
Password Protected Notebooks


EvernoteLover9


Yes, this feature would be great. This is really the only feature I would want as a premium customer. The other things that you get are OK, but for me some encryption would seal the deal.

 

As for now I can't use Evernote for all my notekeeping purposes, which is a little sad.

  • Like 1
  • Sad 1
Link to comment

Forget it folks, I, and many others have tried...they don't want to hear it. Some "antis" here are more vocal than others.

Where are the antis? If you search the board, I think you'll find lots of support for it, and also many users who are ambivalent, but does anyone say they "don't want the option to encrypt notebooks," or they "are anti-encryption"?

If by "they," you mean Evernote, then I can assure you they have heard. You can even find them in some of the threads responding. Just because they disagree and don't do everything we suggest doesn't mean they are not listening. Have we convinced them yet? No. But, maybe recent events are moving us closer to it.

Maybe, if you offered your specific security concerns, and specific reasons for wanting it then that would be more convincing.

Link to comment

You can count my vote among those looking for a more serious approach to encryption in EverNote. In light of the recent NSA/PRISM surveillance scandal I simply cannot justify - as a non U.S. citizen - storing sensitive business information in EverNote, where it could be extracted at will by U.S. intelligence officials engaged in industrial espionage.

  • Like 1
Link to comment

No worries there.  Last year they announced building a datacenter in China.  No Prism access there.  :)

 

You may think you're being funny, tongue in cheek or showing to the world that "it's not only the U. S. that is bad" but in reality all you're doing with the above contribution is strengthening my argument in favour of more comprehensive encryption options for those prospective users, who are serious about using Evernote for enterprise purposes.

 

And in any case the Patriot legislation also covers data centres abroad as long as the operating company is based in the U. S. This was admitted by Microsoft already years ago: http://www.zdnet.com/blog/london/defense-giant-ditches-microsofts-cloud-citing-patriot-act-fears/1349

 

http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225

 

Competitionwise the Americans have really shot themselves in the foot, when they decided to coerce their cloud services industry to facilitate their spying business. No wonder they wanted to keep it a secret to the world (as in "NOFORN").

  • Like 1
Link to comment

It was indeed intended to show that we shouldn't be myopic on NSA surveillance of US based data centers.

You should assume that you're subject to metadata (if not more) surveillance wherever you are.

 

Note that the UK collects more metadata than the US (though through agreement, they share access to one another's data)

http://www.wired.com/threatlevel/2013/06/gchq-tapped-200-cables/

 

They aren't going to say anything about the spy taps they have on foreign undersea cables, but that's been known for a very long time.

So you have to assume that your data is being sifted over by:

  • Your own government, plus any they have intelligence agreements with
  • The governments of any countries your packets pass through
  • The governments of any enemies of your government through clandestine undersea taps (if ours are doing it, one has to assume some likelihood it happens the other way)

Being inside or outside the US, with a data center inside or outside the US, likely makes very little difference.

 

The only recent news here is that it's recently become news to some people (and perhaps the getting of a renewed sense of the scope creep enabled by Moore's law).

Act accordingly.  Though the horse left the barn on that requirement long ago.

 

http://en.wikipedia.org/wiki/Operation_Ivy_Bells

http://www.nytimes.com/2005/02/20/politics/20submarine.html?_r=0

 

Using encryption now, just flags you for permanent archiving: http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/

  • Like 1
Link to comment

I am just adding my YES vote for folder encryption. I use a separate program for that now, and lack of folder encryption is the main reason I don't keep financial or legal documents in Evernote.

For sensitive data, my recommendation is to use Evernote's local notebooks. When you need sensitive data on mobile devices, if you are using iOS, VoodooPad is nice (wifi or iTunes sync with no Internet).

http://www.christopher-mayo.com/?p=288

Ideally, an encrypted notebook will be made available soon. Splitting data up (local/synced or VoodooPad/Evernote) is very inconvenient and inefficient. The alternative, though, is to expose your data (and that of any third parties you might have) to government(s) surveillance and subsequent loss to hackers / other countries (ask the US government where their military secrets went http://www.cbsnews.com/8301-201_162-57586624/how-chinese-hackers-steal-u.s-secrets/).

  • Like 2
Link to comment

I've been an Evernote user for years, and the request for encrypted notebooks has been raised repeatedly.  I would love to have such a feature and would be willing to pay more for it, and would gladly sacrifice the ability to have the contents of encrypted notebooks indexed and searchable.  Unfortunately, I suspect that this requested feature is either extremely low priority or against Evernote's idea that everything should be searchable, and as such, I don't expect it to happen.

 

From a certain perspective, I think not providing greater encryption capabilities is almost negligent.  With such a large user base, you know that some people are storing sensitive documents and data in EN, thinking it is relatively secure (I have known such people - keep in mind that a majority of the world is not that tech sophisticated and when they see things like SSL encryption, they presume their data is always encrypted and absolutely safe).  Yes, these people should know better, and providers such as EN are not required to babysit such people, but if you are aware that people are using your product in an unsecure manner, shouldn't you do something about it?  Just my 2 cents.

 

 

  • Like 3
Link to comment

 

The last couple of minutes of this interview indicate that new "sexy" encryption options will be available "soon" (by the end of the year apparently)

 

http://techcrunch.co...ar-old-startup/

 

 

Yep. Thanks again for finding that.

 

If you want to know the exact spots where relevant stuff is said, see this post http://discussion.evernote.com/topic/39180-password-protect-evernote-in-total/?p=220064

Link to comment

By the way, Google storage now has encryption. It seems to be roughly equivalent to what Dropbox already has as well. It might sound good to some people, but Google has the keys, so they can be legally compelled to turn your data over to a government and hackers can get a hold of it, so it is (in my opinion) nothing more than a false sense of security. This is not the encryption I want to see in Evernote (and it sounds to me in the interview that it isn't the encryption Evernote wants either).

http://www.pcworld.com/article/2046802/google-to-encrypt-cloud-storage-data-by-default.html

 

This is the kind of encryption I want from Evernote. A notebook encrypted in this manner with zero-knowledge encryption would be ideal.

https://spideroak.com/faq/questions/23/

 

By the way, there is (as Phil mentioned in the interview) a lot of confusion out there about this Prism thing. I am no expert, so please correct me if I am wrong, but if Google holds the key, unlocks the door to your data, and hands the data to the government (as they are legally obligated to do in some cases), then how is their encryption of data on their servers addressing any of the privacy/security concerns that people have about the government over-reach? To my amateur mind, reporting that claims Google is somehow addressing these concerns (see the Verge, for example http://www.theverge.com/2013/8/16/4627232/google-cloud-storage-automated-128-bit-aes-security) sounds bizarrely misinformed, under-researched, and poorly analyzed.

 

I truly hope this kind of (in my opinion) blather is not affecting the thinking folks at Evernote (like smoking the Halfling's weed, as Saruman would say). 

  • Like 2
Link to comment

By the way, there is (as Phil mentioned in the interview) a lot of confusion out there about this Prism thing.

 

Not just Phil, but even the people-in-charge don't know what is going on with the NSA.

WaPo’s bombshell: Feinstein didn’t know about NSA’s audit of privacy violations

The big story is that Congress, overseers of the NSA and guardians of the public’s privacy, seems to have zero idea of how many “incidents” there are. And that includes the congressional watchdog-in-chief — the chairman of the Senate Intelligence Committee Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit until The Post asked her staff about it. The NSA, it seems, really is an island unto itself inside the federal government.

http://goo.gl/k7caQV

 

Link to comment

 

By the way, there is (as Phil mentioned in the interview) a lot of confusion out there about this Prism thing.

 

Not just Phil, but even the people-in-charge don't know what is going on with the NSA.

WaPo’s bombshell: Feinstein didn’t know about NSA’s audit of privacy violations

The big story is that Congress, overseers of the NSA and guardians of the public’s privacy, seems to have zero idea of how many “incidents” there are. And that includes the congressional watchdog-in-chief — the chairman of the Senate Intelligence Committee Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit until The Post asked her staff about it. The NSA, it seems, really is an island unto itself inside the federal government.

http://goo.gl/k7caQV

 

 

 

You raise an important point about making an informed decision about our data. In my opinion, we will probably not know the full extent of surveillance and abuse for many decades to come, and once your data is turned loose, you have no control over it, and it will float around in data centers forever. It may already be too late for some people. For all we know, some of our data ended up in Russia with Snowden.

 

I use the plural "data centers" here, because a lot of this data will escape from government servers through hacking, freedom of information requests, loss, and other means. It has happened before. It is happening. It will happen again. What happens when governments, corporations, and nefarious individuals (including those in the institutions) gain access to our "second brains"? This is some unsettling stuff. 

 

That's why I think it is a good idea for Evernote to institute something like this. The debate really isn't about what Prism does or doesn't do (interesting as it  is), but about instituting a policy that (in large part) removes the "trust" factor from the equation. With a zero-knowledge encrypted notebook, Evernote wouldn't have access, their employees wouldn't, and neither would the government. We don't have to "trust" every govt. official (in several governments, if information sharing news is accurate). We take the power out of their hands and put it in ours. That seems like the safest course of action no matter how this Prism thing turns out.

  • Like 4
Link to comment

Hey GM,

 

That's why I think it is a good idea for Evernote to institute something like this. The debate really isn't about what Prism does or doesn't do (interesting as it  is), but about instituting a policy that (in large part) removes the "trust" factor from the equation. With a zero-knowledge encrypted notebook, Evernote wouldn't have access, their employees wouldn't, and neither would the government. We don't have to "trust" every govt. official (in several governments, if information sharing news is accurate). We take the power out of their hands and put it in ours. That seems like the safest course of action no matter how this Prism thing turns out.

 

I think you may be right here. Even though Evernote's business model doesn't depend on advertising/tracking (which is good for us!), they aren't immune from unreasonable government requests. I found an article that explains this quite clearly:

 

Indeed, the cooperation [between intelligence agencies and 'cloud' companies] was usually “voluntary” in large part because companies couldn’t afford to seem uncooperative, says another private-sector official who would speak about classified issues only on condition of anonymity. “The ways that pressure works in Washington are very subtle,” he says. “No one’s getting bribed, or punished outright. But it’s the good little Indian that gets rewarded. And these companies needed the goodwill of the NSA and other agencies.”

 
[…]
 
If industry refused, the NSA had the unique ability to both reward and punish, thanks to its implicit veto power over deals and exports
 

If the government wants something, they'll get it. I love Evernote, but I think that the Uplink motto "Trust is a weakness" applies here. :D

  • Like 1
Link to comment

If people are really worried about storing "encrypted" data in Evernote and the government getting it, then you have bigger problems and really shouldn't even be commenting in this forum.

I just want to keep prying eyes off of my data, that's it, nothing else. It's more of a "feel good" than anything else. I've been looking for something cross platform that I can use for journaling my life, family, friends, venting - getting things off my mind without others reading it because I left my machine unlocked & someone went snooping. While this would be rare, it could happen. This would give me peace of mind. I often spell things out as I see them, which could upset someone if they read it. My thoughts are my thoughts - period... One of the only things I can control these days (I tend to ***** that up too).

 

Looking forward to the update. Been a light user for several years, with the announcement of "secure data" I purchased for the year. Something I don't do very often.

 

Cheers

  • Like 3
Link to comment

There were many things that they said would never be done in EN but this has been a "sexy year" for new features.

 

I'll add my vote for allowing encrypting / PW protecting notes without having to log out of the whole EN program.

Link to comment

I've been an evernote premium customer for a few years now and pretty happy with the service.  However, it has become clear that it's no longer possible to trust service providers with my data, despite the best intentions of the service providers to keep my data private.  So, I'm hoping that Evernote will enhance their product to give users like me the option to use zero-knowledge encryption as GrumpyMonkey mentioned in his post:

 

This is the kind of encryption I want from Evernote. A notebook encrypted in this manner with zero-knowledge encryption would be ideal.

https://spideroak.co...q/questions/23/

 

 

 

I understand this may cause some features, like server-side OCR to not work correctly (or at all).  Maybe giving me the option to have my attachments OCR'd might be useful, perhaps some hand-waving assurances that you'll return the OCR'd info and destroy the object.  Or maybe not at all.

 

In this version of the product, EN is reduced to being a storage provider for my data synchronization needs as well as a supplier of high quality client applications.

 

I'm now actively searching for a solution like this, perhaps built over a service like SpiderOak (that I try to use preferentially to DropBox) or something else. While I have particular reason to distrust EN as a service provider, it seems to me that to solve my problem I don't NEED to try my service provider, and as a matter of good hygiene, I probably shouldn't trust service providers unless I absolutely need to.

 
Link to comment

I think that encrypted notebooks are one of the most needed features! Not truly safe? Hey! It's my choice!!! They don't provide cars without brakes because they can wear out. Check your brakes, but brakes are useful. The world is full of software and devices with drawbacks. You can put your accounts into a USB key and that can be stolen but... it's not a reason to not produce USB keys!!!

Encrypted/password-protected notebooks are useful for a lot of semi-sensitive or sensitive data. Period. Drawbacks in terms of indexing, security, etc.? Let me know. I will decide if the option fits me. And I know it will fit!

  • Like 1
Link to comment

I use the in-note encryption feature quite a lot but I think I have read in the past that it's a really weak form of encryption (something about export of munitions being applied to crypto software?).  In which case, what's the point?

As far as I am concerned, the current encryption seems pointless, though in practical terms, even it is unlikely to be broken. I certainly wouldn't see any point in using it for a whole notebook when better levels of security are available. Ideally, we'll get this feature, it will use at least 256 bit encryption, and it will be zero knowledge.

Link to comment

 

I use the in-note encryption feature quite a lot but I think I have read in the past that it's a really weak form of encryption (something about export of munitions being applied to crypto software?).  In which case, what's the point?

As far as I am concerned, the current encryption seems pointless, though in practical terms, even it is unlikely to be broken. I certainly wouldn't see any point in using it for a whole notebook when better levels of security are available. Ideally, we'll get this feature, it will use at least 256 bit encryption, and it will be zero knowledge.

 

 

 

The NSA didn’t weaken a crypto standard. Rather, it put a backdoor inside the standard. There’s an important difference. As a consequence, if you use Dual_EC_DRBG, you’re still well-protected if the adversary you’re defending against isn’t the NSA. But if it is, you’re pretty much stuffed.

 

http://grahamcluley.com/2013/09/nsa-cheated-cryptography/

 

You may find this interesting.  I interpret this to mean all known forms of encryption can be and are being subverted by the NSA.  Perhaps there are algorithms in a tool like TrueCrypt that don't use the Dual_EC_DRBG standard, but you'd have to do some research to find out.  

 

 

Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him.
- Cardinal Richelieu
Link to comment

 

 

You may find this interesting.  I interpret this to mean all known forms of encryption can be and are being subverted by the NSA.  ...

 

 

 

I don't believe this.  Here is why.

 

Edward Snowden stated:

 

Snowden's response: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

 

 

 

http://www.businessinsider.com/edward-snowden-email-encryption-works-against-the-nsa-2013-6

 

 

 

 

 

AND

 

Bruce Schneier has already stated NOT to use EC.

 

 

 

Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

 

 

 

 

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

 

 

 

Schneier also states:

 

 

 

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.

 

 

What I glean from all this is the fact that stronger crypto systems have the best chance of working.  But even better would be non-NSA influenced ciphers;  Twofish and Threefish come to mind.  Apart from the latter, and One Time Pads, AES256 seems to be the best choice. (Although adopted by the NSA, it is my understanding it was not developed by the NSA.  Instead it was the "winner" in a search for a new crypto system.  The winner: Rijndael)

 

(PS  I am not a cryptographer, but I follow those that are.)

  • Like 1
Link to comment

In my opinion, we are discussing two completely different needs, and I think it's a mistake trying to reconcile them.

Someone just needs a password protection on notebooks or, let me say so, a "soft" encryption. Useful for personal journaling, not-so-important accounts and so on. Nothing they care to protect from government... They only want to protect from prying eyes. Let's say "private" notebooks.

Others need to store completely unreachable information. Not necessarily terrorists. Maybe politicians who do not want to let someone put his nose on anything private, or professionals who have to keep some data confidential, or, simply, normal people who are concerned to store safely the login data of the bank account. They need a safe or a vault. Let's say "safe" notebooks.

Or maybe, the same person (me, for example) has the two needs.

Why not just make available the two different features?

"Private" notebooks, with just a password. Not strongly protected but searchable and, maybe, password recovery option.

"Safe" notebooks, REALLY encrypted, totally or in part. I mean: totally encrypted, or searchable titles but unsearchable content. Without password recovery option, of course.

You will NEVER succeed in making a compromise between the two solutions or convince the users they do not need one or the other solution. It's a useless struggle.

Link to comment

It might be a subtle point but I think a PIN might be better than a "password".  Just like on the mobile devices.  I wouldn't want someone getting carried away thinking there's any security behind that.  I do want to deny casual use if someone is granted brief access to my desktop, without having the hassle of logging in and out of Evernote in the desktop client.  But all of the data is still there for the gleaning if you look at the backend. For that, there's no substitution for encryption.  It's not hard and doesn't have to add noticeable overhead.

Link to comment

It might be a subtle point but I think a PIN might be better than a "password".  Just like on the mobile devices.  I wouldn't want someone getting carried away thinking there's any security behind that.  I do want to deny casual use if someone is granted brief access to my desktop, without having the hassle of logging in and out of Evernote in the desktop client.  But all of the data is still there for the gleaning if you look at the backend. For that, there's no substitution for encryption.  It's not hard and doesn't have to add noticeable overhead.

 

Agreed, a PIN on the desktop app would be great.  I don't want to have to lock my workstation all the time, especially at home where others want to use the computer.  Just need a PIN to get into the desktop app once it's minimized in the task tray and you open it back up.

Link to comment

Actually I was wondering why not do something totally different in order to get this done without really encrypting the data.

As far as I can see it, some people want the notebook to be password protected, but on the other side Evernote doesn't want to do this as it would cost more and the system isn't built for that.

So why not just password protect the notebook so when you first want to open it, it asks for a password just to look at it, this can't be so hard to implement.

Together with an auto logout that asks for a password when the file is shown for more than like five minutes, you have almost the same thing as people are asking for, as someone that would like to see it needs a password anyway.

  • Like 1
Link to comment

Sadly no, a password prompt and auto-timeout (as is in place in mobile EN clients with premium account) has nothing to do with the needs enumerated in this thread.

That's not to say it's not worthwhile, even in addition to encrypted notes/notebooks (be it local, remote, local and remote - non-key-escrowed), but it just addresses the requests of other use cases in other threads.

For now breath is likely best conserved until EN releases what they already have baking in the oven and we kick it around a bit.

Link to comment

Sadly no, a password prompt and auto-timeout (as is in place in mobile EN clients with premium account) has nothing to do with the needs enumerated in this thread.

That's not to say it's not worthwhile, even in addition to encrypted notes/notebooks (be it local, remote, local and remote - non-key-escrowed), but it just addresses the requests of other use cases in other threads.

 

Actually you misunderstood me.

I said, that single documents should be password protected again, so that the mobile client can stay open as most users like it.

I am not sure if you ever worked with password protected documents in Office, but while your computer might have a password and you can leave it unlocked all day long, just to open this one document, you need an extra password again.

So just password protect a Notebook, so you need to enter maybe a different password than your Evernote password just to open the notebook.

This way most people have what they want, as they just want that people can't open single notebooks from evernote, while all the other ones are an open book to everyone that comes along the computer.

Link to comment

Ok, got it.

Isn't that already essentially addressed on the mobile client with PIN support?

Now if we're talking about bringing that over to the desktop side, it sounds appealing, except that somewhere near half of the users I've read posting requests in that area know that the data can still be read on the back end, either in the same account looking at the Evernote folder and sqlite database itself, or the same from another admin level account on the same computer.

Adding local per note/notebook side encryption then serves both halves of the feature request. It blocks both in-evernote and out-of-evernote read attempts.

And this is completely separate from any discussion of the evernote server side handling/non-handling/awareness of the encryption. This would be local client encryption only, with data decrypted on every authenticated read (be that the Evernote user, or a sync operation).

Link to comment

In the attempt to find a Mac replacement for Ms OneNote, Evernote comes up at the top of the list. However, I'm shocked that it's not possible to password protect a whole notebook (local or synced), and to set a desired timeout/lockout period (i.e. 1,5,10,15 min). Even Microsoft figured out this one! So far, Evernote isn't winning me over. :(

Link to comment

Evernote already has the ability to encrypt single notes. This is useful for things like storing passwords or other temporary sensitive content. But it's not practical to encrypt many notes one by one.

 

I didn't know there was a way to encrypt a single note, I know that I can encrypt selected text but not a complete note. I am going to go and look for that feature. 

 

I do agree though that an option to encrypt a complete notebook would be great.

Link to comment

Evernote already has the ability to encrypt single notes. This is useful for things like storing passwords or other temporary sensitive content. But it's not practical to encrypt many notes one by one.

 

I didn't know there was a way to encrypt a single note, I know that I can encrypt selected text but not a complete note. I am going to go and look for that feature.

I don't believe that there is. You can encrypt a note's text content, but not a whole note, as far as I know.
Link to comment

That's what I thought, I didn't see anything about an entire note. That would be sweet if we could do that also. I personally don't like the concept of encrypting only a section of text within a note, I think encrypting a note and/or a notebook would be a game changer.

  • Like 1
Link to comment

I live Evernote's tag line (Remember everything).  For me, that includes, for example, confirmations of bill payments.  In some cases, those include full account numbers for a credit card, for example.  I'd like to be able to encrypt my entire "Finances" notebook.  I am already a premium user - it's an important feature, if Evernote means what it says in its tagline.

 

Link to comment

I live Evernote's tag line (Remember everything).  For me, that includes, for example, confirmations of bill payments.  In some cases, those include full account numbers for a credit card, for example.  I'd like to be able to encrypt my entire "Finances" notebook.  I am already a premium user - it's an important feature, if Evernote means what it says in its tagline.

 

To avoid putting this sort of info into the cloud, I store the bill, statement, and payment details in a local non-sync'd notebook.

This makes the info only available on my home computer.

  • Like 2
Link to comment

I have had it with this on-going debate and Evernote's stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

 

I am migrating to the first alternative (simple) note taking app I come across which does offer better encryption functionality. I am willing to pay for it, and sacrificing other Evernote functionalities is no problem. Hope some developers are reading along...

Link to comment

Evernote's on-going stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

 

What are you talking about? Their CEO, Phil Libin, has promised they were working on precisely this (notebook-level encryption), and planned to release it before the end of the year or shortly afterwards.

 

From the Evernote Podcast episode 40, from October 30th, around 51 minutes in:

"We actually got a super cool, uh, we're really really beefing up how we do client-side encryption across the board […] it's something we are hard at work now across multiple clients."

Link to comment

I have had it with this on-going debate and Evernote's stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

The same could be said about users who seem to think because they want something, Evernote should give it to them.  Or users who can't accept the fact that maybe, just maybe, Evernote has discussed said feature & either put a low priority on it (for whatever reasons - time/resources (translate: engineer hours), other/more pressing priorities, etc) or totally nixed the idea altogether.  Evernote never really has been about storing sensitive data, although they do allow you to encrypt text in notes.  There are a lot of other ways to store sensitive data, including encrypting it & putting the file in Evernote.  There are true password managers that handle stuff like this brilliantly.  The fact of the matter is, if this is a deal breaker for you, you need to find another app that better suits your needs.  Good luck with your search.

Link to comment

 

I have had it with this on-going debate and Evernote's stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

The same could be said about users who seem to think because they want something, Evernote should give it to them.  Or users who can't accept the fact that maybe, just maybe, Evernote has discussed said feature & either put a low priority on it (for whatever reasons - time/resources (translate: engineer hours), other/more pressing priorities, etc) or totally nixed the idea altogether.  Evernote never really has been about storing sensitive data, although they do allow you to encrypt text in notes.  There are a lot of other ways to store sensitive data, including encrypting it & putting the file in Evernote.  There are true password managers that handle stuff like this brilliantly.  The fact of the matter is, if this is a deal breaker for you, you need to find another app that better suits your needs.  Good luck with your search.

 

 

Please read the preceding two pages of user contributions expressing similar wishes as to the future functionality of the Evernote product before diving in here with your apologist Evernote defense, which seems largely based on the premise that a product cannot develop beyond what it once was. History proves you wrong on that count and the fact of the matter is there may well have been more people than you think, who stored sensitive data in Evernote and who have only now become aware of the capabilities of US industrial espionage.

Link to comment
  • 0
  • Level 5*

I have had it with this on-going debate and Evernote's stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

This is not a debate, it's just user discussion. Obviously, Evernote has heard the request (viz. Phil Libin's pronouncements). Evernote may do this and deliver it this year, or they may not (for whatever reason). Best to wait until it's been delivered before you make plans to integrate it into your workflow.
Link to comment
  • 0

Please read the preceding two pages of user contributions expressing similar wishes as to the future functionality of the Evernote product before diving in here with your apologist Evernote defense, which seems largely based on the premise that a product cannot develop beyond what it once was. History proves you wrong on that count and the fact of the matter is there may well have been more people than you think, who stored sensitive data in Evernote and who have only now become aware of the capabilities of US industrial espionage.

I've read the posts.  I've been here much longer than you have.  And please don't misconstrue what I said.  If you *really* read what I posted & don't jump to a knee jerk reaction, you'll see you're not comprehending what I said.  This is not a "debate" & I fail to see why you need to drag "history" into this.  The fact that you disagree with Evernote's decision is fine.  But it's *their* product & *their* decision.  Again, if this is a deal breaker for you, you should find an app that better suits your needs. It's really that simple.

Also, once again...

 

The same could be said about users who seem to think because they want something, Evernote should give it to them. Or users who can't accept the fact that maybe, just maybe, Evernote has discussed said feature & either put a low priority on it (for whatever reasons - time/resources (translate: engineer hours), other/more pressing priorities, etc) or totally nixed the idea altogether.

Link to comment
  • 0
  • Level 5*

I have had it with this on-going debate and Evernote's stubborn dodging / not hearing the very strong arguments for notebook-level encryption.

The same could be said about users who seem to think because they want something, Evernote should give it to them.  Or users who can't accept the fact that maybe, just maybe, Evernote has discussed said feature & either put a low priority on it (for whatever reasons - time/resources (translate: engineer hours), other/more pressing priorities, etc) or totally nixed the idea altogether.  Evernote never really has been about storing sensitive data, although they do allow you to encrypt text in notes.  There are a lot of other ways to store sensitive data, including encrypting it & putting the file in Evernote.  There are true password managers that handle stuff like this brilliantly.  The fact of the matter is, if this is a deal breaker for you, you need to find another app that better suits your needs.  Good luck with your search.

 

Please read the preceding two pages of user contributions expressing similar wishes as to the future functionality of the Evernote product before diving in here with your apologist Evernote defense, which seems largely based on the premise that a product cannot develop beyond what it once was. History proves you wrong on that count and the fact of the matter is there may well have been more people than you think, who stored sensitive data in Evernote and who have only now become aware of the capabilities of US industrial espionage.

BNF has a right to her opinion on the topic, just as you do. This is a user discussion board. Let's discuss!

I don't know that history proves anything, but I would say it is generally not terribly helpful with prognostication. I would say history is a great resource for understanding how things have become the way they are today. I am just speculating here, but the fact that Evernote lacks particularly strong encryption and has very few encryption options is probably a reflection of the vision that Evernote has of the service as something akin to your email account--ubiquitous access + a basic level of security. They don't appear to have been interested in aiming to create a locked down environment. Several of the Evernote employees have a background in security systems, so it seems to be a choice, not an oversight.

In this sense, BNF is correct, right? She is stating that this is how it has been, pointing out that Evernote employees probably aren't the incompetent or evasive figures the poster has portrayed them as, speculating that they will continue on this course, and suggesting that users might want to consider alternative solutions if they have strong security needs. Her comments seem reasonable to me. And, I can assure you that she reads nearly everything that is posted on this forum. Heck, with 11,000 posts, she's posted in most of the threads!

Evernote might have signaled a shift recently based on the comments made by the CEO about upcoming encryption features. It will be interesting to see what happens. Personally, I'd like to see all kinds of improvements in security, including encrypted notebooks.

  • Like 2
Link to comment
  • 0

But it's *their* product & *their* decision.  Again, if this is a deal breaker for you, you should find an app that better suits your needs. It's really that simple.

 

 

Thanks for reminding us that EverNote is Evernote's product and that EverNote's owners can decide how they want EverNote to develop.

 

For the rest of us I would argue that what should be relevant for Evernote's future strategy and growth ambitions is what prospective customers want and how their existing customers are responding to developments in society by changing their preferences for security vs functionality for example.

Link to comment
  • 0
  • Level 5*

This is irrelevant meta-nonsense based on kindergarten logic. Nobody disputes that a company can react with the stance that you describe and that I would label as "taking their marbles and going home".

 

What should be relevant for Evernote's future strategy and growth ambitions is what prospective customers want and how their existing customers are responding to developments in society by changing their preferences for security vs functionality for example.

Judging by the time stamps, I am guessing that you are responding to BNF here. Again, I don't think what she is saying is nonsense. Of course, I agree that they should aim for further growth and so forth, but I leave it to them to figure out how they want to allocate resources. I have no inside knowledge, so I cannot say if it is good or bad that they don't have encrypted notebooks yet. It is an issue for me, but I doubt I am representative of the larger user base.

Link to comment
  • 0

This is irrelevant meta-nonsense based on kindergarten logic. Nobody disputes that a company can react with the stance that you describe and that I would label as "taking their marbles and going home".

What should be relevant for Evernote's future strategy and growth ambitions is what prospective customers want and how their existing customers are responding to developments in society by changing their preferences for security vs functionality for example.

Of course Evernote listens to their customers & adds features based upon that. What is at issue here is that the feature *you* want has not been implemented. So basing your claim on that is flawed.  As others have said above, Phil mentioned something about security by year end.  However, as with due dates/reminders, the end product may not be what you are expecting it to be.  So as Jeff said, it would be wise to adjust your workflow to the way Evernote works today. 

 

Several of the Evernote employees have a background in security systems, so it seems to be a choice, not an oversight

Nor a lack of ability.

Edited by BurgersNFries
Corrected quote
Link to comment
  • 0
  • Level 5*

Several of the Evernote employees have a background in security systems, so it seems to be a choice, not an oversight

Nor a lack of ability.

I think you are quoting me here, right?

Indeed. I think the Evernote developers (at least, in my experience) are extremely competent. I wouldn't be surprised if they are among some of the best in their respective fields. This doesn't mean they will make the "right" decisions (amazingly, they have not implemented all of my suggested changes). It does mean, though, that they have probably thought through all of this a lot more deeply than we have :)

  • Like 1
Link to comment
  • 0

Several of the Evernote employees have a background in security systems, so it seems to be a choice, not an oversight

Nor a lack of ability.

I think you are quoting me here, right?

Indeed. I think the Evernote developers (at least, in my experience) are extremely competent. I wouldn't be surprised if they are among some of the best in their respective fields. This doesn't mean they will make the "right" decisions (amazingly, they have not implemented all of my suggested changes). It does mean, though, that they have probably thought through all of this a lot more deeply than we have :)

Ahhhh...yes, I am quoting you. Sorry. I will correct this.

Link to comment
  • 0

I've read the posts.  I've been here much longer than you have

So I was wondering, because you are here MUCH longer than others, what does make you think that you are better than others?

I don't & I don't know why you think that.  I do think I know what Evernote is about more than others. 

Link to comment
  • 0

I've read the posts.  I've been here much longer than you have

So I was wondering, because you are here MUCH longer than others, what does make you think that you are better than others?

I don't & I don't know why you think that.  I do think I know what Evernote is about more than others. 

 

So you work for Evernote?

If not, you have a couple of friends that tell you about stuff in this company?

Or you just assume that your postings count makes you know it better?

Link to comment
  • 0

So you work for Evernote?

If not, you have a couple of friends that tell you about stuff in this company?

Or you just assume that your postings count makes you know it better?

Jealous much?  That's the only reason I can think of why you'd post such silly comments that have no relevance. 

 

But thanks for playing.

Link to comment
  • 0
  • Level 5*

OK, kids. This has veered way off-topic. Let's try to stop arguing about credentials, and get back to the actual topic, if there's anything more to add to the existing conversation.

Link to comment
  • 0

 

So you work for Evernote?

If not, you have a couple of friends that tell you about stuff in this company?

Or you just assume that your postings count makes you know it better?

Jealous much?  That's the only reason I can think of why you'd post such silly comments that have no relevance. 

 

But thanks for playing.

 

Sorry cutiepie, I could care less about someone like you that thinks his postings count makes him a better person.

I am not here to get a high postings count and like you I don't spend my life in an Evernote forum.

Link to comment
  • 0

I agree completely.

 

Barging in here spewing stuff like "I have been here longer than you" and "Perhaps Evernote considered the feature and decided against it" is completely self-aggrandizing nonsense and is ignorant of the fact that the CEO already announced they were working on these features.

 

As the person responsible for information security in a 200+ person company I am currently the one holding back a decision to implement Evernote for project management and I'm looking forward to seeing what cipher stacks and design principles regarding client side encryption will be put in place for the upcoming release of an "enterprise ready" EverNote.

  • Like 1
Link to comment
  • 0
  • Level 5*

Especially with the ScanSnap scanner option and desire to go paperless it is very important to have a place for secure document storage.  Evernote should keep their solutions cohesive.

I think that is a great feature suggestion. The solutions are cohesive, in my opinion, but require you to use the local notebooks or encrypt each PDF individually. Personally, I file confidential notes in a local notebook. This way, I avoid any issues with security on the cloud. Ideally, of course, we'd have encrypted notebooks, but until that time, you actually do have some options.

Link to comment
  • 0
  • Level 5

 

 

Evernote already has the ability to encrypt single notes. This is useful for things like storing passwords or other temporary sensitive content. But it's not practical to encrypt many notes one by one.

 

I didn't know there was a way to encrypt a single note, I know that I can encrypt selected text but not a complete note. I am going to go and look for that feature.

 

I don't believe that there is. You can encrypt a note's text content, but not a whole note, as far as I know.

 

 

Some 14 score days ago, it was written ^^^

 

Veering back in the neighborhood.

 

So long as there are no attachments

The nearest solution is whole note via:

 

Control-A

Control Shift X

(enter password)

 

You can seemingly have any manner of rich markup (including tables) except a checkbox.

For my client, having a checkbox prevents encryption.

But once the whole item is encrypted, you can go back and add in checkboxes, and they'll be stored.

Link to comment
  • 0

I am just going to +1 this topic.  

 

Given how awesome Evernote is otherwise and given that it is my de facto cloud-based-brain, I really need to be able to encrypt entire notes or notebooks.  Encrypting just the text is not enough, there's too much sensitive information stored in non-text formats these days.

 

I hope when they do release it that it's a standard feature, but if it was a premium feature, it would probably be a tipping point for me to go premium.

 

Any word on their progress with launching this feature?

  • Like 3
Link to comment
  • 0
  • Level 5*

I am just going to +1 this topic.  

 

Given how awesome Evernote is otherwise and given that it is my de facto cloud-based-brain, I really need to be able to encrypt entire notes or notebooks.  Encrypting just the text is not enough, there's too much sensitive information stored in non-text formats these days.

 

I hope when they do release it that it's a standard feature, but if it was a premium feature, it would probably be a tipping point for me to go premium.

 

Any word on their progress with launching this feature?

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

Link to comment
  • 0

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

It's not for me to say. But I'd guess if it were premium, it would spawn a whole 'nuther rant theme similar to the one(s) that offline notebooks should not be a premium feature.

Link to comment
  • 0
  • Level 5*

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

It's not for me to say. But I'd guess if it were premium, it would spawn a whole 'nuther rant theme similar to the one(s) that offline notebooks should not be a premium feature.

True. I don't envy Evernote's task of deciding what goes with Premium and what doesn't. Their notebook sharing policy might give a clue, though. Free=encrypt one notebook. Premium=encrypt up to 250?

  • Like 1
Link to comment
  • 0

EN needs to give the option of encryption for notebook level at least.  If not people are not going to be able to trust the integrity of their notes.  I really don't want to start using another tool but the reasons for encryption seem to be growing.

Link to comment
  • 0
  • Level 5*

EN needs to give the option of encryption for notebook level at least.  If not people are not going to be able to trust the integrity of their notes.  I really don't want to start using another tool but the reasons for encryption seem to be growing.

 

I agree. At the moment, I've split my notes up into confidential (VoodooPad) / non-confidential (Evernote) because I need secure access to my notes on iOS. It works pretty smoothly, and it isn't a big deal (especially with my workflow), but I think the more options the better for everyone.

http://www.christopher-mayo.com/?p=1605

 

If you are only using a single desktop, of course, Evernote's local notebooks are a secure solution, because they do not sync to the cloud. I used this solution for a long time and accessed these notes through a remote login, but (as I talk about on the post above), this is no longer an appealing option for me. 

 

Looking forward to Evernote's "sexy" encryption solution :)

  • Like 1
Link to comment
  • 0

+1 for encrypting entire notebooks. This feature would be so useful, especially when considering EverNote for business. I'm currently not a paying customer. I would consider becoming one for this feature alone, if it was done right (i.e. encrypted on the client side, and no, I don't want you to be able to recover my content if I forget the key). With this feature, I'm sure more business users would consider paying for this product.

  • Like 1
Link to comment
  • 0
  • Level 5*

+1 for encrypting entire notebooks. This feature would be so useful, especially when considering EverNote for business. I'm currently not a paying customer. I would consider becoming one for this feature alone, if it was done right (i.e. encrypted on the client side, and no, I don't want you to be able to recover my content if I forget the key). With this feature, I'm sure more business users would consider paying for this product.

 

I agree. Encryption on the client side, zero-knowledge (only I have the key and can un-encrypt it), and at the notebook level (one text passage at a time won't cut it) would be perfect for my needs. I think it is a pretty critical feature to have these days -- it's been a year since the Snowden leaks and I am sure some people are wondering why Evernote hasn't done it yet. Then again, hardly anyone else has either! My guess is that this is easier said than done. Still, it is worth the effort, and I sure hope we get the encryption soon.

  • Like 2
Link to comment
  • 0

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

More broadly, the lack of practical encryption also calls into question whether stuff saved to evernote qualifies for trade secret protection. That's because trade secret law requires you keep your trade secrets, well, secret.  No encryption = no confidentiality = good bye trade secret.

 

I suppose you could have Chris Dahl issue an opinion letter stating that your product doesn't break privilege or waive trade secret protection, with an offer to indemnify your users in the event that turns out to not be true.  But I suspect he wouldn't be ok with that...

Link to comment
  • 0

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

While I agree with and support your request as a fellow user who also handles confidential data, it is not Evernote that is putting your clients at risk, it is you who is putting your clients at risk by using Evernote. For data that is this sensitive, there are other alternatives. 

  • Like 1
Link to comment
  • 0
  • Level 5*

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

More broadly, the lack of practical encryption also calls into question whether stuff saved to evernote qualifies for trade secret protection. That's because trade secret law requires you keep your trade secrets, well, secret.  No encryption = no confidentiality = good bye trade secret.

 

I suppose you could have Chris Dahl issue an opinion letter stating that your product doesn't break privilege or waive trade secret protection, with an offer to indemnify your users in the event that turns out to not be true.  But I suspect he wouldn't be ok with that...

 

Hi. Welcome to the forums!

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

Link to comment
  • 0

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

 

 

Thanks Christopher, this is very helpful!

Link to comment
  • 0

 

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

 

 

Thanks Christopher, this is very helpful!

 

 

Thanks for these tips!  Local notebooks are ok, but I really want it on my phone too... Looks like both Voodoo and Devon are iOS only, any recommendations for Android?  Maybe local notebooks + BoxCryptor?

 

Scott--your point is well taken, and for that reason I *can't* use evernote for any sensitive material, despite all indications being that the efficiency boost might be life-changing.  But having lurked on the sidelines for years over this issue, I thought I'd speak up with a couple of specific user stories on why full-notebook encryption should be moved up in EN's development backlog.  In the meantime, I will continue watching and waiting...

  • Like 2
Link to comment
  • 0
  • Level 5*

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases.

Thanks Christopher, this is very helpful!

Thanks for these tips! Local notebooks are ok, but I really want it on my phone too... Looks like both Voodoo and Devon are iOS only, any recommendations for Android? Maybe local notebooks + BoxCryptor?

Scott--your point is well taken, and for that reason I *can't* use evernote for any sensitive material, despite all indications being that the efficiency boost might be life-changing. But having lurked on the sidelines for years over this issue, I thought I'd speak up with a couple of specific user stories on why full-notebook encryption should be moved up in EN's development backlog. In the meantime, I will continue watching and waiting...

Thanks for speaking up! I have no answers for Android. Sorry. My Samsung phone is not getting a whole lot of note-taking use because there doesn't appear to be anything with convenient encryption (I assume a handful of notes is doable on an app somewhere, but I see nothing remotely capable of handling hundreds or thousands of notes). It's too bad, but it looks like this market (note-taking across platforms with encryption) is extremely under-developed at the moment. Even if I had an iPhone, the options are shockingly limited with hundreds of thousands of apps in the stores :(

If Evernote can nail this, I think it will be a huge mark in their favor when people are comparing apps and considering which one they want to use.

  • Like 1
Link to comment
  • 0

Evernote IS the best at what it does.  Nothing else comes close...trust me, I have searched.

 

Third party app integration is excellent.  Sync works great.  It's available for almost every platform.

 

So instead of waiting on the encryption, I have started using Local Notebooks more...and not sending docs to EN via File This Fetch. (Use the Mac instead.)

 

Still hoping...

  • Like 1
Link to comment
  • 0

I suggest that Evernote add a new feature, lockable notebooks.  A locked notebook is one that cannot be opened without a password.  This way all notes in the notebook cannot be viewed.  If you want a note to be hidden from view, then simply move it into the notebook.  There is only one password to remember for all the notes in the notebook.  Locking individual notes is a pain and cannot be done on an iPad.  With this feature you can keep a private diary that is not easily viewed. 

 

I know that you can have a passcode lock for evernote for the iPad, but this would just be for one or a few notebooks.  The passcode would only be needed when working with those notebooks.

 

A search should not show a note that is in a locked notebook, but it could optionally indicate that a search result is in a locked notebook.  Or a search will only find a note that is in an unlocked notebook.

 

A notebook would stay unlocked for 5 minutes after the last viewing/ editing of a note in a locked notebook.  Or it could stay unlocked until the user switches to a new app (iOS) or closes the window (web) or quits the program (desktop).

  • Like 1
Link to comment
  • 0
  • Level 5*

I'll +1 that - it has been suggested before, with variations;  and I'm not sure how Evernote would engineer that (please don't tell me how they could..) but I can see it would be a bit of added protection for public use when a user might click the wrong notebook and open up something unexpected.

 

Against that there's the fact that you can lock your screen when you are away from your desk / keep a separate free account for private stuff and switch to/from it easily from Premium / or password protect note contents in a word-processor file to prevent accidental display.

 

Still,  the devs do read these posts...

Link to comment
  • 0

+1 For encryption on notebook level with zero knowledge

 

I'm surprised that a company like EN has such weak security levels.

 

After reading a lot about NSA, Encryption, Heartbleed,... I think if your data is in the cloud and the government wants it, they will get it. Even if you use the best encryption method. So my conclusion: If you want your data really safe, don't send it to the cloud.

  • Like 1
Link to comment
  • 0

Evernote, please add full-notebook encryption. 


 


I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.


 


Hoping this will be a new feature soon!


  • Like 1
Link to comment
  • 0

Only allowing encryption on local notebook is not a viable option, I left NeatReceipts to go to the cloud and now that I am thinking about putting confidential information into Evernote, encryption would be key. I understand why EverNote doesn't want to give us this ability, but we should still keep pushing for it.

 

Maybe they will throw us a bone and allow us to encrypt and protect specific notes/documents via an encryption password that would be only known to the user.....we all understand that encryption can be broken, but a targeted attack would be unlikely......an attack that grabs unencrypted data will happen, it is only a matter of time.

 

EverNote, give us some level of protection for our sensitive data

Link to comment
  • 0

Only allowing encryption on local notebook is not a viable option, I left NeatReceipts to go to the cloud and now that I am thinking about putting confidential information into Evernote, encryption would be key. I understand why EverNote doesn't want to give us this ability, but we should still keep pushing for it.

 

Maybe they will throw us a bone and allow us to encrypt and protect specific notes/documents via an encryption password that would be only known to the user.....we all understand that encryption can be broken, but a targeted attack would be unlikely......an attack that grabs unencrypted data will happen, it is only a matter of time.

 

EverNote, give us some level of protection for our sensitive data

 

1) It is not clear to me that Evernote DOESN'T want us to encrypt our data. Granted, encrypting our data with no server-side knowledge of the encryption would prevent any server side services like OCR.... but again I don't think Evernote is against the possibility of users encrypting. 

 

2) Evernote does give us some level of protection for our sensitive data. In the desktop clients users can select any amount of text and encrypt it. Web and mobile apps can decrypt any encrypted text. So, they do give SOME protection.

 

3) I imagine increasing security is on Evernote's radar, especially with their push into business, but offering the server side processing and cross-platform features they do will be hard to juggle with intensification of encryption, so it is not something that they can just jump into willy nilly. 

Link to comment
  • 0

I will be clear as to what I want:

 

I want my data synchronized with the online (cloud) version in a way that only I can access while logged in. I want the data to be encrypted on your server in a way that no one can access the data without the encryption key. You can use an encryption algorithm that uses the login password to create the encryption key.

 

I want the data at rest on your servers to be encrypted and secure so that if there is an EverNote security breach, I will know that my data is safe. If that means that EverNote can't use data mining against my data, so be it, but that might limit EverNote's revenue if they are monetizing our data in ways similar to the way Google does....i.e. targeted Ads

Link to comment
  • 0

I don't believe Evernote does much in the way of data mining. They aren't an ad company like Google. Most of their need to access your information is so that it can be processed by their OCR system and any indexing it does on the server. These aren't really revenue generators for them.

Your concern about a breach is valid, and Evernote isn't trailing too far behind any other mainstream cloud service provider. Definitely there is room for Evernote and many others to improve, but I really don't think we'll see zero-knowledge encryption, at least not any time soon.

Anything that is really that sensitive should perhaps not be out in ANYBODY'S cloud. Even the best of companies have proven to be vulnerable.

In the meantime, documents that are sensitive could be encrypted by you before adding to Evernote, that will keep those contents reasonably safe.

I am curious though, what is it that makes you think Evernote is generating money off users' Evernote contents? Is there something in their terms of service or their privacy policy? Have they started an ad agency a la Google that I haven't heard about?

Link to comment
  • 0
The post about data mining is not mine. I wrote:
 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

 

  • Thanks 1
Link to comment
  • 0

I will be clear as to what I want:

 

I want my data synchronized with the online (cloud) version in a way that only I can access while logged in. I want the data to be encrypted on your server in a way that no one can access the data without the encryption key. You can use an encryption algorithm that uses the login password to create the encryption key.

 

I want the data at rest on your servers to be encrypted and secure so that if there is an EverNote security breach, I will know that my data is safe. If that means that EverNote can't use data mining against my data, so be it, but that might limit EverNote's revenue if they are monetizing our data in ways similar to the way Google does....i.e. targeted Ads

Evernote does not data mine.

If your data is encrypted on the EN servers, it cannot be indexed, which is a big part of Evernote's appeal. If you say to use your logon password as part of the encryption password, then that's not much more secure than no encryption. You may find this old thread informative.

Link to comment
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

Link to comment
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

Please read the thread I linked to above. It's thorough & I'm not inclined to rewrite what I've already written. If you want a simple yes/no answer, then it's really simple...if you don't want a hacker getting your data, then don't put it in any cloud unless it is encrypted with an encryption key that is not known to the hosting company. I use Amazon S3 servers for this. But Evernote is not a backup app...it indexes your data & cannot do this if the data is truly & securely encrypted.

Link to comment
  • 0
  • Level 5*

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

 

Hi. The data is not encrypted on Evernote's servers. It would be nice if they did encrypt it, but I don't want Evernote (or anyone else) to have the key, so I am hoping that if/when they implement a more powerful encryption method that it is "zero knowledge."

Link to comment
  • 0

The post about data mining is not mine. I wrote:

 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

I don't believe anyone said you wrote about data mining...???

Evernote is not & I doubt they ever will be HIPAA compliant, which I believe is a requirement for the medical industry.

Link to comment
  • 0

 

The post about data mining is not mine. I wrote:
 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

 

Yes, to be absolutely clear, my post was not directed toward you, and I never claimed it was you writing about data mining. I was responding to EvernoteUser78 whose post is directly above mine. 

 

 

And, as BnF suggested, if you are keeping medical notes, I would absolutely NOT put that data in the cloud if it could be avoided.

 

You might consider DEVONThink, which has some facilities for LAN sync, so you can keep several devices in sync via your local network rather than transmitting your data over the internet. Now, you'd have to ensure you have a very secure (hopefully offsite) backup as well, since there is no centralized storage like with Evernote. But, you'd also have to make sure you are complying with whatever regulatory requirements you are bound by with respect to storing patients' data. 

 

Link to comment
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

 

As we have seen in the last few years, even some of the most robustly secured cloud services are vulnerable when hacking occurs. This is not to excuse Evernote's current state of security, which is not terribly different than a lot of mainstream cloud providers, and could be improved. Rather what I am saying is that ANY cloud is vulnerable when hacking occurs. In most cases, even highly secured cloud storage services will be compromised, it just takes longer. 

 

EDIT (OOPS this time I really did get my posts mixed up!) 

 

Keep in mind that data mining and being hacked are two very different types of events. 

 

You (and others in this thread) might also be interested in this blog post from several years ago:

Evernote's three laws of data protection

Link to comment
  • 0

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenario as the EN servers would handle the processing via email.

Link to comment
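
The approach several posts in this thread describe (encrypt on the local device with a passphrase only the user knows, then sync the result) and the trade-off raised against it (the server can no longer index the content), as an added example that is not part of any post and is not Evernote's code. It assumes Node.js and its built-in `crypto` module; the function names, the passphrase and the sample note are constructed for illustration.

```javascript
// Added example (not Evernote code): encrypt a note locally before it is synced.
const crypto = require("node:crypto");

// Stretch a passphrase into a 256-bit key with scrypt (Node defaults: N=16384, r=8, p=1).
// The passphrase is an assumption of this sketch: separate from the login password
// and never sent to the service.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Returns the record that would be uploaded. Salt, IV and tag are not secret.
function encryptNote(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct };
}

// Throws if the passphrase is wrong or the stored record was modified.
function decryptNote(rec, passphrase) {
  const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
}

// Stand-in for server-side indexing: count stored blobs containing a search term.
function serverSearch(storedBlobs, term) {
  return storedBlobs.filter((b) => b.includes(Buffer.from(term, "utf8"))).length;
}

function demo() {
  const note = "Constructed sample note: quarterly budget draft";
  const rec = encryptNote(note, "constructed example passphrase");
  let wrongPassphraseRejected = false;
  try { decryptNote(rec, "not the passphrase"); } catch (e) { wrongPassphraseRejected = true; }
  return {
    roundTrip: decryptNote(rec, "constructed example passphrase") === note,
    wrongPassphraseRejected,
    hitsOnPlaintext: serverSearch([Buffer.from(note, "utf8")], "budget"),
    hitsOnCiphertext: serverSearch([rec.ct], "budget"),
  };
}

console.log(demo());
```

Because the key exists only on the client, a forgotten passphrase leaves the stored record unreadable to the user and the service alike.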
