  • 2
doex

encryption for all notes by default

Idea

I think encryption is very important.

At the moment it is not possible to encrypt notes on a mobile device and the way notes can be encrypted is really complicated.
So from my point of view everything stored in Evernote must be encrypted directly when it is stored. On all devices.

 

What do you think?


6 replies to this idea

  • 0
1 hour ago, doex said:

At the moment it is not possible to encrypt notes on a mobile device and the way notes can be encrypted is really complicated. So from my point of view everything stored in Evernote must be encrypted directly when it is stored. On all devices. What do you think?

Are you aware of the current FBI court case against Apple dealing with encryption on the iPhone? Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory. The point: data in iOS is already encrypted - even the FBI has problems accessing it.

An issue with encryption - it interferes with the search indexing.
Personally I would not want all my data encrypted - I like to be selective.

I do wish Evernote would expand the encryption feature - it's currently only available on the desktop platforms (iOS does offer decryption).
However, I don't want to be locked into Evernote by encryption.
I usually do my encryption externally in the form of encrypted PDFs - it's a better solution for mobility.

  • 0

Sorry for the late response. :-(

No, I am aware of the day when somebody corrupts the Evernote infrastructure and steals all customers' data. And the best way to reduce the "damage" would be an encryption by default.

  • 0
On 2017-04-11 at 12:28 AM, doex said:

No, I am aware of the day when somebody corrupts the Evernote infrastructure and steals all customers' data. And the best way to reduce the "damage" would be an encryption by default.

You'll be happy to know that Evernote has implemented "encryption at rest" on their servers.

  • Like 1

  • 0

Just googled "encryption at rest". Sounds good. Thank you for the feedback.

Best regards

 

  • 0

Google's Encryption At Rest feature is only protection against a certain attack, the attack where the attacker is only trying to access the data on the hard drive and is not using the Evernote application/architecture/API.

They've made a system where outside of the application (and by application I mean anything in the whole Evernote Server/Client architecture)... So, they've made a system, where if I try and hack at it from outside the application I'm going to find encrypted data. But, if I hack at it from within the application, I can get at anything.

For example, I can use an encrypted hard drive to store my database and I can use an encrypted communication layer between my server and my client, but if I, as an administrator, log into the database, I can access all the data within the database.

An administrator at Evernote has access to the keys. They can use their internal tools to retrieve my data. If this was all "so secure", they wouldn't have added a feature to encrypt individual notes, because it would have been completely unnecessary. What they need to do is add a feature (better yet, set it as default) where everything I store is encrypted by my key in their filestore/database on the live server (not just at rest). Most hackers don't get into your system through a hole in the OS, they get at it through the hole in your application. They take advantage of things like XSS (Cross Site Scripting), SQL injection, etc. If the application sees the data in the clear, always, then so will the hacker. If the application needs a "key" to make the data "clear", then the hacker will also need that "key".

My worry isn't just some outside attacker, it's also some non-scrupulous Evernote employee, or the case where Evernote sells to some company with a different view on privacy. Or, Evernote goes into receivership and someone buys all the EN IP, solely for the purpose of data mining. My list could go on and on.

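Added example (not part of any post in this thread, and not Evernote's code): a Node.js model of the two designs discussed above, encryption at rest with a service-held key versus notes encrypted under a user-held key, which also shows the search-indexing trade-off raised earlier in the thread. The class and function names (`AtRestService`, `BlobService`, `seal`, `unseal`, `demo`) and the sample note are constructed for illustration.

```javascript
// Added illustration, not Evernote's code; all names here are hypothetical.
const nodeCrypto = require("crypto");
// AES-256-GCM helpers. Blob layout: 12-byte IV | 16-byte tag | ciphertext.
function seal(key, text) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString("utf8");
}

// Model A, encryption at rest: the service owns the key, so the disk holds
// ciphertext but every code path inside the application can read plaintext.
class AtRestService {
  constructor() { this.key = nodeCrypto.randomBytes(32); this.disk = new Map(); }
  put(id, text) { this.disk.set(id, seal(this.key, text)); }
  readViaApplication(id) { return unseal(this.key, this.disk.get(id)); }
  search(word) { // server-side search works because the server can decrypt
    return [...this.disk.keys()].filter((id) => this.readViaApplication(id).includes(word));
  }
}

// Model B, user-held key: the service only ever receives opaque blobs.
class BlobService {
  constructor() { this.disk = new Map(); }
  put(id, blob) { this.disk.set(id, blob); }
  readViaApplication(id) { return this.disk.get(id); }
}

function demo() {
  const note = "constructed sample note: door code 0000";
  const a = new AtRestService();
  a.put("n1", note);
  const b = new BlobService();
  // The key is derived on the client from a passphrase the server never sees.
  const userKey = nodeCrypto.scryptSync("constructed passphrase", nodeCrypto.randomBytes(16), 32);
  b.put("n1", seal(userKey, note));
  return {
    diskHidesA: !a.disk.get("n1").includes(note),         // raw disk: ciphertext
    appReadsA: a.readViaApplication("n1") === note,       // inside the app: plaintext
    serverSearchA: a.search("door"),                      // server can index
    appReadsB: b.readViaApplication("n1").includes(note), // inside the app: ciphertext
    ownerReadsB: unseal(userKey, b.readViaApplication("n1")) === note,
  };
}
```

In model B the service has no way to offer server-side search or OCR over the note body, which is the cost side of the default-encryption request.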
  • 0
8 hours ago, LittleMonkeyMojo said:

They can use their internal tools to retrieve my data.

Personally I encrypt my data if I want to keep it private. No one is retrieving that data.

My other data is being processed by Evernote; OCR ...
