Jump to content

Encrypted Note on Evernote Servers


Recommended Posts

Posted

If I encrypt a Note and sync it to the Evernote servers, does the encryption key go with it? If not and someone hacks the Evernote servers, is he going to be available to see what is in my Note without the key?

If no, why are people worried about updating sensitive information to the Evernote servers?

  • Level 5*
Posted

You can't encrypt a Note, only selected text in a Note.

No, Evernote cannot see the text that is encrypted.

 

For details on the security issues, do a google on "evernote security"

  • Level 5*
Posted

Just found this:

 

Evernote Security overview

 

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

 

Posted

JMichael - Thanks for responding & answering my question.

So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either.

If I have drawn the wrong conclusion, please let me know.

  • Level 5*
Posted

So, given that the Evernote servers can recover my encrypted data, then I assume that no hacker could either.

 

I think you meant "Evernote servers can *not* recover ...".

 

I'm no security expert, but my understanding of "PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key" means it would be exceedingly difficult to hack.  I would never assume it is impossible to hack.

Posted

 

Just found this:

 

Evernote Security overview

 

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

 

hmm given this info, I think what I said is wrong. If the password is never transmitted to EN servers I guess we are in a ZK configuration (as I understand it). I'd like to have @GrumpyMonkey's point of view if he read this topic.

However the AES-key could be stronger. It seems 256-bites AES is now the "norm" as a security level.

Posted

JMichael - Yes, a grammar mistake on my part.

And yes, I acknowledge your point that "exceedingly difficult" is a more appropriate conclusion.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...