Jump to content

Evernote Encryption


Recommended Posts

Problem

There doesn't seem to be a way to change your encryption passphrase. 

Expected result

A way to change encryption passphrase across all devices, for both past and future content.

Actual result

There is currently no function to change encryption passphrases. I discovered 2 workarounds. However, they don't scale well and technically don't solve the problem overall. 

First Workaround

Step 1 ) Delete all encrypted text

Step 2 ) Restart Evernote

Step 3 ) Follow the prompt for making a passphrase again

This is extremely inconvenient if you have a lot of encrypted content. 

Second Workaround

Simply make a new passphrase for every piece of content moving forward. Which technically isn't even a workaround because it does nothing for previously encrypted content.

 

Sidenote: You guys claim that you don't store our encryption passphrase. If that's the case, how am I able to decrypt content across multiple devices? Surely you guys have to be storing an encrypted version of the passphrase somewhere. 

Screenshot 2017-05-24 20.37.05.png

Link to comment
  • Level 5*
11 hours ago, GioLogist said:

You guys claim that you don't store our encryption passphrase. If that's the case, how am I able to decrypt content across multiple devices? Surely you guys have to be storing an encrypted version of the passphrase somewhere. 

The password is stored within the encrypted text.  
Similar to encrypting a pdf file, the password is stored in the file
I can mail you the pdf file, you can read it using the password

Link to comment
  • Level 5*
32 minutes ago, DTLow said:

The password is stored within the encrypted text.

??

No, that doesn't make sense: a password inside the encrypted section would be useless. The user needs to supply the password, and the decryption goes from there. See, e.g. 

and https://evernote.com/security/. Relevant section is:

Quote

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.

 

Link to comment
  • Level 5*
13 hours ago, GioLogist said:

I discovered 2 workarounds. However, they don't scale well and technically don't solve the problem overall. 

I can suggest a third.  When you see the encryption dialogue,  just type in a different passphrase.  I got up to about 5 different phrases n different notes and made it a standard practice to save a hint in the note as to which one I'd used.  I do the same for password protected files,  though I found recently that hints don't help if you know the password starts with brackets () - but you don't remember which sort of brackets you used - {} / [] / () etc.  If you do change passwords in this way,  as you note,  the old ones aren't changed.  The password is baked into the note content so has to be changed individually.

Per another user's excellent suggestion I'm using my LastPass account to generate unique passwords where I need them,  and just saving the note link in the LastPass window.

Link to comment
  • Level 5*
5 hours ago, jefito said:

No, that doesn't make sense: a password inside the encrypted section would be useless. The user needs to supply the password, and the decryption goes from there.

"Stored" is the wrong word
The text is encrypted with a password.  The OP was concerned with Evernote storing encryption passphrases. 
The password is not stored externally

Encrypted text, like encrypted PDFs are self contained

 

Link to comment

Nevertheless, I also would like automated password changing: technically it's very possible to implement that: ask the user the old password and the new one, loop through all encrypted notes, decrypt with the old and encrypt with the new one again, a simple job for a  computer, extremely cumbersome for a user...

Link to comment
  • Level 5*
7 minutes ago, eric99 said:

ask the user the old password and the new one

That could work, unless multiple passwords were used; not a great idea but each encrypted text could have a different password

Link to comment

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...