I want to use AutoHotkey scripts to access sensitive web sites such as banking. Evernote stores these scripts in an insecure folder (Evernotes/Databases/Attachments). If I delete the scripts from this folder they return when I next access them in Evernote (so they must be stored within Evernote). How can I store scripts securely in Evernote?

Link to comment
  • Level 5*

Hi.  If you store scripts in Evernote you will have access to 'standard' Evernote security - AFAIK there are no upgrades or hacks available.  Is it possible to store your scripts on your desktop and activate them via a link stored in Evernote?

Link to comment
On 7/23/2019 at 12:25 AM, Forevergreen said:

Evernote stores these scripts in an insecure folder (Evernotes/Databases/Attachments).

Actually, they're not stored there. They're stored in the database (the `.exb` file). In order to run/edit/etc an attachment, it must first be stored in a location where it can be accessed. That's what the Attachments are. Anything in there can be safely deleted when EN is not running.

  • Like 1
Link to comment
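The point made in the reply above (copies in the Attachments folder can be deleted while Evernote is closed), as an added example that is not part of the thread or Evernote's own tooling: it lists script-type files left in the cache and clears the folder only when the client is not running. The cache path you pass in, the extension list and the process image name `Evernote.exe` are assumptions.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Assumption: extensions worth flagging; ".ahk" is the AutoHotkey type from the thread.
SENSITIVE_EXTS = {".ahk", ".bat", ".ps1", ".txt"}

def evernote_running(image_name="Evernote.exe"):
    """True if tasklist reports a process with this image name (Windows only)."""
    if os.name != "nt":
        return False  # no tasklist here; treated as "not running"
    out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {image_name}"],
                         capture_output=True, text=True).stdout
    return image_name.lower() in out.lower()

def audit_cache(cache_dir, exts=SENSITIVE_EXTS):
    """Return the plaintext attachment copies left in the cache folder."""
    return sorted(p for p in Path(cache_dir).rglob("*")
                  if p.is_file() and p.suffix.lower() in exts)

def clear_cache(cache_dir, is_running=evernote_running):
    """Delete all cached copies, but only while the client is closed.
    Returns the number of files removed; raises if the client is running."""
    if is_running():
        raise RuntimeError("Evernote is running; close it before clearing")
    removed = 0
    for p in Path(cache_dir).rglob("*"):
        if p.is_file():
            p.unlink()  # ordinary delete, not a secure wipe
            removed += 1
    return removed

def demo():
    """Audit and clear a constructed cache folder (sample data, not real)."""
    with tempfile.TemporaryDirectory() as d:
        sub = Path(d, "a1b2")
        sub.mkdir()
        (sub / "bank_login.ahk").write_text("; constructed sample script\n")
        (sub / "photo.jpg").write_bytes(b"\xff\xd8")
        found = [p.name for p in audit_cache(d)]
        try:
            clear_cache(d, is_running=lambda: True)
            blocked = False
        except RuntimeError:
            blocked = True
        return found, blocked, clear_cache(d, is_running=lambda: False)

if __name__ == "__main__":
    print(demo())
```
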

Thank you for your reply.

I understand that Evernote stores scripts in the database but when accessed they are written to an insecure folder which is a major security issue which I haven't seen warnings about in any documentation. Evernote should write these to a temporary location then immediately securely delete them after access. I think it should be made clear to all users that using attachments is not secure.

To reply to your post I had to create a new account as I was unable to log in as "Forevergreen". Whatever I tried I was taken to the registration page. 

Link to comment
  • Level 5*
On 8/1/2019 at 4:38 AM, nevergreen said:

Thank you for your reply.

I understand that Evernote stores scripts in the database but when accessed they are written to an insecure folder which is a major security issue which I haven't seen warnings about in any documentation. Evernote should write these to a temporary location then immediately securely delete them after access. I think it should be made clear to all users that using attachments is not secure.

To reply to your post I had to create a new account as I was unable to log in as "Forevergreen". Whatever I tried I was taken to the registration page. 

It's a fundamental part of the way Windows actually works that scripts are only accessible from a stand-alone file on the hard drive.  Not sure that it is Evernote's responsibility to point out to users that confidential data in a Note will be copied (in identical format) into a folder to allow third-party utilities to access it.  Additionally third party apps don't uniformly 'unlock' data to which they've required access so that Evernote even knows that processing has completed.  It is simply not possible to auto-delete what's in the Attachments folder securely or otherwise.

I access sites with links from Evernote to a log-in page,  and log in via a browser app password-protection utility called Bitwarden (many others are available).  Automation beyond logging into the site landing page is inherently insecure - but several steps outside Evernote's ability to control the security of any activity.

Link to comment
  • Level 5

Everybody working on a Windows PC should be warned that the security of all data depends on the security of the PC itself.

Because moving data between applications may and will create temporary duplicates, and because convenience requested by the users creates even more duplicate information, there is no local security of data on a PC.

This has nothing to do with EN.

In general, EN is not meant to store sensitive data, like banking codes, account and password access codes etc. For such information, there are other services that will encrypt everything right on the device, and will allow the decrypted copy to only exist in a shielded enclave in the RAM, and only temporarily.

Who does not understand this anyhow would probably not understand a warning telling exactly this - be it for a lack of basic knowledge or for not being interested in his own data security.

Link to comment

Thanks for the informative replies.

I now understand the reasons for the lack of security accessing some attachments and will find another way.

I still believe that it would be useful to advise those, like me, who are not experts in security of this.

I think the Evernote marketing department would be interested to learn that "In general, EN is not meant to store sensitive data"!

Thanks again for the information.

Link to comment
  • Level 5*
On 8/2/2019 at 2:18 PM, PinkElephant said:

In general, EN is not meant to store sensitive data ...

I store "sensitive data" in Evernote, but I make sure it's protected with encryption.

In general, EN data is not encrypted; but there is a text encryption feature.  
I also make use of the native encryption of attachments; pdfs, office/iWork documents, ...

>>And it will not work at all if the sync is faster than you

Agreed, encryption should be executed in a local notebook, or external from the Evernote sync process.

Link to comment
  • Level 5

Sure you can build around the open structure of EN by using text encryption. 

IMHO it is better to use tools prepared for the job to do the job.

On tools prepared for this, you first open a secure environment, and then start to add or modify your data inside. When you leave, encryption is done by default. And the memory will be wiped of all short term residue created by the operation. Even when you forget, and the app closes all by itself, security will be assured.

With EN, you first open a non-secured app. One that will start to sync to a cloud service no matter if you had the intention to encrypt before. And an app that to my knowledge has no internal means to wipe the used RAM when closing, or being closed by time-out.

Yes, it is possible to encrypt the text of a note. For me, this is only the smaller part of the answer. And it will not work at all if the sync is faster than you, or you forget about security procedures for whatever reason. For these reasons, I regard EN as being unsafe for confidential information.

 

Link to comment
  • Level 5*
20 minutes ago, PinkElephant said:

IMHO it is better to use tools prepared for the job to do the job.

On tools prepared for this, you first open a secure environment, and then start to add or modify your data inside. When you leave, encryption is done by default. And the memory will be wiped of all short term residue created by the operation. Even when you forget, and the app closes all by itself, security will be assured.

Can you recommend any apps for this?  The apps I'm using don't have this level of security.

I'm still ok with storing the encrypted file in Evernote.

Link to comment
  • Level 5

For my use it is 1Password.

It offers a document type called "secure notes". There you can save text plus pictures as attachments (maybe other files as well, have not tested it on the Mac and am currently traveling iPad only).

1PW operates as I expect for secure storage: It opens only with PW or face / touch ID. Everything stored is encrypted right on the device. Unencrypted data never leaves the device. It syncs only encrypted data, and decryption only takes place on an authorized device. When a time-out happens, it will reopen asking again for the PW or face / touch ID. It works like this under iOS and on the Mac.

It sure is built around all types of structured account / password / banking data. But the secure notes feature also allows the storage of unstructured notes.

Link to comment
  • Level 5*
23 hours ago, DTLow said:

Can you recommend any apps for this?

May or may not be an exact fit but Veracrypt creates encrypted containers, folders or partitions, where you can store whatever. 

I use it to enable cloud backups of sensitive data.  I created a 2GB container on my PC to house multiple folders, logically the container is simply a logical drive.  After signing in to Veracrypt and mounting the "volume" I  chose for it to appear as the M: drive.  I do whatever in any of the folders, and then dismount/sign out and the encrypted container gets synced to the cloud.   There are options to auto close.  FWIW.

Link to comment
