Is encrypted text stored as encrypted text on the server?



Ok… so a certain set of events has led me to believe that any encrypted text within a note is not actually encrypted as such, it is just parsed by Evernote and then replaced by an encryption box.

 

I have an iPad 1 and wanted to try Evernote on it, but as iPad 1 can only go as high as iOS 5, Evernote refused to load as it requires iOS 7+.

 

With this in mind, I then decided to install Evernote on my iPhone (iOS 8) and then try again on iPad as it will detect it as a "Purchased Item" and allow me to install the last known compatible release for the iOS version being run.

 

This worked as I hoped and allowed me to run Evernote on iPad 1 (an older version admittedly).

 

Some of my notes have sensitive information such as Serial Numbers which I have encrypted.

 

I switched to Card View and watched Evernote import all my notes. I was quite alarmed when Evernote started to import notes with serial numbers, and the serial numbers were clearly visible! No encryption, no nothing, just plain text for everyone to see!

 

Once the import had finished, the notes THEN had the serial numbers encrypted. This would suggest to me that this encrypted text is not stored encrypted, and the text is also sent unencrypted, which is a little concerning for possible account hijacks etc…

 

Link to comment
  • Level 5*

Hi. For a definitive answer, raise a support request or tweet @Evernotehelps; we're a user support forum so mostly what you'll get here is speculation and opinion. Having said that, see:

How to encrypt content - https://evernote.com/contact/support/kb/#/article/28451608
What encryption is used - https://evernote.com/contact/support/kb/#!/article/23480996
Evernote's policy - https://evernote.com/security/

Oh, and for third-party encryption: http://www.getsaferoom.com/

 

Link to comment
  • 1 month later...

I too would like an answer to this: is encrypted text within notes also ENCRYPTED ON THE EN SERVER?

I have tried contacting Evernote support directly, but with just a basic membership it appears I am unable.

THANKS to anyone who can direct me to something official other than the "what type of encryption does EN use" note. That only tells me that EN can't access my encryption passcode.

Link to comment
  • Level 5

I too would like an answer to this: is encrypted text within notes also ENCRYPTED ON THE EN SERVER?

I have tried contacting Evernote support directly, but with just a basic membership it appears I am unable.

THANKS to anyone who can direct me to something official other than the "what type of encryption does EN use" note. That only tells me that EN can't access my encryption passcode.

 

Check the link in Gaz's message.

 

Here is an excerpt

Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

 

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

Link to comment
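The scheme quoted in the excerpt above, sketched as an added example (not Evernote's code and not part of any post in this thread): the key is derived and used on the client, and only salt, IV and ciphertext are left to store or sync. The 16-byte salt length, the layout of the synced blob, the function names and the sample serial number are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Parameters quoted in the excerpt: PBKDF2, 50,000 rounds of SHA-256, 128-bit key.
ROUNDS   = 50_000
KEY_LEN  = 16 # bytes, i.e. a 128-bit AES key
SALT_LEN = 16 # assumption: the excerpt does not state the salt length

# Derive the AES key on the client from the passphrase and a per-item salt.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, ROUNDS, KEY_LEN, OpenSSL::Digest.new('SHA256'))
end

# Encrypt on the client. The returned hash is everything that would be stored
# or synced: salt, IV and ciphertext, never the key or the passphrase.
def encrypt_segment(plaintext, passphrase)
  salt   = SecureRandom.random_bytes(SALT_LEN)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.encrypt
  cipher.key = derive_key(passphrase, salt)
  iv = cipher.random_iv
  { salt: salt, iv: iv, ciphertext: cipher.update(plaintext) + cipher.final }
end

# Decrypt on the client. Returns nil when the padding check fails, which is
# the usual (not guaranteed) result of a wrong passphrase.
def decrypt_segment(blob, passphrase)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  cipher.decrypt
  cipher.key = derive_key(passphrase, blob[:salt])
  cipher.iv  = blob[:iv]
  (cipher.update(blob[:ciphertext]) + cipher.final).force_encoding('UTF-8')
rescue OpenSSL::Cipher::CipherError
  nil
end

# True if the secret appears verbatim in any field a server would hold.
def server_view_contains?(blob, secret)
  blob.values.any? { |field| field.include?(secret.b) }
end

if __FILE__ == $PROGRAM_NAME
  secret = 'SN-0000-EXAMPLE-1234' # constructed sample value
  blob   = encrypt_segment(secret, 'correct horse battery staple')
  puts "synced fields: #{blob.transform_values { |v| v.unpack1('H*') }}"
  puts "plaintext visible in synced fields: #{server_view_contains?(blob, secret)}"
  puts "wrong passphrase: #{decrypt_segment(blob, 'not the passphrase').inspect}"
end
```

CBC on its own provides confidentiality only; this sketch adds no integrity check, so a modified blob can decrypt to garbage instead of failing.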

An excerpt from the privacy policy

 

"Evernote also provides you with the ability to encrypt segments of text within any given note. You can learn how to encrypt text by reviewing this Knowledge Base article. Please note, however, that Evernote does not have the ability to decrypt encrypted contents, so we won’t be able to help you recover encrypted contents if you forget the passphrase you used for encryption"

 

 

This suggests that the text IS encrypted at the server end, but this would conflict with my findings that I pointed out in the original post. If segments of text in my note were encrypted (verified by Mac, Windows and iOS versions that I have), why did I see this "encrypted" text as plain text when the content was being sucked down on a fresh installation - something doesn't add up.

Link to comment

Tweeting @evernotehelps garnered this answer:

"After text is encrypted in an Evernote app, only the resulting cipher-text is stored in the note or sync'd to our servers. For additional information on security, please check out this page: bit.ly/1X3WaCp. Hope this helps!"

I agree that seeing the unencrypted text come through on transfer is unnerving and would make me suspicious. Perhaps JimmyBoy, you can private message @evernotehelps with your detailed question.

Link to comment

I hope I can provide some more clear answers to your questions:

  • To provide the search features offered in Evernote, we do not encrypt your content on our servers. Data storage on our servers is outlined under the III. Data Storage and Transfer section of our Privacy Policy as previously noted.
  • Content you manually encrypt using the Evernote encryption feature remains encrypted on our servers using the method described under "Encrypted Text Within a Note": https://evernote.com/security/
  • Apologies for initially missing the issue JimmyBoy is reporting. We are looking into this issue. I’ll keep you posted.
Link to comment

Archived

This topic is now archived and is closed to further replies.
