Analyst444 182 Posted June 26, 2015
If I encrypt a Note and sync it to the Evernote servers, does the encryption key go with it? If not and someone hacks the Evernote servers, is he going to be able to see what is in my Note without the key? If no, why are people worried about updating sensitive information to the Evernote servers?
Level 5* JMichaelTX 4,119 Posted June 26, 2015
You can't encrypt a Note, only selected text in a Note. No, Evernote cannot see the text that is encrypted. For details on the security issues, do a google on "evernote security".
SebR 146 Posted June 26, 2015
En is not zero-knowledge. But https://discussion.evernote.com/topic/81336-saferoom-zero-knowledge-encryption-for-evernote-and-more/
edit: maybe I said bullsh1t...
Level 5* JMichaelTX 4,119 Posted June 26, 2015
> En is not zero-knowledge. But https://discussion.evernote.com/topic/81336-saferoom-zero-knowledge-encryption-for-evernote-and-more/

What do you mean by this? The link is to a 3rd party product.
Level 5* JMichaelTX 4,119 Posted June 26, 2015
Just found this: Evernote Security overview

> Encrypted Text Within a Note
>
> If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.
>
> When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.
>
> We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.
Analyst444 182 Posted June 26, 2015
JMichael - Thanks for responding & answering my question. So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either. If I have drawn the wrong conclusion, please let me know.
Level 5* JMichaelTX 4,119 Posted June 27, 2015
> So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either.

I think you meant "Evernote servers can *not* recover ...". I'm no security expert, but my understanding of "PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key" means it would be exceedingly difficult to hack. I would never assume it is impossible to hack.
SebR 146 Posted June 27, 2015
> Just found this: Evernote Security overview
>
> Encrypted Text Within a Note
>
> If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.
>
> When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.
>
> We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

Hmm, given this info, I think what I said is wrong. If the password is never transmitted to EN servers I guess we are in a ZK configuration (as I understand it). I'd like to have @GrumpyMonkey's point of view if he reads this topic.
However, the AES key could be stronger. It seems 256-bit AES is now the "norm" as a security level.
Analyst444 182 Posted June 27, 2015
JMichael - Yes, a grammar mistake on my part. And yes, I acknowledge your point that "exceedingly difficult" is a more appropriate conclusion.
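Added example (not part of the thread, and not Evernote's code): the key derivation described in the quoted security overview, with a rough estimate of how many bits of guessing work a passphrase of a given entropy costs an attacker who holds only the ciphertext and salt. It assumes HMAC-SHA256 as the PBKDF2 PRF and a 16-byte salt, neither of which the overview states; the passphrases and entropy figures are constructed.

```python
import hashlib
import math
import os
import time

ITERATIONS = 50_000   # from the quoted Evernote security overview
KEY_BYTES = 16        # 128-bit AES key, from the same overview
SALT_BYTES = 16       # assumption: the overview does not state the salt length


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the AES key on the client (assumes HMAC-SHA256 as the PBKDF2 PRF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def stretching_bits(iterations: int = ITERATIONS) -> float:
    """Extra work, in bits, that the iteration count adds to every guess."""
    return math.log2(iterations)


def effective_bits(passphrase_entropy_bits: float, iterations: int = ITERATIONS) -> float:
    """Approximate guessing cost: entropy plus stretching, capped by the key size."""
    return min(passphrase_entropy_bits + stretching_bits(iterations), KEY_BYTES * 8)


def seconds_per_guess(samples: int = 3) -> float:
    """Time one derivation on this machine (dedicated hardware is much faster)."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"constructed-sample-{i}", salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt_a, salt_b = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    # Same passphrase, different salt: a different key, so tables cannot be reused.
    print(derive_key("correct horse", salt_a).hex())
    print(derive_key("correct horse", salt_b).hex())
    print(f"{seconds_per_guess() * 1000:.1f} ms per guess on this machine")
    # Constructed entropy figures for randomly generated passphrases.
    for label, bits in [("8 lowercase letters", 8 * math.log2(26)),
                        ("5 diceware words", 5 * math.log2(7776)),
                        ("10 diceware words", 10 * math.log2(7776))]:
        print(f"{label}: {bits:.1f} bits -> {effective_bits(bits):.1f} bits effective")
```

The 50,000 rounds add about 15.6 bits to whatever entropy the passphrase has, so for typical passphrases the passphrase, not the 128-bit key size, sets the limit.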
This topic is now archived and is closed to further replies.