(Archived) Encrypting Documents

[Gallus-au 0]

I have just added a new document to Evernote on my Laptop and encryted it. I can now only open it when I put in a password. I have Everynote scyned with my ipad and iphone. However, when I go to Evernote on these 2 devices this document is open ie it does not need a password to open it. This is not secure enough for me. Does anyone know how to overcome this problem?

[jbenson2 2,147]

If you want more security, move the notes to an Evernote local non-sync'd notebook.

It will only be visible on your local client.

The note will not be sent to the cloud (Evernote web), or to your mobile devices.

[BurgersNFries 2,407]

I have just added a new document to Evernote on my Laptop and encryted it. I can now only open it when I put in a password. I have Everynote scyned with my ipad and iphone. However, when I go to Evernote on these 2 devices this document is open ie it does not need a password to open it. This is not secure enough for me. Does anyone know how to overcome this problem?

How did you encrypt the document? Or did you just encrypt some text in a note using Evernote's encryption feature? What client are you using on your laptop?

[Gallus-au 0]

Thanks for your reply. I just used Evernote's encryption feature for the new document I created.

[GrumpyMonkey 4,319]

Hi. Welcome to the forums!

Evernote's encryption only works for text in a note. Evernote does not encrypt attachments If you want to encrypt a file attachment, you need to use something else like Preview (free on Mac) or Adobe Actobat Pro (paid).

You should also note that Evernote (like many apps) currently does not open PDFs on the iPad that have been encrypted at 256-bit by some programs (all?), and you will need to upload them into the Adobe Acrobat Reader app (free) to open them on the iPad. You will not be able to use "open in", so make sure to upload directly. Or, use 128-bit encryption, which Evernote handles just fine.

[JMichaelTX 4,117]

You should also note that Evernote (like many apps) currently does not open PDFs on the iPad that have been encrypted at 256-bit by some programs (all?), and you will need to upload them into the Adobe Acrobat Reader app (free) to open them on the iPad. You will not be able to use "open in", so make sure to upload directly.

Thanks for sharing this major Evernote security limitation, GM.

This puts a major hole in Evernote's suggested strategy of pushing off security/encryption of attachments to the user.

So, if I encrypt a PDF and attach to EN Mac or EN Win, I can later open the PDF from Evernote into a PDF app on my Mac/PC that allows me to enter the password and decrypt the PDF.

But, I will not be able to open the PDF from Evernote on iPhone or iPad.

This is a major limitation that Evernote conveniently does not tell you about.

[GrumpyMonkey 4,319]

You should also note that Evernote (like many apps) currently does not open PDFs on the iPad that have been encrypted at 256-bit by some programs (all?), and you will need to upload them into the Adobe Acrobat Reader app (free) to open them on the iPad. You will not be able to use "open in", so make sure to upload directly.

Thanks for sharing this major Evernote security limitation, GM.

This puts a major hole in Evernote's suggested strategy of pushing off security/encryption of attachments to the user.

So, if I encrypt a PDF and attach to EN Mac or EN Win, I can later open the PDF from Evernote into a PDF app on my Mac/PC that allows me to enter the password and decrypt the PDF.

But, I will not be able to open the PDF from Evernote on iPhone or iPad.

This is a major limitation that Evernote conveniently does not tell you about.

I think most people probably do not use 256-bit encryption and then try to open it on their mobile devices. I know that I only recently discovered this (in the process of trying to discover the problems others were having in 4.3). I also would like this to be documented, and I think Evernote will have to update all of the existing materials, and add new ones sooner rather than later. We all know the documentation is out of date (a reflection of how quickly Evernote is improving).

It isn't a security limitation, in my opinion. It is simply something to be aware of on the iPad/iPhone. You also cannot encrypt text on the iPad/iPhone. There are all sorts of restrictions we live with on the iPad/iPhone for every app. In fact, the only app in iOS that can handle 256-bit encryption is Adobe, so I suspect something in the OS is making things tough for developers. Otherwise, everyone would have it.

Anyhow, this is what user forums are for -- sharing information

[JMichaelTX 4,117]

I think most people probably do not use 256-bit encryption and then try to open it on their mobile devices.

GM, as you and I have discussed numerous times, while the iPad is obviously a mobile device, due to its larger size we need it to support features more like a laptop than a smartphone. I can clearly see use cases where you might archive lots of sensitive documents using EN Mac, but then need to view/read them on EN iPad.

[GrumpyMonkey 4,319]

I think most people probably do not use 256-bit encryption and then try to open it on their mobile devices.

GM, as you and I have discussed numerous times, while the iPad is obviously a mobile device, due to its larger size we need it to support features more like a laptop than a smartphone. I can clearly see use cases where you might archive lots of sensitive documents using EN Mac, but then need to view/read them on EN iPad.

Yep. You and I definitely agree here. The iPad can be a powerful workhorse, but the UI needs adjustment in order to take full advantage of the device's potential. I imagine this functionality will come at some point (I hope so), but there are other more pressing issues (in my opinion) that affect functionality for many more users than the small number (I imagine) who encrypt with 256-bit. I've got a list of these still floating around somewhere, and I know the developers have already heard an earful from me

[JMichaelTX 4,117]

This thread got me thinking about encryption, specifically 128-bit vs 256-bit.

Basically, is there a compelling reason to use 256-bit?

After a short bit of research, I found this:

Which encryption key to choose, 128- or 256-bit? by USBCrypt.com

When you encrypt a disk with USBCrypt, you have the option of choosing the length of the encryption key: 128 or 256 bits. Which length should you choose?

The naïve answer seems to be “the longer the better”: the 256-bit encryption’s got to be much better than 128-bit one, why not use it? The reality, however, is that the 128-bit encryption is just as strong as the 256-bit, while it requires less computational resources and is performed a bit faster.

You can read the full article for more details.

Does anyone disagree with this?

[GrumpyMonkey 4,319]

This thread got me thinking about encryption, specifically 128-bit vs 256-bit.

Basically, is there a compelling reason to use 256-bit?

After a short bit of research, I found this:

Which encryption key to choose, 128- or 256-bit? by USBCrypt.com

When you encrypt a disk with USBCrypt, you have the option of choosing the length of the encryption key: 128 or 256 bits. Which length should you choose?

The naïve answer seems to be “the longer the better”: the 256-bit encryption’s got to be much better than 128-bit one, why not use it? The reality, however, is that the 128-bit encryption is just as strong as the 256-bit, while it requires less computational resources and is performed a bit faster.

You can read the full article for more details.

Does anyone disagree with this?

I am no expert, but as I understand it, everything can be cracked someday. The question is: when? Estimates vary, but 128-bit will be cracked by brute force before 256-bit. I think the point of the article was that in either case it is an incredibly long time, so it doesn't matter. I figure, though, why not use the best encryption available to me? Of course, I didn't know until recently that all but one of my apps (Adobe) don't support 256-bit. LOL.

[JMichaelTX 4,117]

Here's another white paper that suggests that 128-bit encryption is more than enough:

128-Bit Versus 256-Bit AES Encryption (Seagate Technology Paper)

If there were no extra cost for 256-bit encryption, then sure, why not go with it.

But there are real costs, and for the foreseeable future, even the faster, most powerful computers, would not be able to crack 128-bit encryption. From the Seagate article: "Exhaustive key search techniques on a key space of 128 bits, using the latest streamlining processes,require resources (MIPS, memory, power and time) many orders of magnitude beyond current capabilities."

The real extra costs for 256-bit encryption are:

1. Takes longer to encrypt and decrypt
   
2. Only a few apps support it today
   
3. Apps may cost more
   

So, for me, at least for the next year or so, I'm convinced that 128-bit encryption is way more than sufficient to protect my documents. It would be so helpful if I could have a secure Notebook that I could just drop my sensitive Notes/Attachments into without worry.

What would be most helpful is for Evernote to provide full encryption of Note contents and attachments (but not Note metadata) at least on a per Note basis, but preferably at the Notebook level.

[GrumpyMonkey 4,319]

I'd like encrypted notebooks as well. However, I don't see much chance of that in the near future.

As for 256-bit, you ought to be fine without it, so I don't see it as a big issue for Evernote. As long as users know to use 128, everything ought to be Ok. I'll continue using 256 because I rarely need access to the documents from mobile, and those I might want to see are also in Adobe Reader (free app).

[Davos119 1]

Thanks for pointing this thread out to me JMichael - it's useful stuff. I am now using Acrobat X Pro to encrypt PDFs at 128-bit and am having no trouble opening them in Evernote on the iPad.

I just wanted to point out one other potential security risk with encrypted PDFs in Evernote that people may or may not be aware of:

If Evernote gets an unencrypted version of a PDF and OCRs it, then the searchable text that Evernote creates will remain in its database even if you subsequently encrypt the PDF. So you need to be very careful about the order in which you do things. You need to be absolutely sure to create the PDF outside of Evernote and encrypt it before importing it.

That might sound blindingly obvious to some people, but it wasn't to me.

Originally I set up a workflow where my ScanSnap scanner would scan directly to Evernote. I was then opening the PDFs in Acrobat Pro from within evernote, renaming them, applying the encryption, then closing out of them and saving the encrypted version. All fine, I thought.

Some time later, I discovered that some of my encrypted PDFs were popping up in search results. I double clicked on them and they were definitely encrypted - I was prompted for the password to open them. So how, I wondered, was Evernote returning encrypted documents in searches based on keywords within them? Either it was seeing past the encryption, or some unencrypted version remained in the system somewhere. I then discovered that some of my encrypted PDFs (the same ones that appeared in search results) had the 'save as searchable PDF' option enabled in the right-click menu. Sure enough, I discovered that it was possible to right click on an encrypted PDF and save a searchable version of it on the desktop that contained all the text (they were stripped of formatting and other images, but all the text that was identified in the OCR process was all present).

Cue a mad dash to purge Evernote of all my encrypted PDFs, re-sync, then re-import all the already-encrypted versions afresh, so as to stop Evernote getting its beady eyes on the contents.

In hindsight, it was probably quite silly to allow the unencrypted versions to hit the cloud in the first place. If you're that worried about security, then of course you'll encrypt before uploading. But nevertheless, it was a surprise to me to learn that the searchable contents of a document remain in the database even if that document is subsequently encrypted.

Hopefully me posting this might help someone as daft as me from making the same mistake....