Kurt Cubic

(Archived) REQUEST: Additional encryption options for notebooks and syncing

I'd also like to see the ability to force password prompting at a note or even a notebook level.

To give an example of where this would be useful (and local options like drive encryption aren't practical), I would like to keep a note with all my passwords in it, and be able to access it through the iPhone client. At the same time though, should my phone be stolen (not exactly unlikely where I'm from) I don't want anyone to just be able to grab these passwords.

Thanks,

Matt

Link to post

If you put some passwords into a note, you can select that text and Encrypt it. Then you can view it from Mac, PC, web, or iPhone after re-entering your secret passphrase.

I have a number of notes with encrypted passwords in them. I find it useful to just encrypt the password itself, so I can still search for other text in the note to find it.

Link to post

Hi Dave,

Thanks, I actually picked up on the encrypting the same day I posted from one of your older podcasts (I'm working through all of them in fairly short succession, I think I may be beginning to hear the theme music in my dreams :D ).

Link to post
Yes, we try to be clear about what our software and servers do, and then you can make your own decision about whether that's appropriate for an individual task. This is similar to email ... you should choose which information you want to send via email, and what requires a secure courier or some other mechanism.

We specifically do not claim to have any vertical industry certifications (e.g. HIPAA for US medical usage) that may govern your professional usage of Evernote.

It seems like the Windows client could interact with the online data without storing it locally, since the web client does this. Why not allow us to disable 'sync' but require us to log into the local client with our online credentials? Then we can view local (in my case, work related) notes and our personal notes while still not putting our personal data in the clear on our non-private machines.

As it stands the native code client is perfectly useless for me, which is sort of sad. I guess my other option is to export all my data and terminate my premium membership - not much use in using TLS/SSL if it lands on my disk as plain-text.

Link to post

I would like to control access to my Evernote account on my computer. Can you set a password for the desktop version of Evernote for the Mac?

Thanks,

Paul

Link to post

We recommend enabling the password-protected screensaver on your computer if you're worried about someone else accessing your computer while you are away. This will prevent access to all of your applications and files (not just Evernote).

Link to post

This could not be the solution. If somebody steals my MacBook, he can access the data by dismounting the HDD and copying the data. It should be possible to encrypt the whole database on a Mac and also on the iPhone.

Because of that security hole I can't use Evernote in the way I like using such applications.

Link to post
This could not be the solution. If somebody steals my MacBook, he can access the data by dismounting the HDD and copying the data. It should be possible to encrypt the whole database on a Mac and also on the iPhone.

Because of that security hole I can't use Evernote in the way I like using such applications.

That's why the recommendation is to use an encryption program (IE TrueCrypt) if you're concerned about security. All my sensitive information (including my Evernote database) is stored on an encrypted drive. I'm PC so can't tell you how to implement encryption on a Mac.

Link to post

This should be implemented in the Evernote app, not stuck together with workarounds. To do this I have to encrypt the folder, add screensaver password, firmware password and so on.

Link to post

Except, EN would need your password/passphrase in order to enable the powerful search function. Of course, if the EN servers had access to your password/passphrase, that is a security hole in the event someone hacked EN servers. (Highly unlikely but possible.) Which is why one shouldn't store sensitive info (bank statements, credit card statements, social security numbers, etc) in EN unless you're encrypting each note.

Quoting Dave Engberg:

"When you encrypt text within a note (e.g. a password, PIN, or credit card number), that text can only be decrypted by someone who knows your passphrase. Evernote has no way to extract the hidden text, since we don't ever get access to your passphrase.

(snip)

This also means that we can't process encrypted text to allow you to search for notes. If you only encrypt the sensitive parts of your notes, you can still search for the non-encrypted parts to find those notes."

viewtopic.php?f=38&t=6565&p=24408&hilit=encrypt+search#p24408

We are such a computer oriented society now & people walk around carrying laptops that have their sensitive info for work, copies of bank statements, passwords & pins, medical information, etc. If the laptop is lost or stolen, it's essentially the same as leaving the stack of papers with that info on them for anyone to see, unless it's encrypted. Users need to be responsible for their own computer security & backup systems. Most people lock their homes & cars. Do the same thing with your computer info.

Link to post

I will not store such data. To store such data I already use an application with encrypted database and password.

I have personal data in EN that should only be accessible with user/password and also the disk data. EN comes with the statement store your notes but some notes are personal and I don't want to encrypt each piece of that note. At least I collect my notes with the iPhone and I can't encrypt it there.

Storing page scans and PDF is also very heavily used by me and I don't want to encrypt each time. Useless.

Link to post

I really think Evernote's approach here is wrong.

Some of us really, really need app level security to prevent people from accessing our note database. What if we want to let someone access our computer to use webmail? Your screen-saver workaround is absolutely useless in that case.

I've made the same arguments about the iPhone app. It really needs to have the option to have a PIN code before letting a user access the notes. Same story here - PIN code at the phone level is not enough. What if we lend our phone to someone, to make a call, play a game, etc. Dropbox just added this to their iPhone app - Evernote should too - to all versions.

I really don't understand the resistance to this. OS level security is NOT enough.

Link to post

You should check into a program that allows you to password protect your applications. I use the one by Superlogix (IIRC, it's only PC, tho.) Or set up a guest account. If I let someone use my desktop to check webmail, I don't want them getting into my email, NeatReceipts, Evernote, etc.

Link to post

For all users of Evernote on the Mac:

I bought Espionage (24$) to encrypt data from Evernote on the FS level.

Since Evernote 1) doesn't understand the requirement 2) will not be able to provide an encryption on FS level, Espionage integrates very well!

Link to post

Is this encryption option available on the free version? I wouldn't mind spending $4.99 for the paid version, but not $4.99/month.

Link to post
Is this encryption option available on the free version? I wouldn't mind spending $4.99 for the paid version, but not $4.99/month.

Ok, maybe you're still in high school. BUT...FWIW, $4.99/month ($3.33/month if you pay annually) for a service that you use extensively is peanuts. A few more cents than a venti mocha at Starbucks. Having said that, encryption is available on the free version.

Link to post

I'm sorry but I haven't been able to find it on the free version. Can you tell me how to access it?

Link to post

After re-reading the first message I discovered where it is:

on a Mac- select the text you want to encrypt, option (or right) click the selected text and choose Encrypt text. Great!

Link to post
Ok, maybe you're still in high school. BUT...FWIW, $4.99/month ($3.33/month if you pay annually) for a service that you use extensively is peanuts. A few more cents than a venti mocha at Starbucks. Having said that,

I'll ignore the condescending tone (even though you didn't bother to tell me how to do encryption- using a PC). I'm transferring notes from a Palm, and $40/year is a waste to me for something that has been free all these years. No, I'm not in HS, nor do I waste $ at $tarbucks, etc.

Link to post

I'll ignore the condescending tone (even though you didn't bother to tell me how to do encryption- using a PC).

I didn't tell you how b/c you didn't ask how.

Link to post

OK, BF, Please tell me how to encrypt contents of a note using my PC. Thanks.

Link to post
OK, BF, Please tell me how to encrypt contents of a note using my PC. Thanks.

If you read the note directly above yours...

After re-reading the first message I discovered where it is:

on a Mac- select the text you want to encrypt, option (or right) click the selected text and choose Encrypt text. Great!

Works the same way on PC.

Link to post

I tried that the other day using Firefox. I just get generic choices that aren't related to Evernote (choices that show up on any website opened in Firefox, such as "copy", "select all", etc.). Today I tried it in Windows Explorer, with similar results (the choices are different, but they're all Explorer-generic, not Evernote specific.) Any ideas what I may be missing? I'm highlighting specific text in a specific note before right clicking the mouse.

Thanks.

Link to post

OK, thanks. I did that, and was able to encrypt a note. I saw it locked. I then synced my iPod Touch. The note is still unencrypted on the iPod after sync, though. Any ideas? Is there any decent documentation for Evernote? I did a search of Encrypt in the EVERNOTE FOR WINDOWS USER GUIDE and found virtually nothing.

Link to post

Evernote is a great product on many levels. It syncs cross-platform, allows me to search my documents, and allows some formatting of those documents. However i have two types of note taking that I do...

Home/Personal

Notes that are of a personal nature that I dont want to share with work. Not confidential or problematic for other people to read, but definitely stuff that I'd like to keep private.

Work

Notes and details that I'd like to save long-term, these are confidential I wouldnt want any random person viewing my iphone to see them.

The Problem

Devices are meant to be shared, think iphone, ipad, your computer. Its not feasible, and a little bit offensive to say: oh sorry, i have that pw protected cause i dont want anyone to use it EVER. Instead i leave my phone unlocked and trust that it rarely leaves my sight, but even if it does someone can make a call but they cant view my passwords in 1password. Mint figured it out, 1password does it right, even dropbox knows i dont want prying eyes to jump into an unlocked device.

Evernote doesnt have this feature and they dont seem interested in supporting it.

So maybe its my boss, or my gf or my little brother...All people I trust, but who doesnt want to take a little peek now and then right? For this reason I have removed Evernote from my work machine, in the real world my employer has access to my machine and i dont blame them for needing that(in case im run over by a car)

So that leaves me with home, I take a fair amount of notes for home, but not nearly enough to fill the Free quota. Evernote is only worth money if i can use it for business:

I want Evernote for business and home

I will pay for it

I want it synced on all my devices

I NEED some form of non-system-level protection

Wordy but someone at evernote doesnt have this type of user in mind, who is paying for a subscription? Why? Please someone tell me im being irrational

Link to post

There are tons of reasons to use Evernote for personal reasons only.

Hobbies, favorite restaurants, home and auto receipts, capturing web info, family photos, vacation details, addresses, genealogy, etc.

I am retired, but I use it every day and I pay for the premium version. I usually don't hit the max upload amount, but I feel the $5 a month is well spent for a good company. I don't need a corporate expense budget to justify it.

In my opinion, the issue of a password for work related stuff is a bit of a red herring. There are other ways to skin the cat. The info does not have to be stored on a work computer. It can be accessed from the office via the Evernote website which requires a password for access. At my former company, I brought along a program I had used for a dozen years called GoldMine - a customer relationship management program. Even though it was only on my office computer and was password protected, the MIS department was not happy and asked the CEO to speak to me about using software that was not "company approved". It was their computer and network so I abided by their wishes and removed the program.

If I felt GoldMine was important enough for the entire sales department to use, I would have gone before the Board and pleaded my case. But I knew that others in the sales department would never use it, so I did not push the issue for the dedicated software. Instead I pushed for an easier program that was web based; SalesForce.com; and it was accepted. I exported my GoldMine info to SalesForce and ended up with a win-win for everyone.

So if Evernote is not working for you due to issue of a password, then move on and select something else.

Link to post
Its not feasible, and a little bit offensive to say: oh sorry, i have that pw protected cause i dont want anyone to use it EVER.

Not only do I think it's feasible, I think it's careless not to have a PIN on your phone. Phones are small & easily lost or stolen. I don't want an unauthorized user to be able to get into my phone or the apps on it. And I don't care what an authorized user thinks if they try to get into something like EN, Quicken, my email, etc & find it's password/PIN protected. The very fact that they tried to get in there proves my reason for having them protected. (My iPhone is jailbroken & I use Lockdown to put a PIN on apps like EN, Ebay, Amazon, etc.)

Link to post

Hello all,

I know that adding security to Evernote is an ongoing request for many EN users. For my purposes, I needed a relatively sleek and simple solution to encrypt my Evernote files locally. There already have been articles on this topic. All of these programs establish a similar task: create a password-protected .sparsebundle which will hold Evernote's data files. If a user wants to "open" Evernote, they need to be allowed access to the .sparsebundle holding the data files.

I have seen some posts cover this issue, none provide a full walkthrough that is accessible or easy to find. I am sharing this guide so there is at least one walkthrough on securing Evernote.

I decided to use Knox which is a proprietary folder encryption software and SymbolicLinker, which creates multiple aliases for your Evernote files. SymbolicLinker is free, Knox is also about $39 for a license (but there is a free trial). I know that for some of you, this is the breaking point between deciding to leave your files unencrypted or not. I recommend using TrueCrypt and DiskUtility for free alternatives if you do not want to pay to secure Evernote. One of the reasons I picked Knox over other commercial and free apps is for its overall design and integration with iDisk.

Securing Evernote with Knox and SymbolicLinker:

1) Make a zip backup inside of the Evernote files stored in the following locations. (right click > compress)

~/Library/Application Support/Evernote

~/Library/Caches/Metadata/com.evernote.Evernote

2) Download SymbolicLinker Service. This will create an enhanced alias which will redirect the Evernote data files to its new location within the Knox password-protected volume. Install SymbolicLinker Service on every computer you plan to use Knox and Evernote. Devices running 10.6 support the SymbolicLinker application. Devices running 10.5 support the SymbolicLinker plug-in.

These are the 10.6 install instructions copied from the Read Me (the 10.5 or lower install instructions are lower in the file):

1. Open the folder titled "Library" at the root of your boot disk. Make sure there is a folder there named "Services". If the folder doesn't exist, then make one with exactly that name (without the quotes, of course). If you are not the system administrator, or you do not want the service to be available to all users on the system, then use the Library folder inside your home directory instead.

2. Copy the "SymbolicLinker.service" bundle that came with this distribution into the Services folder. DO NOT copy the SymbolicLinker.plugin file; it serves no purpose under Snow Leopard.

3. Either log out and log back in again, or reboot your computer, or (even easier) run SymbolicLinker.service once by double-clicking on it. Either one of those things will force the OS to update its list of services. SymbolicLinker is programmed to stay in memory for a short period of time, and then automatically quit when it is no longer needed. When it is not running, it will still show up in the services list, so this is a purely memory-saving move.

4. You should also make sure that the service is enabled (sometimes it is by default, sometimes it isn't). To do that, open System Preferences, open the Keyboard preference pane, open the Keyboard Shortcuts tab, click on Services, and scroll through the list until you see the "Make Symbolic Link" service. If the service is checked, then it will appear in the Finder. If it isn't, then it won't.

3) Download Knox. Knox will create a fixed-size protected volume which will only be accessible by password. I choose 8.0 GB because this will fit on a dual-layer DVD. Configure Knox before creating the protected volume. I choose to create a new vault on my desktop, allow Knox to start on login and to show the Knox icon in the Menu bar.

4) Create a "New Vault" in Knox. Once the name is created and you have created an alias with SymbolicLinker, DO NOT change the name of the Vault. If the file names of the original files are re-named then the symlinks become USELESS because they no longer point to the correct folder.

5) Move the following two file locations below into the newly-created Knox protected volume.

~/Library/Application Support/Evernote

~/Library/Caches/Metadata/com.evernote.Evernote

6) Within the Knox protected volume, right click (with 10.5) or open SymbolicLinker app (with 10.6) to create a Symbolic Link of each folder locations. These are Evernote's critical data files:

Ex: Evernote symlink or com.evernote.Evernote symlink

7) Move both symlink aliases into the location of the original files. Make sure to remove the "symlink" ending so the aliases have the exact title as the original files. Move the original files to another location or your trash.

Ex. Evernote symlink becomes Evernote

8) Do extensive testing to make sure the symlinks are working correctly and Evernote is only accessible if its data files are successfully unlocked via the Knox protected volume.

Ex: If Knox has successfully locked Evernote's data files, Evernote should open and a message saying "The file name is invalid." will be displayed.

Ex: If Knox has unlocked Evernote's data files then Evernote should open normally.

9) Make sure you delete your original copies of the folders in the trash can.

Feedback: since I haven't seen any other walkthroughs to this length except for TrueCrypt please tell me if I am missing any steps or need to make adjustments to my instructions.

Thanks.

Link to post
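
Steps 5 to 8 of the walkthrough above (move the data into the vault, symlink it back, confirm it is unreachable when locked), as an added shell example that is not part of the original post. It uses hdiutil, the macOS disk-image command-line tool, in place of Knox and `ln -s` in place of SymbolicLinker; the function names, vault name and image path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the volume name
# "EvernoteVault" and the image path are assumptions made for illustration.

# create_vault IMAGE_PATH
# macOS only: create and mount an encrypted 8 GB sparse bundle (the size the
# poster chose). hdiutil prompts for the passphrase interactively.
create_vault() {
    if ! command -v hdiutil >/dev/null 2>&1; then
        echo "hdiutil not found (macOS only)" >&2
        return 1
    fi
    hdiutil create -size 8g -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -volname EvernoteVault "$1" || return 1
    hdiutil attach "$1"    # mounts at /Volumes/EvernoteVault
}

# relocate_into_vault SRC_DIR VAULT_MOUNT
# Moves SRC_DIR into the mounted vault and leaves a symlink with the original
# name behind. The backup is written INSIDE the vault, so no plaintext copy
# stays on the unencrypted disk.
# Caveat: mv across volumes copies and then unlinks, so the old plaintext
# blocks remain on the unencrypted disk until they are overwritten.
relocate_into_vault() {
    rv_src=$1
    rv_vault=$2
    rv_name=$(basename "$rv_src")
    if [ ! -d "$rv_vault" ]; then
        echo "vault not mounted: $rv_vault" >&2; return 1
    fi
    if [ -L "$rv_src" ]; then
        echo "already a symlink: $rv_src" >&2; return 1
    fi
    if [ ! -d "$rv_src" ]; then
        echo "no such directory: $rv_src" >&2; return 1
    fi
    if [ -e "$rv_vault/$rv_name" ]; then
        echo "target already exists in vault: $rv_name" >&2; return 1
    fi
    tar -czf "$rv_vault/$rv_name.backup.tgz" \
        -C "$(dirname "$rv_src")" "$rv_name" || return 1
    mv "$rv_src" "$rv_vault/$rv_name" || return 1
    ln -s "$rv_vault/$rv_name" "$rv_src"
}

# data_state PATH
# Prints one of:
#   plain    - a real directory on the unencrypted disk (not protected)
#   unlocked - symlink whose target is reachable (vault mounted)
#   locked   - dangling symlink (vault not mounted)
#   missing  - nothing at PATH
data_state() {
    if [ -L "$1" ]; then
        # -e follows the link, so it is false when the vault is unmounted
        if [ -e "$1" ]; then echo unlocked; else echo locked; fi
    elif [ -d "$1" ]; then
        echo plain
    else
        echo missing
    fi
}

# Typical use on macOS, with the paths from the walkthrough:
#   create_vault "$HOME/EvernoteVault.sparsebundle"
#   relocate_into_vault "$HOME/Library/Application Support/Evernote" /Volumes/EvernoteVault
#   hdiutil detach /Volumes/EvernoteVault
#   data_state "$HOME/Library/Application Support/Evernote"
```

Running `data_state` on both Evernote paths after detaching the volume is a quick version of step 8: anything reported as `plain` is still sitting unencrypted on the disk.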

I'm just a normal Evernote user. I would not feel comfortable encrypting all my Evernote data, even though it will make it safer.

I have confidence in the physical security systems at Evernote. What does concern me is the integrity of my data. My personal feeling is that Evernote is stretching too far to accommodate every Tom, Dick and Harry request. All these add-ons demands from left-field are putting more and more pressure on the fundamental software code that runs Evernote. I believe this is creating a shaky situation, and I would not want to further complicate the database with 3rd party encryption software.

Link to post

Thanks for passing this along. I looked into Knox for my own laptop a few months ago, but the interaction with Time Machine was a bit confusing. I.e. you couldn't use Time Machine's smooth incremental backup mechanism if you used any sort of encrypted storage mechanism (including Apple's own). You could do something ugly involving sparse files and block-level backup, but that lost a lot of the magic of Time Machine.

Thanks

Link to post

Is there anything on the road map for having an encrypted notebook which is encrypted on the client side and then sent to the server?

Link to post

You're welcome to make a local-only notebook on your PC, and you can use various solutions like TrueCrypt to encrypt part or all of your hard drive (including your database directory). You can back up that file or encrypted partition using standard desktop backup or network-based backup solutions.

But Evernote's service is based around doing useful things with the contents of your notes, such as web-based searching/sorting, image processing, etc. Evernote isn't really about bulk backup of encrypted bits from your hard drive.

Link to post
You're welcome to make a local-only notebook on your PC, and you can use various solutions like TrueCrypt to encrypt part or all of your hard drive (including your database directory). You can back up that file or encrypted partition using standard desktop backup or network-based backup solutions.

But Evernote's service is based around doing useful things with the contents of your notes, such as web-based searching/sorting, image processing, etc. Evernote isn't really about bulk backup of encrypted bits from your hard drive.

Hi Dave,

First off, congratulations on your work in the technical field for Evernote. It is simply amazing what you guys have put together!!!

You mentioning this comes in handy because I've been reading in the forum for a while about security, privacy, etc. I'm considering taking all my notes off the cloud and storing them into TC containers but first I would like to know what I potentially lose when doing so. I've read that image recognition won't work anymore, same for iPhone access, etc. What other features would also be disabled? Could you point me to the right source of information so I can make my decision?

What if I allow you to index the data by leaving the note for a while on the cloud but after, say 1 day, I take it off and store it locally by using a combination of TC and Dropbox?

Your last statement makes your point rather clear but I can't bite my tongue: I know this might represent quite a burden - implementationwise, performancewise, etc - but ain't it that difficult to introduce user certificates on both ends? I mean, the Evernote server does not need to modify my data, right? therefore accessing my data in read-only mode using my public key would probably suffice, right? if that's the case, generating a public+private certificate thing would most probably eliminate all the security concerns and most users wouldn't mind providing you guys with the public key while they keep the private one on their clients...

I'm sure things are not as easy as I'm describing here but I'm truly concerned about the privacy level on the things that I store in my Evernote account. I do understand that you need access to my data in order to index it and stuff but I don't agree that Evernote deserves the same security and privacy level as my email does: in the end, when I send an email, I talk "virtually" while you guys are keeping real information from a real person.

Sorry if any language mistake was made or if you want me to elaborate a little more on any idea I've just thrown into this reply. This is not stuff I regularly talk about in a foreign language :(

Best wishes,

my 2 cents

Link to post

If you only use a single PC, then a local notebook with a secure backup solution (e.g. I used Iron Mountain's encrypted backup at a past job) would work fine. The only drawback would be synchronization ... this wouldn't really allow you to easily go between multiple PCs with separate desktop clients.

And no web UI, obviously.

Link to post
If you only use a single PC, then a local notebook with a secure backup solution (e.g. I used Iron Mountain's encrypted backup at a past job) would work fine. The only drawback would be synchronization ... this wouldn't really allow you to easily go between multiple PCs with separate desktop clients.

And no web UI, obviously.

Obviously...

Dave, can you please share with us what are the functionalities that are lost by only using local notebooks? I'm not saying I will do it, I just want to know the information so I can make a reasonable choice...

Thanks

Link to post
You're welcome to make a local-only notebook on your PC, and you can use various solutions like TrueCrypt to encrypt part or all of your hard drive (including your database directory). You can back up that file or encrypted partition using standard desktop backup or network-based backup solutions.

Seems like this defeats the purpose of storing stuff in the cloud. I would rather know that my data is safe and if your servers get hacked, that nobody can read it. Not sure why the client can't encrypt and send? I get that we can select text to encrypt but that is a pain.

But Evernote's service is based around doing useful things with the contents of your notes, such as web-based searching/sorting, image processing, etc. Evernote isn't really about bulk backup of encrypted bits from your hard drive.

My hard drive is already encrypted, I am more worried about where and how it is stored on your infrastructure.

Link to post
I would rather know that my data is safe and if your servers get hacked, that nobody can read it. Not sure why the client can't encrypt and send?

That's exactly my point:

but ain't it that difficult to introduce user certificates on both ends? I mean, the Evernote server does not need to modify my data, right? therefore accessing my data in read-only mode using my public key would probably suffice, right? if that's the case, generating a public+private certificate thing would most probably eliminate all the security concerns and most users wouldn't mind providing you guys with the public key while they keep the private one on their clients...

If your infrastructure ever gets hacked - God not willing - nobody can read/access my data (as long as the keys are stored somewhere else of course).

My hard drive is already encrypted, I am more worried about where and how it is stored on your infrastructure.

Same here. Having all my data "username+password" away from the world is far from perfect to my humble opinion. I stress that:

I don't agree that Evernote deserves the same security and privacy level as my email does: in the end, when I send an email, I talk "virtually" while you guys are keeping real information from a real person.

Link to post
My hard drive is already encrypted, I am more worried about where and how it is stored on your infrastructure.

Same here. Having all my data "username+password" away from the world is far from perfect to my humble opinion. I stress that:

I don't agree that Evernote deserves the same security and privacy level as my email does: in the end, when I send an email, I talk "virtually" while you guys are keeping real information from a real person.

Link to post

This has been discussed a lot. CliffNotes version: if you wouldn't send it via email, don't put it in Evernote. If you want to read more on the subject, please search the board on the word "security." The wide open databases is a good thread. It's a bit lengthy but covers pretty much everything on the subject.

Link to post

I've read both

viewtopic.php?f=30&t=16789&start=0

and

viewtopic.php?f=30&t=9583&hilit=wide+open+databases&start=50

and I must say, I don't know what to do and I'm not even sure I 100% understand what is being discussed.

I would very much appreciate a comparison between local notebooks and synced notebooks when it comes to the added value features that Evernote provides.

Part of my notes are already stored on local notebooks. Those notebooks are encrypted using TC and that encrypted information is synced using Dropbox... it is a real pain to sync my containers once I added one new note or I just changed one word for the whole file needs to be synced.

I'm not saying that what I suggested is easy or even possible (that's up to Dave's crew I suppose), but Evernote is not on par with email as I said. Moving everything off the cloud has major impact in terms of performance, flexibility, etc and that's why I ask you guys to provide me with the information as to make a reasonable choice.

Thanks,

Link to post
I would very much appreciate a comparison between local notebooks and synced notebooks when it comes to the added value features that Evernote provides.

From someone else who uses local notebooks:

1. Obviously, the contents of said local notebooks are on one machine. No cloud goodness.

2. You have to make sure you do your own backups. Using EN 3.1, I use the enscript.exe to export the contents of my local notebooks.

3. No OCR of any images that you put into that local notebook. I don't know about the indexing of PDFs that you attach.

4. You can't email directly into those particular notebooks, which makes sense, because the evernote magic that allows for mailing directly to a notebook doesn't know about them. (What happens is that you can send an email with @ to your EN account; the email goes through, but will end up in your default notebook.)

Off the top of my head, those are the only bits of functionality that you miss by using local notebooks. Fully half of my notes are in local notebooks (for work reasons), and I find I don't miss any of the functionality, except maybe the last one.

Hope this helps.

Link to post

OK so I have read these threads and I guess the only thing that I need to say is that people should be VERY aware that they shouldn't expect any privacy while using this service. Any data that they put up on this service could be exposed. Any notes, documents..etc should be considered NOT SECURED. I know these are strong words but it sounds like Evernote is making the business decision not to protect users' data even though it is their responsibility to protect this data. In many countries, it is up to the company, not the user and the company is legally liable. Evernote should realize that they cannot control the data put in their service, this is the problem.

This seems like a pretty easy solution, select a new notebook, ask for a password, and before you send the blob to the server, encrypt and send the encrypted blob. Now it is stored in the database encrypted. In order to open up the note on the other end, you will need the key. If you lose the key, you lose your data. Portable devices, you might opt to just decrypt and view only, not encrypt. This really isn't a new concept and there are other cloud services which are doing this.

It is pretty clear from these threads that there is concern about privacy and security. People are putting personal data and just using SSL isn't security. I would also consider this service much different than email. So I would think you guys would want to fix this even from an exposure standpoint.

Link to post
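The scheme proposed in the post above (ask for a password, encrypt the note on the client, upload only the encrypted blob), as an added example that is not part of the thread and not Evernote's code. It assumes Node.js's built-in `crypto` module, scrypt for turning the passphrase into a key and AES-256-GCM for the notes; `FakeServer`, the record layout and the sample notes are constructed for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Assumed parameters for this sketch; none of this is Evernote's format.
const KDF = { N: 1 << 14, r: 8, p: 1 };

// Created once per notebook and stored in the clear next to the ciphertext.
function newNotebookHeader() {
  return { v: 1, kdf: 'scrypt', ...KDF, salt: crypto.randomBytes(16).toString('base64') };
}

// Passphrase -> 256-bit key. Runs on the client only; the key is never uploaded.
function unlockNotebook(passphrase, header) {
  const salt = Buffer.from(header.salt, 'base64');
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32,
    { N: header.N, r: header.r, p: header.p });
}

// Encrypt one note. The note id is bound as associated data, so the server
// cannot return another note's blob under this id without detection.
function sealNote(key, noteId, text) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(noteId, 'utf8'));
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt one note. Returns null when the passphrase was wrong or the blob
// was altered or swapped: GCM authentication fails in all of these cases.
function openNote(key, noteId, blob) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key,
      Buffer.from(blob.iv, 'base64'), { authTagLength: 16 });
    decipher.setAAD(Buffer.from(noteId, 'utf8'));
    decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Stand-in for the sync server: it only ever sees what upload() is given.
class FakeServer {
  constructor() { this.rows = new Map(); }
  upload(id, record) { this.rows.set(id, JSON.stringify(record)); }
  download(id) { return JSON.parse(this.rows.get(id)); }
  dump() { return [...this.rows.values()].join('\n'); }
}

function demo() {
  const server = new FakeServer();
  const secret = 'router admin password: constructed-sample-value';

  // Device A: create the notebook, derive the key, upload ciphertext only.
  const header = newNotebookHeader();
  server.upload('notebook:private', header);
  const keyA = unlockNotebook('correct horse battery staple', header);
  server.upload('note:1', sealNote(keyA, 'note:1', secret));
  server.upload('note:2', sealNote(keyA, 'note:2', 'second constructed note'));

  // Device B: fetch the header, re-derive the key from the same passphrase.
  const keyB = unlockNotebook('correct horse battery staple', server.download('notebook:private'));
  const wrongKey = unlockNotebook('wrong guess', server.download('notebook:private'));

  return {
    roundTrip: openNote(keyB, 'note:1', server.download('note:1')),
    serverSeesPlaintext: server.dump().includes('router admin'),
    wrongPassphrase: openNote(wrongKey, 'note:1', server.download('note:1')),
    swappedBlob: openNote(keyB, 'note:1', server.download('note:2')),
  };
}

console.log(demo());
```

Because the server holds only the salt and ciphertext, it cannot index, OCR or search these notes, and a forgotten passphrase leaves them unrecoverable, which is the trade-off the rest of the thread debates.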
OK so I have read these threads and I guess the only thing that I need to say is that people should be VERY aware that they shouldn't expect any privacy while using this service. Any data that they put up on this service could be exposed. Any notes, documents, etc. should be considered NOT SECURED. I know these are strong words but it sounds like Evernote is making the business decision not to protect users' data even though it is their responsibility to protect this data. In many countries, it is up to the company, not the user and the company is legally liable. Evernote should realize that they cannot control the data put in their service, this is the problem.

This seems like a pretty easy solution, select a new notebook, ask for a password, and before you send the blob to the server, encrypt and send the encrypted blob. Now it is stored in the database encrypted. In order to open up the note on the other end, you will need the key. If you lose the key, you lose your data. Portable devices, you might opt to just decrypt and view only, not encrypt. This really isn't a new concept and there are other cloud services which are doing this.

It is pretty clear from these threads that there is concern about privacy and security. People are putting personal data and just using SSL isn't security. I would also consider this service much different than email. So I would think you guys would want to fix this even from an exposure standpoint.

This is pretty thoroughly discussed in the "wide open database" thread. Since I'm really not into rehashing stuff that's been previously discussed, I will do a little bit. EN's security is that of email. If you wouldn't send the info via email, don't put it in EN or else encrypt it. There are advantages to not having your notes encrypted (the search function!) Evernote is not a secure backup service. (Duh!) The more people use & rely upon computers & digital records, the more important it is for each of us to inform ourselves of the various levels of security. Much like insurance/tire rotation/oil changes/etc are to being an owner of an automobile. Yes, I'm an EN Evangelist. I have a few thousand notes in my database. I have it running pretty much 24/7 on my computers. (Plural) But I don't have one single bank statement or credit card statement in EN.

Evernote should realize that they cannot control the data put in their service, this is the problem.

Huh...??? Either I'm misinterpreting or this certainly falls under the category of "please protect me from myself." It's not up to EN to know anything about the data that is put in their app. They are very straightforward about the security. If you use the search function (it's a great tool, FYI), you'll find a post where Dave says their security is that of email. Would you send your SSN via email? I would hope not. So don't store your SSN in Evernote unless it's encrypted. Is there a bunch of other stuff that I would send via email & therefore is Evernote worthy? Indeed.

Link to post
clyon said:

OK so I have read these threads and I guess the only thing that I need to say is that people should be VERY aware that they shouldn't expect any privacy while using this service. Any data that they put up on this service could be exposed. Any notes, documents, etc. should be considered NOT SECURED. I know these are strong words but it sounds like Evernote is making the business decision not to protect users' data even though it is their responsibility to protect this data. In many countries, it is up to the company, not the user and the company is legally liable. Evernote should realize that they cannot control the data put in their service, this is the problem.

Kicking a dead horse!

http://goo.gl/n5vf :D

This has been discussed over and over again.

The analogy that I have seen is the security level using Evernote is the same as using Gmail.

Link to post

Thanks for the feedback.

We're not saying that an enterprise-grade encrypted backup service would be a bad product, we're just saying that this wouldn't be "Evernote", since it would lack most of the features that make people want to use Evernote. If such a service is actually secure, it would have a lot fewer features and be a lot less convenient (e.g. no quick lookups from a browser or mobile phone). What you're describing isn't the ubiquitous consumer memory aid that is "Evernote."

Luckily, if what you really want is secured network backup of a local database, you can set that up today by using only local notebooks on your PC or Mac and then pay someone (e.g. Iron Mountain $8.95/month) to back up your local database files.

Link to post

My 2 cents:

...We're just saying that this wouldn't be "Evernote", since it would lack most of the features that make people want to use Evernote

Sorry Dave, I disagree. I tried to make my point previously but as it seems I didn't manage to. Phil recently said (http://blog.evernote.com/2010/04/27/thi ... hil-libin/):

"I think of Evernote as my “external brain”. Anything I can use my brain for, I should be able to do better with Evernote."

and in my humble opinion that is not on par with intending to compare Evernote to email... let's put it another way, though I don't rely on my brain I DO trust it.

...it would have a lot fewer features and be a lot less convenient

I disagree. I don't see why all our data couldn't be kept encrypted while all the accesses would need to unencrypt the data. As I previously said:

the Evernote server does not need to modify my data, right? therefore accessing my data in read-only mode using my public key would probably suffice, right? if that's the case, generating a public+private certificate thing would most probably eliminate all the security concerns and most users wouldn't mind providing you guys with the public key while they keep the private one on their clients...

I'm more than fine with my SSL access to Evernote, that's probably enough for secure WAN access to your resources. The problem is once we already get to your resources, we have a major problem with our data kept unencrypted in your servers.

if you wouldn't send it via email, don't put it in Evernote.

So you need Evernote for unimportant stuff and product Acme for important stuff? Do you feel comfortable with having to look across different resources when you look for X material? I don't, and that's, in my humble opinion, far from ideal.

3. No OCR of any images that you put into that local notebook.

Are you sure about that? Here http://blog.evernote.com/2008/04/15/evernote-privacy-and-security/ it is stated otherwise for at least the Windows client:

“The Windows desktop client includes local image processing capabilities, so you can process text in images in Local Notebooks on Windows. The Mac client does not yet have local image recognition, so text in images on the Mac would not be recognized in Local Notebooks, although you could still organize and find these images through other features (tags, dates, contents, origin, etc.)”

Evernote please, could you publish a comprehensive comparison between synced and local networks or point us to it if it has already been published?

In many countries, it is up to the company, not the user and the company is legally liable

I don't think the user is not to blame in any country if personal information is accidentally disclosed.

If you wouldn't send the info via email, don't put it in EN or else encrypt it.

If this is the case, Evernote disappoints me and I truly love it :(

But I don't have one single bank statement or credit card statement in EN.

So you need another application for your important stuff... that is far from ideal. I'm fine if you're fine with it but I may start looking for another tool that ensures privacy and that's gonna hurt 'cause I love Evernote.

Kicking a dead horse!

Yeah, I guess you are right but just think about it: if it has been thoroughly discussed many times it's just because people are uncomfortable with what is supposed to be their external brains: Where there's smoke, there's fire

If Evernote does nothing about what is being requested by its users (whether many of them or just a few), the product itself is being pushed into a merely Browser bookmarker or irrelevant information well and that is not what I would have expected when I first looked into Evernote. I really think that there should be a section on the main site with an extensive explanation about this because it's a very important issue.

if what you really want is secured network backup of a local database

This is not the case, Dave. I do make sure that my local data is safe and encrypted using TrueCrypt and RAID1 NAS, thanks, and I'm just asking you to do the same. This is not an off-scope request... well I might be wrong if in the end it turns out that Evernote is by design as secure as Gmail while I was thinking it was meant to be my external brain... see, those two definitions create a conflict. I wouldn't trust Google with personal stuff but I thought I could trust you :(

As it looks you could say this is not a 2 cent post, sorry for the length!!! :(

/kitus

Link to post

I'm not going to pretend to understand the technology between public keys/private keys, etc. A couple of features that I would love to see, which would satisfy my concerns:

1) A quick "encrypt this note" right-click menu option, which would include the encryption of pdf's and other files (right now, as I understand it, all we can do is encrypt text). I understand that the content of the note wouldn't be searchable, and other features would be lost, but that would let Evernote really be my external brain, not "my external brain, minus certain information I need but don't feel comfortable putting in here." Good tagging of a note by the end user could overcome some of the lost features.

2) Something that has been discussed to death here and on the podcast - a password protected local install. The comments on a recent podcast demonstrate that the EN guys really don't understand the use case for this. The comments were along the lines of "there are other tools for this, such as TrueCrypt, or locking your computer when you leave." In fact, if you look at my sig, I wrote about a way to use TrueCrypt. It shouldn't be that hard for end users, though. At my office, people of my level are permitted to install programs of our own, so I have EN installed. I can lock my PC, but our IT guy still has access to my PC, and all the PC's in the office. So, even though EN is permitted, I still want it secure. I've password-protected it using the method in my signature, but it shouldn't be that hard. As an example of a way to do it, I use a Quicken alternative, Moneydance, which has an optional password option. If you opt to use a password, the database file is encrypted, and when you start the program, you enter your password and then the database is decrypted and the program opens. When you exit the program, the database is automatically encrypted before the program closes.

Anyway, I love Evernote, and the responsiveness of the EN team, but these two features would be nice.

Link to post
Thanks for the feedback.

I think all of this feedback is valid and if there was a data breach, it could be very painful. A major data breach might also change your opinion and I don't think anybody wants that. Don't get me wrong, I get all the use cases around searching, OCR, etc., but ultimately, if a user is putting up data on the server and wants it to be private vs public, they should have that choice. Privacy laws are starting to be written in ways where it is the company/service provider's obligation to protect the users from themselves. So just beware.

As a premium user, I support you guys and would like to see privacy features added. If you ever want to discuss I am just on Castro and would be more than happy to meet for lunch.

Link to post
Thanks for the feedback.

Did we manage to change, if only a bit, your opinion on this? I would be glad if so...

Thanks Dave

Link to post

I'd like to jump into this fray. On the one hand I hear Dave saying that the powers that be at EN have a vision of what EN is supposed to do. On the other hand, I hear a bunch of users saying that EN is a great tool that can be used in ways that you, EN staff, aren't envisioning. I believe that both can be satisfied.

I appear to be one of the people that use EN in ways the staff wasn't envisioning. I'm NOT looking for a good backup mechanism; I have that. I'm looking for a way to make my information available to me whether I'm on my home computer (Ubuntu), office computer (Mac), smartphone or, in an emergency, some other computer (probably Windows). In addition I want to be able to search for what I need. EN is the best solution I have found so far for both those needs. The rub comes in because I have info that should not be available to anyone other than me. Of course I could find another mechanism for storing that info but then I'd have to maintain two sets of data & two programs. What I am suggesting, and what I think others here have suggested, is that there ought to be a way to do both--use it the way EN envisions if you want & protect some data if you want and are willing to give up certain features, such as searching. I don't see that offering that to the users who want it would endanger the focus that EN wants to maintain. And what it might mean is that it's a solution that's valuable to even more users!

For me, I don't care a lot what the mechanism is. I think the encrypted notebook where the index is maintained locally so that the notebook could be encrypted and still searched, is the best solution. Next best would be an encrypted notebook that is not searchable. But I'm fine with the encryption of individual notes. What's not working for me right now (aside from the bug that puts tons of blank lines in an encrypted note) is the process of having to decrypt a note every few seconds. I can choose to decrypt permanently but then I have to remember to reencrypt when I'm done. Or I have to decrypt every few seconds. If EN isn't going to implement the notebook idea, at least provide a way to choose the amount of time before something is re-encrypted including an option to leave unencrypted until you exit the particular note. (For example in preferences you could select a # of seconds or 0 which would mean leave unencrypted until closing the note).

I really like EN. I hope that someday soon I can stop wasting time looking for a solution that gives me what EN does now AND gives me good security.

Thanks for listening and thanks, EN, for the great product.

Link to post
I appear to be one of the people that use EN in ways the staff wasn't envisioning. I'm NOT looking for a good backup mechanism; I have that. I'm looking for a way to make my information available to me whether I'm on my home computer (Ubuntu), office computer (Mac), smartphone or, in an emergency, some other computer (probably Windows).

That's what I use my backup (Jungle Disk which allows me to access my encrypted files with any web browser & my password) as well as Logmein (an alternate access to my sensitive data by accessing my home computer (on 24/7) where it's stored in a Truecrypted drive.) Yeah, it's one more app to use, but that's pretty much part of life, IME. No one app does everything so I use the best app for the task. I use Quicken for some things, Evernote for some things, regular ol' PDF scanning for some things just as I use Word for some things, Excel for some things, Dreamweaver for some things.

IMO, when I'm out or traveling, there's probably not going to be a big demand for me to produce my bank statement from three months ago or last year's taxes right then & there. So it's NBD to not have it in Evernote. OTOH, if I did find myself in an unusual situation where I did need to produce something like that, I can get it via Logmein (either using a web browser or my iPhone) or Jungle Disk (any web browser or iPhone - supposedly - I've not dl'd the app yet.)

Link to post

I use the encryption feature on a few of my notes. My problem is that I switch between notes fairly frequently and every time I return to an encrypted note I must enter the password again. I imagine that this could be solved if I changed my UI so that multiple notes were open at once, but I like my current UI arrangement and would prefer to not have to do that.

How about if EN had an option to remember my password for the current session (where a session ends when I put my notebook to sleep or exit EN)?

Moving on, I skimmed this thread and something caught my attention. Let me apologize in advance, though, as I haven't read this thread closely and the answer to my concern is probably already there.

I see a number of references to the idea that EN is not secure - that the security is equivalent to e-mail. That is good to know and even more reason for me to use encrypted notes.

But I also saw it written that my encrypted notes are not encrypted on my client. If so then I made the wrong assumption. Actually, it's not like I've done a scientific poll or anything, but I would think that is what most people would assume.

If my notes were encrypted on the client then I would know that my notes and my password were secure. If they are not, then I better get more information about this feature. Looking now I don't see anything in the manual or the F.A.Q's. Have I missed it?

Link to post
But I also saw it written that my encrypted notes are not encrypted on my client. If so then I made the wrong assumption. Actually, it's not like I've done a scientific poll or anything, but I would think that is what most people would assume.

If my notes were encrypted on the client then I would know that my notes and my password were secure. If they are not, then I better get more information about this feature. Looking now I don't see anything in the manual or the F.A.Q's. Have I missed it?

Unless otherwise noted, one should assume all data stored on your hard drive is not encrypted or even secure. IE, password protected Word documents are easily hacked into & not a good place to store your PINs, SSNs, passwords, etc. (I use a true password manager that stores the data in an encrypted file.) If I steal your computer, I don't have to log onto it. I can take the hard drive out & put it into my computer & get to your data. That's why I use Truecrypt to encrypt the data on my hard drive. Without my encryption password, they cannot get into my encrypted drive. Sure, they could "brute force" their way into it. But that takes a lot of time & cpu cycles & my background & financial resources would put me on their "not enough return on the investment" list.

Additionally, the data stored on the Evernote servers is not encrypted. If someone hacked into EN's servers (slim chance, but certainly possible), the hacker can access your data. That's why I rarely store any sensitive data in EN & what I do is encrypted in the note.

Link to post

It would be nice if you could add an option to the iphone/ipad app where you could enable a 4 digit passcode to access previously entered notes. I have a passcode on my phone but I don't keep one on my ipad. When other people use my ipad I don't want them to have access to my notes as I keep personal information in there. I would not want the passcode on login since that would delay data entry.

Just a suggestion. I am not sure if others feel the same way but I think it would be a nice feature.

Link to post
Great Application Evernote - just please give us some security for those of us with family ipads/logins.

Not really, it will just give the impression of security. People will think that since their family members can't figure out how to access the data, it must be secure. That is a very wrong assumption.

Link to post

I don't really understand. Are you saying that my other apps that are password protected such as 1Password, Moneydance etc are not secure?

This is a surprise as these apps sell themselves on their security.

I would be very grateful if you could spare the time to elaborate.

Link to post

If those other programs are really secure, then the data is stored in an encrypted format. This is very difficult (close to impossible) to hack.

But for Evernote to utilize its character recognition capability, search, sync, and other features, it has to send the data unencrypted over a secure SSL line.

The local database can be hacked by simply bypassing the access code. For the majority of stuff, this is not a problem. Evernote is appropriate to store things that you'd be willing to send over email via a high-end email provider.

If security is an issue, you should use a 3rd party encryption software program like TrueCrypt.

Link to post

Thanks for sharing your knowledge with us and explaining why we can't encrypt evernote.

Personally I don't need 256 bit encryption or whatever for my family.

I just need a simple way to stop my dear Son snooping around in my "secondary brain". A simple Pin code would suffice as I am sure he doesn't have the knowledge to hack the iPad.

I'll just have to give up the hope of accessing my notes on the family iPad.

Link to post

Yes, I understand and agree that super high security is not needed for your family.

I don't work for Evernote, but I bet the following scenario has crossed their mind:

If Evernote added a 4 digit passcode to restrict access to the program, a lot of people would misconstrue the capabilities and assume it would protect their truly private records, including financial stuff.

Other, more knowledgeable customers would start off by ridiculing the security feature, then elevate to complaints, then ratchet up to a steady stream of demands for fixes, and finally some hot-shot will get an ambulance chaser to file a class action suit.

Yeah, it seems ridiculous, but look at Judge Roy Pearson who sued a small mom-and-pop dry cleaner for $54 million for misplacing his pants, or the lady who got millions for spilling coffee on her lap, or "when the gloves don't fit, you must acquit".

Link to post

I'm a long time Evernote paid user (Going back to the old 2.x versions), and I have to agree with ghelton. I want some way to lock down evernote. I use Evernote to capture EVERYTHING. Some of this material I just want to keep private - like my journal entries. Now the problem is that some of my devices get shared occasionally like my PC and my iPad - especially the iPad. I don't want someone to just be able to startup Evernote and have immediate access to all my private thoughts, receipts, etc.

It is really a very reasonable request to put an 'optional' simple pin / password on launch. It is a quick feature to implement. It doesn't have to be bullet proof, just keep the honest people honest. I really don't understand why Evernote is so resistant to this. I also don't understand why so many users are defending their position.

Link to post

Thanks johnnullstream, since posting this a while back I am still using Evernote more than ever. But I have had to take it off my work machine due to these privacy issues and the fact that I can't be selective about which notebooks get synced. I would gladly subscribe again if I could use it for work, as my personal needs don't necessitate a subscription.

Link to post

I'm a new premium user, and within the first minutes of trying out Evernote was bothered by the lack of this feature. In my search for a journaling and general holding-stuff app over the years, I've found it pretty common for apps to leave off security features. The best I've found is MacJournal, where you can lock individual notebooks (and they have folders, so you can lock by folder as well), but in all other respects I prefer Evernote. I decided that since neither met the conditions of what I wanted, I would use Evernote for everything, but draw the line at things that I would be really upset if somebody else saw, such as journal entries, and keep that for MacJournal.

Here's the problem, which is a use case that I don't think the devs are considering: it's not about unauthorized access to my computer. It's that when I'm showing somebody something on my computer, at work or wherever, and I perform a search (maybe in Evernote, maybe just with Spotlight), I don't want there to be any way for those private entries to come up. I don't want them unencrypted anywhere on my machine. However, I do want access and indexing of all my other files and Evernote entries, so for this to work, the distinction between private and less-private has to be made by Evernote, not by an overall OS setting.

I think Evernote is a great product, and I don't mind if the end result is that it's too much work in a direction the devs don't want to go, but everything I've read on the subject and heard in the podcasts seems to indicate that they have a misconception of why some people are asking for this feature.

Link to post

In my opinion, basic security has been a big problem for Evernote for a while. I think I posted about this a year ago and got no reasonable solution.

For any program designed to store such great amounts of data across multiple devices, you need some way to lock it down.

I'm not talking about DoD level security/encryption. If you have notes that are that sensitive, then they probably shouldn't be placed in EN.

I'm just talking about preventing wandering eyes from being able to access everything you have in EN simply because they can access your computer, smartphone and iPad.

What I believe is essential:

1) a PIN to protect the EN client on each of the mobile platforms (much like the Mint application allows you to require a PIN before the app will launch).

2) the ability to require the input of a PIN/password to view any note in EN. Either configure it so you only have to enter the PIN/password once per session, or include a timeout function so after a defined period of inactivity, you are prompted to re-enter the PIN/password.

What would be nice:

1) In addition to above, the ability to assign a PIN/password to a specific notebook. To view anything in that notebook, you need to enter the password/PIN (again either once per EN session or include a defined period of inactivity that resets the password status).

Please, please, please implement this functionality.

Link to post

I agree 100%.

Security on Evernote has been discussed on this forum many times. Unfortunately the 3 wise men (Podcast listeners know who I mean) at Evernote don't seem to want to develop basic security such as MacJournal already has. Symbolic links and Truecrypt have been mentioned by Dave but this doesn't stop prying eyes on the ipad which in our house is for family use.

Yet it was discussed on a Podcast a while ago and it was said that if people kept asking for security, it would be looked at again.

Judging by the amount of times that the question of security comes up I would have thought it was indeed time to look at security again. Maybe do it for Premium Users so that there is another reason to upgrade.

SO PLEASE EVERNOTE GIVE SECURITY ANOTHER THOUGHT.

Link to post

Agree. I am (trying to) switch from OneNote and, personally, the inability to password-protect a notebook is an issue. It seems like a trivially basic concept.

Love everything else about the program, though.

Link to post

I upgraded to a Premium Subscriber status over a year ago. I believe the security procedures implemented by Evernote are satisfactory. If higher levels of security will affect the OCR and search capabilities, then count me out. For the folks who want to store information that they would not trust with a high-end email provider, well, they should find another program.

But for me along with the majority of 4 million Evernote users, the security fills the bill. Login info is sent over SSL. I use the encrypted pass phrase option to protect some of my info. The local non-sync'd notebooks can protect my other important data and not expose it to anyone. Evernote has a tight internal protection system.

Evernote has some helpful information on privacy and security on their blog

http://blog.evernote.com/2008/04/15/evernote-privacy-and-security/

Link to post

This is an interesting thread, with a lot of great thoughts, but the one I keep having is, why put all that sensitive information on EN in the first place? Is it really necessary to have access to your old bank statements on every device you use? Really?

I am just getting started with the "paperless" approach. I downloaded some Amex statements, and only 3 of the 8 pages are useful. But the pdf download files are password protected? Why? It's just a digital copy of a paper statement. They couldn't tell me. Took me all of 5 minutes to download a free utility to remove pdf passwords, so I could remove the 5 useless pages in each statement.

Then I noticed, that despite only using the last 4 digits of the acct number on the pages headers, at the bottom of page 1 is the "payment slip", with the full account number fully visible. Since I own the Pro version of Adobe, I can manually redact that pretty easily, and I'm pretty comfortable with then uploading that to EN. But why do I need to? Why not just tuck that file away on encrypted hard drives, locally?

No disrespect intended, but I think some EN users just go way too far with putting stuff on EN..... "because I can" is not reason enough to do something.

Link to post
Rustyc said:

No disrespect intended, but I think some EN users just go way too far with putting stuff on EN..... "because I can" is not reason enough to do something.

Reminds me of my grandfather wondering why people were switching from snail mail to email. "Why in my day, we had no problems with writing letters with a pen (quill) and ink".

Link to post
This is an interesting thread, with a lot of great thoughts, but the one I keep having is, why put all that sensitive information on EN in the first place? Is it really necessary to have access to your old bank statements on every device you use? Really?

(snip)

No disrespect intended, but I think some EN users just go way too far with putting stuff on EN..... "because I can" is not reason enough to do something.

I ABSOLUTELY AGREE!

Although I use EN a LOT, I've repeatedly stated I don't put sensitive info in Evernote. IME, there's normally not a time when I need to produce a sensitive document right then. You can usually go old school & say, "I'll have to get it to you when I get home." If it is a rare situation where I really, really, really have to have it right then, I can use Logmein to access my home computer (on 24/7) and/or access my Jungle Disk account (my main cloud backup.) (So I guess I do have all my sensitive info available from other computers/devices...but I don't need them in Evernote. If files on the EN servers were encrypted, would I add them? Probably so. But since that interferes with the indexing of notes, it's NBD to store/organize them in other apps & use EN for notes that are not of a sensitive nature.)

I do have a small bit of sensitive info I want to have at the ready such as my elderly mom's insurance info (in case she doesn't have her card with her) & such. I put that in Dropbox & can quickly pull them up on my iPhone. But since all files stored on the Dropbox servers are encrypted, they are not "searchable" but I don't need them to be.

Also, regarding Dropbox, I'm really not sure how "unhackable" their encryption is. But since only your login password is required, that means there's no "2nd key" (IE 2 keys to open a bank safe deposit box) so I don't think their encryption is on the same level as Jungle Disk. Jungle Disk allows you to encrypt buckets & they warn you that if you forget your password, your encrypted data is unrecoverable. So I don't store things like SSNs, passwords, etc in Dropbox either. BUT...you can create a Truecrypted container in your Dropbox account that would be secure. I want to try that to see how it works with my iPhone...when I get the time. ;-)

Evernote is a helpful tool to help you remember things. You should definitely make your own decision about what sorts of things you want to put into it. Some people will draw the line differently than others, just like some people will send things via email that other people would not. Everyone can choose their own balance between convenience and security.

Back to the OP's original question, how difficult would it be to put a challenge passphrase when launching the app? A lot of us are not talking about military grade security here, we just want to have some basic security in place to keep prying eyes from looking at our stuff if we lend our computer to someone to check their e-mail.

The same goes for mobile clients. Evernote needs a pincode. Dropbox offers this, a lot of different mobile writing apps offer this, the Evernote position on this just really baffles me. Device level security is NOT enough. If you lend your phone to someone to make a call or play a game, you do not want them accessing your Evernote library without a challenge. Yes, we know it can be hacked. Anything can be hacked with enough time. That's not what a lot of us are talking about here. We just don't want all of our thoughts and memories wide open to whoever may happen to sit down in front of our computer or use our phone.

This just seems really basic. Evernote's consistent refusal to do anything about it makes me want to stop storing things of any consequence with the service. If it's just going to serve as a collection of web clips, then what do I need a Premium subscription for?

I agree. I don't need an encrypted database or anything. What I need is just a simple password check to start Evernote, so people at work can't snoop around in my personal stuff when I'm not at my desk.

My screen-saver with password check automatically kicks in after 5 minutes of no activity.

Not only does it protect Evernote, but it protects everything else.

A simple password gets things running again.

Yup I have RedHand on my Mac that allows me to quickly lock my machine whenever I'm not in front of it - will even take a photo of someone trying to login and getting my password wrong :)

PIN number on my iPhone does a similar thing.

Seriously, if you are going to give your phone to someone to make a call and you can't trust them not to snoop through your stuff, do you really want to lend them your phone in the first place?

At the moment I get my screensaver after 30 minutes of inactivity too, but I have a little problem with that.

I often have to connect to my PC via VNC and I can't connect to my PC while the screensaver is running.

But even if that would work. I don't want to protect my entire system, because my co workers technically must have access to my PC. I'm not allowed to protect it. The only thing that should be protected is Evernote. It can't be that hard to implement the same kind of pin/password protection, that you have on your phone or the screensaver, into Evernote.

I don't want to protect my entire system, because my co workers technically must have access to my PC. I'm not allowed to protect it. The only thing that should be protected is Evernote.

Then, as I've said before, in other posts, get a program that allows you to add a PIN to individual programs. There are a few out there & even some free ones (Gameprotector - Windows only.)

http://www.gameprotector.com/

Well, I guess that works with version 4, since a new instance of Evernote is started every time you click the Evernote icon, but with version 3.5 that wouldn't work, as it's always running in the background.

So the protector would only ask once while booting the system (starting Evernote) and not every time I double click the tray-icon when maximizing Evernote.

I'll try it out with version 4, then. I hope it works. Thanks for the tip. I didn't see you mention it before. Sorry. Although I still think such features should be integrated into Evernote, so that I don't have to jump through hoops to achieve the same thing. I don't think that I'm the only one that is interested in this "feature".

Well, I guess that works with version 4, since a new instance of Evernote is started every time you click the Evernote icon, but with version 3.5 that wouldn't work, as it's always running in the background.

So the protector would only ask once while booting the system (starting Evernote) and not every time I double click the tray-icon when maximizing Evernote.

I'll try it out with version 4, then. I hope it works. Thanks for the tip. I didn't see you mention it before. Sorry. Although I still think such features should be integrated into Evernote, so that I don't have to jump through hoops to achieve the same thing. I don't think that I'm the only one that is interested in this "feature".

You can exit EN3.5 by right clicking the icon in the system tray. No reboot required.

I don't want to protect my entire system, because my co workers technically must have access to my PC. I'm not allowed to protect it.

Then I guess you have to weigh the "inconvenience" of running a personal program on your employer's computer.

Of course I can. It's not necessarily a question of what I can or can not do. It's a question of convenience.

I don't want to start and exit Evernote every time I want to use it. Besides. Some features like the auto-import wouldn't work while Evernote isn't running in the background.

My point is. There is just no easy way to achieve an access protection to Evernote if it's not built into the application itself and it would be nice if the developers would consider implementing this.

If not I could try to write a software myself which works similar to the gameprotector, but instead of preventing the application from starting it should prevent Evernote from maximizing. I don't know if this is possible or how to achieve this, but I could give it a try.

I don't want to start and exit Evernote every time I want to use it. Besides. Some features like the auto-import wouldn't work while Evernote isn't running in the background.

My point is, if your employer requires you to leave your computer unlocked so other workers can use it, they probably don't want you using programs for your personal use on it. If you elect to go ahead & install something for personal use anyway, then it seems exiting EN each time you leave the computer sounds like it's your only option to keep others out of your personal EN. IE if you installed Quicken on your work computer to use for personal use, you'd have to exit Quicken each time you left your computer unattended, so that another user would not be able to get into it w/o entering the Quicken PIN.

Your situation is similar to someone installing EN desktop client on a public computer, even if a PIN was on EN. Anyone with enough tech knowledge can sit down at your computer & copy off your exb file & take it to another computer & read it, should they want to. IMO, if you don't want anyone to gain access to your EN data, then don't have it on your work computer, since you are required to let others use it, too. Stick with the web version & log out, each time you leave the computer for the day, lunch, etc.

I know that. That's why I said that the protection doesn't have to be perfect. Most of my co workers don't have any tech knowledge at all. Some don't even understand the difference between a foreground and background window. Those people don't even know what files are.

Only a few colleagues have to have access to my PC in a case of an emergency. If I'm on vacation for example. The last time this happened was several years ago. Otherwise the PCs are pretty much our own private PCs and everyone has their private stuff on it.

Anyways. I've looked into the possibility to prevent other applications from being maximized or brought into the foreground. Don't know how to do it yet. It's possible to catch the messages from other applications, but to suppress them until you typed in your password is a whole other ballgame.

I would very much appreciate a comparison between local notebooks and synced notebooks when it comes to the added value features that Evernote provides.

Part of my notes are already stored on local notebooks. Those notebooks are encrypted using TC and that encrypted information is synced using Dropbox... it is a real pain to sync my containers once I added one new note or I just changed one word for the whole file needs to be synced.

Could anybody provide the info I requested a while back? Dropbox + TC is a burden and makes things too cumbersome :(

I would very much appreciate a comparison between local notebooks and synced notebooks when it comes to the added value features that Evernote provides.

Part of my notes are already stored on local notebooks. Those notebooks are encrypted using TC and that encrypted information is synced using Dropbox... it is a real pain to sync my containers once I added one new note or I just changed one word for the whole file needs to be synced.

Could anybody provide the info I requested a while back? Dropbox + TC is a burden and makes things too cumbersome :(

I would very much appreciate a comparison between local notebooks and synced notebooks when it comes to the added value features that Evernote provides.

From someone else who uses local notebooks:

1. Obviously, the contents of said local notebooks are on one machine. No cloud goodness.

2. You have to make sure you do your own backups. Using EN 3.1, I use the enscript.exe to export the contents of my local notebooks.

3. No OCR of any images that you put into that local notebook. I don't know about the indexing of PDFs that you attach.

4. You can't email directly into those particular notebooks, which makes sense, because the evernote magic that allows for mailing directly to a notebook doesn't know about them. (What happens is that you can send an email with @ to your EN account; the email goes through, but will end up in your default notebook.)

Off the top of my head, those are the only bits of functionality that you miss by using local notebooks. Fully half of my notes are in local notebooks (for work reasons), and I find I don't miss any of the functionality, except maybe the last one.

Hope this helps.

Does anyone know how secure Evernote is on a local LAN? If I'm using the Windows client software both at home and at work, and I have evernote notebooks that are personal, can the data being synced be viewed by my work's IT department? Via a packet sniffer or something?

Also, I log out at the end of each day - can the local database file be accessed without my login password, or is the data encrypted?

Cheers,

Dan.

Databases are not encrypted unless you put the database in something like a TrueCrypt volume or encrypt it with some other type of program. Your password isn't needed to access your local database when you start the program.

Your userid & password are sent encrypted, but the note contents themselves are sent in the clear if you are a non-premium user so a packet sniffer could read the contents of a note. If you are a premium member then everything is sent via HTTPS so a packet sniffer wouldn't be able to decipher the text of a note.
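An added example (not part of the original posts and not Evernote code) of how to check for yourself whether a local database file is stored in the clear, which is also why a launch PIN alone would not stop someone who copies the file: it inspects the file's bytes for a plaintext database header, a known canary string, and byte entropy. It assumes the local store is an ordinary SQLite file, which the thread does not state; the sample database and the random-byte stand-in for an encrypted container are constructed here.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; good ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def audit_at_rest(blob: bytes, canary: bytes) -> dict:
    """Report the three signals that show whether a copied file is readable."""
    return {
        "sqlite_header": blob.startswith(SQLITE_MAGIC),
        "canary_visible": canary in blob,
        "entropy": round(shannon_entropy(blob), 2),
    }

def looks_encrypted(report: dict) -> bool:
    # All three must agree; 7.5 bits/byte is a heuristic threshold (assumption).
    return (not report["sqlite_header"]
            and not report["canary_visible"]
            and report["entropy"] > 7.5)

def build_sample_db(canary: str) -> bytes:
    """Constructed sample: a tiny SQLite file holding one note with the canary."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE notes (title TEXT, body TEXT)")
        con.execute("INSERT INTO notes VALUES (?, ?)", ("bank", canary))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)

def sample_ciphertext_stand_in(size: int = 8192) -> bytes:
    """Constructed sample: random bytes standing in for an encrypted container."""
    return os.urandom(size)
```

To audit a real file, write a note containing a unique canary string, exit the client, and pass the file's bytes and the canary to `audit_at_rest`.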

The Windows client actually uses HTTPS for all traffic, so it's not visible on the LAN.

Premium users are guaranteed to get SSL on every client. The WinInet networking stack is too much of a mess to open some SSL connections (port 443) and some HTTP connections (port 80) without hitting random undocumented limits on some configurations/firewalls/proxies/etc. So we stick to "no more than two connections, https only, per process" on Windows.

I have EN 4.0 on multiple computers, one of which is a work laptop that I would like to password protect / require a password to launch EN. I can't seem to find the setting for this, can anyone help? I just want EN to require a password every time it is launched.

Thanks!

Stimulatedboredom wrote:

I just want EN to require a password every time it is launched.

Sign off after using Evernote

>Tools

>Sign Out

Otherwise, use the Forum search feature for Password

This topic is now closed to further replies.