Encrypted Note on Evernote Servers


If I encrypt a Note and sync it to the Evernote servers, does the encryption key go with it? If not and someone hacks the Evernote servers, is he going to be able to see what is in my Note without the key?

If no, why are people worried about updating sensitive information to the Evernote servers?

Link to comment
You can't encrypt a Note, only selected text in a Note.

No, Evernote cannot see the text that is encrypted.

For details on the security issues, do a google on "evernote security".

Link to comment
Just found this:

Evernote Security overview

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

Link to comment

JMichael - Thanks for responding & answering my question.

So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either.

If I have drawn the wrong conclusion, please let me know.

Link to comment
So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either.

I think you meant "Evernote servers can *not* recover ...".

I'm no security expert, but my understanding of "PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key" means it would be exceedingly difficult to hack. I would never assume it is impossible to hack.

Link to comment
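The key derivation quoted above, and what it implies for an attacker who obtains the stored salt and ciphertext, as an added example that is not part of the original posts or Evernote's own code. The 16-byte salt length, the 1,000,000 guesses-per-second hardware rate and the passphrase classes are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import time

ITERATIONS = 50_000  # "50,000 rounds of SHA-256" per the quoted overview
KEY_BYTES = 16       # 128-bit AES key
SALT_BYTES = 16      # assumption: the overview does not give the salt length


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation with the parameters quoted above."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS, dklen=KEY_BYTES)


def measured_guess_rate(samples: int = 3) -> float:
    """Guesses per second one CPU core can test on this machine."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt)
    return samples / (time.perf_counter() - start)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def average_search_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the passphrase: half the space, on average."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The salt is stored next to the ciphertext; only the passphrase is secret.
    salt = os.urandom(SALT_BYTES)
    print("derived key:", derive_key("correct horse battery staple", salt).hex())
    cpu = measured_guess_rate()
    fast = 1_000_000.0  # hypothetical rate for dedicated cracking hardware
    # Constructed passphrase classes: (label, alphabet size, length)
    for label, size, length in [("4-digit PIN", 10, 4),
                                ("8 lowercase letters", 26, 8),
                                ("4 words from a 7776-word list", 7776, 4),
                                ("6 words from a 7776-word list", 7776, 6)]:
        bits = entropy_bits(size, length)
        print(f"{label:30} {bits:5.1f} bits  "
              f"{average_search_years(bits, cpu):.3g} y at {cpu:.0f}/s, "
              f"{average_search_years(bits, fast):.3g} y at {fast:.0f}/s")
```

The iteration count multiplies the cost of every guess, but the total work still scales with the entropy of the passphrase, so a short or common passphrase is the weak point rather than the 128-bit key.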

 

Just found this:

Evernote Security overview

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

Hmm, given this info, I think what I said is wrong. If the password is never transmitted to EN servers, I guess we are in a ZK configuration (as I understand it). I'd like to have @GrumpyMonkey's point of view if he reads this topic.

However, the AES key could be stronger. It seems 256-bit AES is now the "norm" as a security level.

Link to comment

Archived

This topic is now archived and is closed to further replies.
