be able to decrypt and present the data to you).  It's just an additional text formatting, if you will.

 

Ultimately it's about 3 questions.

1. Is it's usefully secure enough and usefully easy to use that people will, to ultimately bother with.  So far that's pretty much a no in EN.

2. Does the encryption prevent someone bypassing your client and reading the data directly, bypassing all the security window dressing you may or may not put up at the front door?

3. Does it provide a second level of security for certain content, to prevent casual or inadvertent viewing, when the default mode of the client is to open the users account without further challenge.

 

If there's desire, they could include a UI preference for the note to be searchable, and use two cipher keys.  One Evernote knows, and one they don't.

 

Putting my IT hat back on, I would guess that a good chunk of resistance Evernote would have to taking encryption any futher in the direction of non-escrowed keys (something they can't search), is that it would hamper data deduplication and efficient storage compression on the server side.  Given that it's part of the value proposition that Evernote offers (monthly transfer limits but no limit on back end storage), it's something that users should care about as well.

 

But that limitation goes away if it's confined to local only notebooks.  But then Evernote starts feeling like entirely the wrong tool for that since you're bypassing most of it's value proposition.

[cwb 225]

But it's all different needs and different requirements.
Business or home, PC's are not secure, and keeping them secure is no easy task.

Most people are looking for a place within their PC that is:

• Safer to keep their data in that just in the documents folder (especially with shared use PC's)
• Not just simple to find stuff in on the PC (Windows and Mac built in indexing does that for all local documents), but searchable on all their online devices (so sync/distributed), without downgrading that safety
• Provides a space where the pooled information provides one stop shopping and is more usable as a whole, than as separate little lose-able bits

Local encryption is easy and addresses point 1.
But pre-encryption does add some problems for the Evernote back end to solve (not impossible, but still, I'm glad not to have to be working on them).

The problem is that you need to feel safe that the authentication and controls on the Evernote server side is secure enough that getting at the data there doesn't become the path of least resistance. Not only from new/novel/unknown security holes, but just usual problem of authenticating that a data request is coming from an authorized owner of the data. Something that passwords are hopeless at, with so many areas of potential failure.

And that's tough to convince people of.
It either takes a very long time of no bad events (something the clock just got reset on for Evernote), or being clear and transparent about the good data protection in place on the back end.
I would argue that Google and Lastpass provide good examples of that.
They are clear about the processes involved (in some cases even open source code)
They are clear about who and what are accessing your account (to you at any time) so that you can verify.
They are reasonably clear with notifications of events as they happen, and flagging you to activity you may want to verify.

So they buy a lot of trust in a short period of time.
Encryption on the client side is easy and gets at what I think a lot of people are looking for without perhaps being able to clearly articulate. And if there were better authentication bits on the server side, I think a lot of peoples desire for encryption (or pre-encryption/escrowless encryption) would go away. Because it's really meant to solve a trust issue.

Where-as client side only encryption is more often meant to supplement or solve an authentication issue. As in, can someone other than me and my evernote client read the data? None of the following should be able to:

• A guest account
• another local admin account
• A text editor or SQLite browser which doesn't opt in to EN security prompts
• A recovered backup, which bypasses any business storage level encryption, and the operating system login (and a default EN client which doesn't prompt for authentication on opening)
• A an allowed temporary user of the Evernote client who may see 99% of the data but not the last 1%

[gazumped 11,652]

Wow - "slagged" (three posts back if you're not keeping up) seems a little over the top for the very qualified expressions of disappointment I've seen.  Quotes and references please if you want to make that fly. 

 

As to the rest,  Evernote will do encryption in their own way and at their own pace.  There's nothing useful I can add to their deliberations - except that they'd be pretty dumb to publish any details at all.  That's kinda like painting a target somewhere and issuing a challenge...

[cwb 225]

Wow - "slagged" (three posts back if you're not keeping up) seems a little over the top for the very qualified expressions of disappointment I've seen.  Quotes and references please if you want to make that fly. 

 

Ars Technica

Substandard crypto needlessly puts Evernote accounts at risk

 

Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

It goes on to highlight other security non-industry standard weaknesses in the password storage of some mobile Evernote clients, the RC2 cipher encryption.

 

Informationweek.com

Evernote used the wrong security method to store passwords, cryptography experts say. 

 

FierceCIO TechWatch

Evernote criticized for substandard security

 

Sophos

Evernote shoots itself in foot over "never click on 'reset password' requests" advice

[gazumped 11,652]

Surely if experts felt Evernote had seriously dropped the ball,  alongside being 'critical' they would have been recommending users to bail out in favour of a more reliable service? All I see is a media feeding frenzy with dumb headlines and quotes that "experts" are criticising,  without naming or quoting the experts.  I think you're supposed to apply some mature judgement to stuff like that.

 

And I forgot.  There is no more reliable service.  And your last quote is criticising Evernote for being hasty in fixing the problem,  not for having the issue in the first place.

 

I understand that you're concerned - and you have every right to be proprietorial about your data.  You should definitely take whatever action concerning the disposition of that data you feel is merited in the circumstances.  I intend to decisively do nothing at all and wait for Evernote to get its act together - since there's still nothing you or I can do to influence what that will be or when it will happen...

[cwb 225]

That's just silly.  Allow a spade to be called a spade.

 

I can't do anything about what you're "seeing" or not.

The first article names the security researcher.

The second article names at least three security researchers.

The third link names and quotes a security researcher listed in the previous two.

The forth link IS a security research firm.

 

90%+ of the service framework is fine.

It's simple implementation that needs the attention.

Swap salted MD5 for a PBKDF2 based solution.

Swap RC2 for AES.

Tweak the notification system and reset system as I'm sure is already done, and you're there.  No need to build or move to another service.

Just demonstrate that you know about security and care about users data enough for them to trust you with it.  Especially when your CTO is going to blog about how he worked for years in cryptography for the government and enjoys getting to use that knowledge at Evernote.

 

The (justified) inference of the criticism was why the security wasn't upgraded earlier.  And why they felt what they had was still industry standard, a decade after it wasn't.  I'm not going to get into that again.  It should be self obvious, and not worth my time debating further.

 

My last link WAS about being hasty in fixing the problem.  Because if you read my email to the end, where you requested citation, 2 of the 3 points I said they were "slagged" on were about the notification.  You invoked cite.  I cited.

 

Can you just be gracious enough to end this with "thank you for replying to my cite request", and we'll let it die.

 

I've suggested no action to anyone, and taken all needed actions for my part.  That's not the point of this.

I originally took issue with the overly generous painting I believe you gave to the media coverage.  It was not a tempest in a teapot.  There have been plenty of hacks, but Evernote's exposed a more creaky security infrastructure than most, and they got called on it.  Let that stand as it is, it's been covered ad nauseum, but let's not white-wash it post-mortem.

 

I have also responded to some who would defend the status quo suggesting this security stuff is all just too hard, and should really be the end users responsibility, or they really shouldn't be putting any of this outside their computer.

That's just plain mis-informed, misguided, enabling, and just not helpful.  I call it and correct it, where it stands.

[Akhiles 0]

It is unfortunate Evernote lost this feature.  Version 2.2 allowed encryption of selected text AND images.  They had the tec.  They just decided not to include it with the newer versions. Too bad, very inconvenient!

[gazumped 11,652]

To encrypt picture:  print to PDF file.  Encrypt (password protect) PDF file.

[Akhiles 0]

Yes I can print to PDF and encrypt the PDF file.  Their are many things I can do unrelated to Evernote I can do. And I do appreciate the suggestion for a workaround, but however that still is just a workaround, and very inconvenient.  The older versions of Evernote let you perform this simple encryption in Evernote itself.  It is a feature that needs to return.  Does anyone know where the Evernote "Suggestion Box / Feature Request" is on this site?

Thanks.

[montasser 0]

I have to say that I also needed this feature many times. There are many workarounds, but having it implemented in evernote would save us a lot of time. I hope it will be implemented in future versions.