Zen 1 Posted September 2, 2013 Posted September 2, 2013 Hello, I use Evernote desktop application in Windows 7 64 bits and in Android phone. I just found out reading in Evernote Knowledge online help that there's little or no good encryption support on local Evernote databases.. with some people sugesting the use of 3rd partir softwar to enforce encryption. From what I just read I remember 2 main ideas: a) Only use online access and *DONT* install Evernote for Windows. Seems we can encrypt notes by using option "Encrypt Selected Text.." present in menu "Format" of Windows Evernote desktop application, but.. seems its not strong enough, since it seems can be cracked in just couple seconds. I store sensitive data in my Evernote notes, and as such would like to ask Evernote community some questions, receive recomendations in how to maximize the security: 1. What way and/or software/procedures can one use to fully protect Evernote local database in a Windows 8 64bits system ? 2. What way and/or software/procedures can one use to fully protect Evernote local database in an Android mobile phone ? Thanks, Zen
BurgersNFries 2,407 Posted September 2, 2013 Posted September 2, 2013 Hello, I use Evernote desktop application in Windows 7 64 bits and in Android phone. I just found out reading in Evernote Knowledge online help that there's little or no good encryption support on local Evernote databases.. with some people sugesting the use of 3rd partir softwar to enforce encryption. From what I just read I remember 2 main ideas: a) Only use online access and *DONT* install Evernote for Windows. Seems we can encrypt notes by using option "Encrypt Selected Text.." present in menu "Format" of Windows Evernote desktop application, but.. seems its not strong enough, since it seems can be cracked in just couple seconds. I store sensitive data in my Evernote notes, and as such would like to ask Evernote community some questions, receive recomendations in how to maximize the security: 1. What way and/or software/procedures can one use to fully protect Evernote local database in a Windows 8 64bits system ? 2. What way and/or software/procedures can one use to fully protect Evernote local database in an Android mobile phone ? Thanks, Zen Please search the board on encryption and/or security. I know this has been discussed a lot already with respect to the Windows platform.
Zen 1 Posted September 2, 2013 Author Posted September 2, 2013 Burgersnfries, 1st) Please don't take me wrong, I'm not kind of person to post without searching before..2nd) Your post would be much better if it contained a useful link.. From what I have searched and read before, I learned Evernote lacks a lot of security on its local database, and from one of the suggested programs to encrypt windows folder I googled and found out someone/some software was/is able to crack that windows folder encryption program (TrueCrypt).. so you see even not been an "expert/guru" I did enough research to get me a bit in Limbo to see what is a nice solution in order to continue using Evernote windows desktop application. Until I feel I found, or someone kindly shared how he/she doing with your Evernote installation (ex. what security are you using in your own Evernote windows instalemente for example Burgersnfries coud you share please ?), I'm removing Evernote Windows application and only using web access. Thanks for any useful and direct suggestions,Zen
BurgersNFries 2,407 Posted September 2, 2013 Posted September 2, 2013 Burgersnfries,1st) Please don't take me wrong, I'm not kind of person to post without searching before..2nd) Your post would be much better if it contained a useful link..From what I have searched and read before, I learned Evernote lacks a lot of security on its local database, and from one of the suggested programs to encrypt windows folder I googled and found out someone/some software was/is able to crack that windows folder encryption program (TrueCrypt).. so you see even not been an "expert/guru" I did enough research to get me a bit in Limbo to see what is a nice solution in order to continue using Evernote windows desktop application.Until I feel I found, or someone kindly shared how he/she doing with your Evernote installation (ex. what security are you using in your own Evernote windows instalemente for example Burgersnfries coud you share please ?), I'm removing Evernote Windows application and only using web access.Thanks for any useful and direct suggestions,ZenAny encryption can be broken if someone has the time, tools & CPU power. However, Truecrypt with a strong password is sufficient for most of us who do not have billions of dollars at our instant access or never worked for the CIA. I have posted often on this board about TC as well as security. It's not just with the desktop app, it's with the EN servers that a user should educate themselves. Again, I urge you to use the search function.
Level 5 jbenson2 2,149 Posted September 2, 2013 Level 5 Posted September 2, 2013 Zen, The search function within this forum certainly is not your friend. It is quite handicapped - almost crippled. I have found a search can be more effective by leaving the forum entirely and using Google to search the entire web. Occassionally it will steer you back to this forum with some great insight.You are correct about your concern for sensitive information in Evernote. Personally, I question your perceived value of storing your important data only in the cloud. In my opinion, that is the worst place to put it.For critical data, I put it into a local (non-sync'd) Evernote notebook on my home Evernote Windows client. This prevents the information from ever getting into the cloud. It also prevents the data from being shared with any other devices (phone, tablet, etc.) I don't use whole disk encrypion (TrueCrypt) because Evernote does not support it.Security experts have ridiculed Evernote's weak crypto. For instance, earlier this year in March, 2013:Steve Gibson (GRC.com) was surprised to learn about Evernote's weak crypto. "... everybody's doing 256-bit AES, which blows away [Evernote's ancient] 64-bit RC2."A good PC needs only a few seconds to break 64-bit RC2!The next week, after doing more research in the Evernote docs, he came on even stronger.Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64 bit. He said, It's really not the security you want.More information from arstechnica's risk assessment about Evernote's substandard crypto can be found here:http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/I have requested that Evernote issue an updated White Paper on their security, especially after the hack earlier this year which required everyone to generate new passwords. The feedback I received was the security issue has been discussed many times and it is not needed to be brought up again.With that in mind, there might be something newer, but here is an Evernote status on their security written several years ago by Dave Engberg:Sep 08, 2009 6:07 pmI agree ... if you have particular concerns about some of the data in your account, then an encrypted file like a password-protected PDF is a good solution.It's hard to prove a negative ("Your data could never be stolen from Evernote..."), but we do make moderate efforts to mitigate these risks through a layered set of security policies and technologies. Random examples from your comments:There's no uber-index of contents of accounts ... we maintain separate user search indices of each user on decentralized storage with no cross-access between individual servers.Physical access to all storage (online and offline-backup) requires multiple authentication factors in protected facilities, and is restricted to only the four full-time IT/Operations staff that maintain the servers. Even Phil, the CEO, doesn't have passcards and keys to the data center. Security policy says that the departure of any such staff will result in full rekey and change of all passwords, etc.Our Privacy Policy and Terms of Service restrict what we can (and would) do with your data ... in particular, we have never (and will never) give your own data to other parties. This may make our life a bit more difficult in the short term (e.g. we don't let Google look at your notes to give us relevant ads), but we're in this for the "long haul", and we see the pay-off in customer loyalty and conversion to Premium over time. All of our user conversion graphs slope pleasantly up and to the right ... Also, from Dave Engberg on March 26, 2009There's some information about our security and privacy here:http://blog.evernote.com/2008/04/15/evernote-privacy-and-security/I personally feel that Evernote is appropriate to store things that you'd be willing to send over email via a high-end email provider. I.e. if you have something that you absolutely would never want to be stored "in the Internet" anywhere, then you wouldn't send it to someone via email, and you wouldn't store it in your Evernote account.A few people have tweaked this slightly by subscribing to a Premium account and then encrypting their own files (e.g. in something like a ZIP file) and then attaching that to a note. That would give you a backup of your data, but Evernote has no way of processing the data in that ZIP, so you couldn't search for words in those files, etc.If you're really just looking for an encrypted, opaque back-up of part of your hard drive, there's some pretty good online backup services available that offer this in a way that automatically handles updates and changes, etc. You could even configure it to back up your Evernote database directory to have a backup of your local notebooks. I used Iron Mountain's service at a previous job, and it worked pretty well once you muddled your way through their setup UI.
Zen 1 Posted September 3, 2013 Author Posted September 3, 2013 Burgersnfries,1st) Please don't take me wrong, I'm not kind of person to post without searching before..2nd) Your post would be much better if it contained a useful link..From what I have searched and read before, I learned Evernote lacks a lot of security on its local database, and from one of the suggested programs to encrypt windows folder I googled and found out someone/some software was/is able to crack that windows folder encryption program (TrueCrypt).. so you see even not been an "expert/guru" I did enough research to get me a bit in Limbo to see what is a nice solution in order to continue using Evernote windows desktop application.Until I feel I found, or someone kindly shared how he/she doing with your Evernote installation (ex. what security are you using in your own Evernote windows instalemente for example Burgersnfries coud you share please ?), I'm removing Evernote Windows application and only using web access.Thanks for any useful and direct suggestions,ZenAny encryption can be broken if someone has the time, tools & CPU power. However, Truecrypt with a strong password is sufficient for most of us who do not have billions of dollars at our instant access or never worked for the CIA. I have posted often on this board about TC as well as security. It's not just with the desktop app, it's with the EN servers that a user should educate themselves. Again, I urge you to use the search function. Hi Burgersnfries, TC seems a good solution for windows.And how about Android phones with Evernote app, do you suggest a nice approach to protect local database of evernote in android ? Finally, if server side can be issue/compromized?.. then what kind of setup would allow one to use android app and windows app in a more secure way?Not syncing with Evernote servers.. but then how could android app sync somehow with windows app ? After googling even a bit more, i can see a strong setup would be to:- not sync with Evernote servers, using local Evernote db stored in a TrueCrypt file stored in Dropbox or even a personal USB pendrive. But now problem is how to setup things in my Android phone? Because in the end of the day I would say 95% of my time i find myself using Android app too read/access my notes, being windows Evernote mostly used to create/edit my notes. update: Can you tell me if only interface to data of Android app is connection to Evernote servers? Or does exist other way ? Can you please advise/suggest your ideas given the way I use Evernote ? Thanks and Regards,Zen
Level 5* Metrodon 2,188 Posted September 3, 2013 Level 5* Posted September 3, 2013 If you want to sync between any devices running Evernote then you need to connect to the Evernote service in the cloud. If you have information that you are concerned about encrypting when it is on a device under your personal control then I'd suggest that data such as this is probably best not trusted to any cloud provider.
BurgersNFries 2,407 Posted September 3, 2013 Posted September 3, 2013 Hi Burgersnfries, TC seems a good solution for windows.And how about Android phones with Evernote app, do you suggest a nice approach to protect local database of evernote in android ? Finally, if server side can be issue/compromized?.. then what kind of setup would allow one to use android app and windows app in a more secure way?Not syncing with Evernote servers.. but then how could android app sync somehow with windows app ? After googling even a bit more, i can see a strong setup would be to:- not sync with Evernote servers, using local Evernote db stored in a TrueCrypt file stored in Dropbox or even a personal USB pendrive. But now problem is how to setup things in my Android phone? Because in the end of the day I would say 95% of my time i find myself using Android app too read/access my notes, being windows Evernote mostly used to create/edit my notes. update: Can you tell me if only interface to data of Android app is connection to Evernote servers? Or does exist other way ? Can you please advise/suggest your ideas given the way I use Evernote ? Thanks and Regards,ZenI only use my Android device casually, so I can't suggest a solution.As Metrodon said, EN is a cloud service. Any syncing between devices is done via the cloud. There is no direct syncing between devices & AFAIK, that is never part of their plan, since they are a cloud service. On Windows, you can copy one database (exb) file from one computer to another. (Please search the board, should you want more info on this.) But since different OSes use different file types, this normally cannot be done cross platform (IE Windows to Android.) As has been discussed on the board already, it is not recommended to put a "live" EN database in Dropbox, since there is a risk of file corruption.The most secure way to protect sensitive data is to have it truly encrypted. 'Truly encrypted' meaning if you forget/lose the password your data is lost forever ("zero knowledge") & you cannot click an option to get the encryption password (which should differ from an account login password) from someone else such as the host (IE Evernote, Dropbox, etc.). I would suggest you use a good password manager (SplashID, Roboform, 1Pass, Lastpass, etc. have all been discussed on the board). Or use a strong password & password encrypt (not just password protect) the info in a TC container, PDF, etc. (Also, already discussed on the board & many other places on the internet.) Having said all that, there is nothing that is guaranteed against any & all hacker attacks, including any & all cloud services, even zero knowledge. It's simply a matter of balancing making it as difficult as possible for someone to brute force the password with ease of use. For most of us, zero knowledge encryption with a strong password is sufficient. But that is not EN's focus. They focus on indexing your notes & those notes cannot be indexed if their indexing software cannot 'read" the notes.
Liam Gretton 86 Posted September 3, 2013 Posted September 3, 2013 And how about Android phones with Evernote app, do you suggest a nice approach to protect local database of evernote in android ? Whole device encryption has been around since about version 2.4 of Android I think. You should also put a short time out on the screen lock. Google will find you plenty of hits for instructions, but here's one to start with: http://www.maketecheasier.com/encrypt-android-phone/2013/05/15
Recommended Posts
Archived
This topic is now archived and is closed to further replies.