Zim

Wish: Encryption

Bug #811666 reported by Johan Vromans
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
Zim | Confirmed | Wishlist | Unassigned |

Bug Description

Wish: encrypt notes while storing and decrypt while reading.

The encryption keys can be stored in the Gnome keyring, but GnuPG agent would be fine as well.

Tags: encryption
Johan Vromans (jvromans) wrote :

Eh, GnuPG agent would be fine (not find) as well.

Jaap Karssenberg (jaap.karssenberg) wrote : Re: [Bug 811666] Re: Wish: Encryption

Johan, would it be sufficient to only encode the file contents? In the past
I rejected this feature request with the consideration that it would be
difficult to encrypt file names etc. as well. So security will be limited as
node names can already tell a lot about the content.

Of course there are options like encfs to put the notebook on an encrypted
filesystem. This will encode both the content and the file names. (Btw. I'm
still planning an "automount" plugin to handle encfs encrypted notebooks,
but didn't get around to it yet.)

Cheers,

Jaap

Johan Vromans (jvromans) wrote :

[Quoting Jaap Karssenberg, on July 17 2011, 09:48, in "Re: [Bug 811666] Re:"]
> Johan, would it be sufficient to only encode the file contents?

Hi Jaap,

Yes, that's exactly what I mean.

From Zim you can see the document names/titles, but when opening the
document you need to supply a password (or reuse a keyring password).

Thanks,

-- Johan

Adam Porter (alphapapa) wrote :

This would be a nice feature. I can see how both the GnuPG and EncFS options would be useful.

How would it affect indexing? It'd be easy to leak data into the index. Also, what about temp files? I recall seeing some ~new~ files popping up and disappearing. (I don't know much about Zim's internals.)

Jaap Karssenberg (jaap.karssenberg) wrote :

On Wed, Aug 10, 2011 at 2:04 AM, Adam Porter <email address hidden> wrote:

> This would be a nice feature. I can see how both the GnuPG and EncFS
> options would be useful.
>

This is about GnuPG only - based on encryption per page. In this case indeed
the index will have at least page names and maybe also tasks etc. that are
not encrypted. So it is not perfect.

The way to go for full encryption is to use e.g. EncFS. In that case you
encrypt the whole folder on filesystem level and everything is protected.
This you can already do, just store a zim notebook on an EncFS mount.

-- Jaap

Changed in zim:
status: New → Confirmed
importance: Undecided → Wishlist
Jaap Karssenberg (jaap.karssenberg) wrote :

Since the last discussion on this request the automount plugin has become available. I use it myself to mount the encrypted folder whenever I start zim. This should work with any solution that encrypts full folder structures, and allows mounting them as unencrypted folders - like EncFS.

I had a look at encrypting individual pages, but need to further investigate what (python) library to use for this. Now I'm wondering if there is not already a (unix) tool that we can just use as a filter when reading the page. That would make it quite easy to patch this in as a plugin, without having to read up on the fine details of encryption libraries and how to use them. If the tool supports the gnome key ring, it would be even better - otherwise zim needs to keep the password in memory.

Keep in mind though that any data in the index (page names, tags, and including tasks if you use the tasklist) will not be safe this way.
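
The limits of content-only encryption raised in the comments above (readable page names, index entries, temporary copies), as an added example that is not part of the thread or of Zim's code: a Python audit of a notebook folder that lists what stays readable when only page bodies are encrypted. The `.zim/index.db` location, the `.zim-new~` suffix and every sample name and content are assumptions constructed for the illustration.

```python
import tempfile
from pathlib import Path

ARMOR = b"-----BEGIN PGP MESSAGE-----"
# First octet of an OpenPGP symmetric-key session-key packet (tag 3) in
# old (0x8c, 0x8d) and new (0xc3) header format. Heuristic, not a parser.
SKESK_OCTETS = {0x8C, 0x8D, 0xC3}


def looks_encrypted(data: bytes) -> bool:
    """True if the bytes start like armored or binary OpenPGP symmetric output."""
    return data.lstrip().startswith(ARMOR) or (len(data) > 0 and data[0] in SKESK_OCTETS)


def audit_notebook(root: Path, needles: list[bytes]) -> dict:
    """Report what stays readable in a notebook folder with per-page encryption."""
    report = {"names_visible": [], "plaintext": [], "temp_files": [], "leaks": {}}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.name.endswith("~"):              # leftover temporary copy
            report["temp_files"].append(rel)
        if looks_encrypted(data):
            report["names_visible"].append(rel)  # content hidden, name is not
            continue
        report["plaintext"].append(rel)
        hits = [n.decode() for n in needles if n in data]
        if hits:                                 # sensitive strings outside ciphertext
            report["leaks"][rel] = hits
    return report


def demo() -> dict:
    """Build a constructed notebook (all names and contents made up) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Medical").mkdir()
        (root / ".zim").mkdir()                  # assumed index location
        (root / "Medical" / "Test_results.txt").write_bytes(
            ARMOR + b"\n\nconstructed-ciphertext\n-----END PGP MESSAGE-----\n")
        (root / "Medical" / "Test_results.txt.zim-new~").write_bytes(
            b"[ ] call clinic about results\n")
        (root / ".zim" / "index.db").write_bytes(
            b"pages\x00Medical:Test_results\x00tasks\x00call clinic about results\x00")
        return audit_notebook(root, [b"Test_results", b"call clinic"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample notebook the encrypted page still exposes its path, and both the index and the temporary copy contain the task text in the clear.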

Johan Vromans (jvromans) wrote :

GPG can pipe in/out. Password management can be handled via GPG Agent.

As far as I am concerned, index information is not sensitive.

Jaap Karssenberg (jaap.karssenberg) wrote :

@johan: can you refer me to a tutorial on how to do single file encryption? Googled a bit already, but most seem to focus on encrypting with public / private keys, which means you have to have certificates etc. I suppose there is also a stand-alone mode to encrypt individual files with a password - or do you always need a certificate? If so how do you deal with certificates - e.g. the risk of losing them and thereby being locked out of the data?

smu (smu) wrote :

I am not Johan, but maybe it is worth having a look at the gpg interface [1] of duplicity [2]. Duplicity is backup software (written in python), which allows encrypting the backup files using gpg.

[1] http://bazaar.launchpad.net/~duplicity-team/duplicity/0.6-series/view/head:/duplicity/gpg.py
[2] https://launchpad.net/duplicity

smu (smu) wrote :

and for password based encryption with gnupg the commandline option
--symmetric
can be used.

Jonathan Davies (jpds)
description: updated
Marcus (mpvm) wrote :

Here is a tutorial on single file encryption using PyCrypto. This feature would be awesome!

http://eli.thegreenplace.net/2010/06/25/aes-encryption-of-files-in-python-with-pycrypto/

Jaap Karssenberg (jaap.karssenberg) wrote :

@marcus: thanks for the link! Looks like something I could add
without too much hassle.

On Wed, Apr 24, 2013 at 8:40 PM, Marcus <email address hidden> wrote:
> Here is a tutorial on single file encryption using PyCrypto. This
> feature would be awesome!
>
> http://eli.thegreenplace.net/2010/06/25/aes-encryption-of-files-in-python-with-pycrypto/

bflorat (bertrand-florat) wrote :

Hi,

I find zim near-perfect for my usage, this is really a great piece of software!
About encryption, I have used this plugin for Tiddlywiki for several years and find it very useful:

http://www.Remotely-Helpful.com/TiddlyWiki/TiddlerEncryptionPlugin.html

This is exactly the behavior I'm waiting for:
- Encrypts only the content
- No indexing (this is an option but I don't really see the point of indexing encrypted content)
- Page/page (tiddler/tiddler) encryption, different password possible for each.
- The encrypted tiddler is replaced by a button "Decrypt"

I'll try the ENCFS +mount solution in the meantime but a TiddlerEncryptionPlugin-like solution would be ideal for me.

bflorat (bertrand-florat) wrote :

FYI, I changed my encryption tools a bit and I found a new acceptable workaround for the lack of page-level encryption in zim: I now use zim files whose content is AES-256 encrypted data and I use [1] from a browser window to decrypt or re-encrypt changed text. I use copy/paste functions of my OS between zim and the browser.

This is slightly better than my previous system using tiddlywiki because the TiddlerEncryptionPlugin uses a broken algorithm (TEA) and because I now have all my notes, even the encrypted ones in my single zim notebook.

Obviously, it would be perfect to have this kind of page-level encryption/decryption using a strong algorithm directly from zim...

Thanks again

[1] http://www.vincentcheung.ca/jsencryption/instructions.html

Jaap Karssenberg (jaap.karssenberg) wrote :

With the current architecture of zim it makes more sense to have encryption implemented as a plugin object that can be embedded in pages rather than encrypting on the page level.
