this post was submitted on 23 Sep 2024
51 points (96.4% liked)

Selfhosted

39980 readers
780 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone! :)

I am currently looking to replace Obsidian with a self-hostable alternative (that preferably also uses Markdown - but it's not a must) but instead of storing the files directly on disk has a way to have all the files within in an encrypted vault / binary format.

Reason being I have very very sensitive data that needs to be stored (employee & medically related).

I read that Logseq used to support this feature but it has since been deprecated, some light googling didn't surface any results other than that so I would be delighted if anyone had any suggestions!

Thanks so much in advance for any and all help! :)

edit: Forgot to mention that it needs to support Linux as well as Android

top 27 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 1 month ago (1 children)

Joplin can encrypt and it is selfhostable and uses Markdown

Benefit: apps for every platform

[–] [email protected] 11 points 1 month ago (2 children)

After some more research it seems that Joplin only E2E encrypts notes at transport and not at rest[1]? e.g. it only stores plain text files on the harddrive just like Obsidian does? This sadly makes it not viable for my use case :/

[1] https://discourse.joplinapp.org/t/requesting-encryption-of-local-joplin-data-at-rest-encryption/15145

[–] [email protected] 7 points 1 month ago (1 children)

E2e in transport is https with extra steps 😅

[–] [email protected] 15 points 1 month ago (2 children)

No it is fully encrypted, even on the server. This topic was years old. You can read a good explanation here

[–] [email protected] 7 points 1 month ago

Oh thanks for the heads-up! Will look more into it then.

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago)

Thx but I was simply refering to e2e in transport 😅

[–] [email protected] 0 points 1 month ago

They do encryption at rest too. Really good notes app and it's cross platform too. Only missing a “web” client for when you want to access your notes on a computer without Joplin installed (but that defeats the purpose of the E2EE IMO)

[–] [email protected] 11 points 1 month ago (1 children)

If you are dealing with compliance seek help from a professional

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

This needs to be reiterated. If you need to comply with ANY laws at all do not perform this service yourself. Consult professionals and allow them to assume that risk.

If all you are doing is trying to encrypt notes you are taking then maybe that's a different story. Please just make sure you are not at a legal risk.

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago) (1 children)

if you're encrypting at rest you also have to consider where there encryption key is being stored.

if you're storing the encryption key plaintext on the same drive as the data, there's not much of a point in encrypting.

a TPM/HSM could solve the issue, depending on how far down the rabbit hole you need to go.

EDIT: You could also encrypt the disk of the VM/Server hosting the app. similar situation.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (2 children)

In my mind at least this would be solved by the "vault" needing to be decrypted with a password every time notes are accessed/saved with the password acting as the key? I'm not terribly well educated on encryption though.

[–] [email protected] 3 points 1 month ago (1 children)

The problem is how many random characters can you remember in your head?

A good encryption key would be around 32 characters to form a 256 bit encryption key.

You can do a fun game of encrypt the encryption key with a password but that's just another vulnerability in the chain.

I recommend getting a PGP key stored on a yubikey and then encrypt all your notes with it since it's all in markdown, I store my notes on Google drive and keep them decrypted in memory so that I can still use Obsidian.

[–] [email protected] 7 points 1 month ago (1 children)

Or just use a password manager like keepass where the problem of storing passwords has been solved already...

[–] [email protected] 1 points 1 month ago

As long as you protect that password store with a sufficiently strong password that you store in a password manager that has a sufficiently strong password :P

I joke but yes some sort of password store is what you would use but make sure that password store needs something like a yubikey with a strong private key on it ^⁠_⁠^

[–] [email protected] 2 points 1 month ago

if you want to type the key yourself each time this could work. I'm not aware of an app that does this but it wouldn't be too hard I don't think.

[–] [email protected] 7 points 1 month ago

You can selfhost Standard Notes. The notes are encrypted client side before they reach the server.

[–] [email protected] 6 points 1 month ago
[–] [email protected] 6 points 1 month ago

Recently I stumbled upon nb

[–] [email protected] 5 points 1 month ago (3 children)

If you are storing manly on one device and are looking for a relatively "simple" solution for encryption at rest I would suggest to just encrypt the folder/directory/image the data are living in.

Of course, this way you have to decrypt the data while you are using it. However, it separates the responsibility from the note taking app.

This may or may not be a good solution for your use case, but it should be fast and easy to implement.

I used to do this with some mildly sensitive data using a mac encrypted disk image with plain markdowns files inside. I accessed the files with vscode, but I don't see why it wouldn't work with Obsidian. It may just be a bit of a hassle to open the vault each time.

[–] [email protected] 4 points 1 month ago (1 children)

This is a security risk! Some note taking apps store data outside of the notes directory (e.g. Logseq)

[–] [email protected] 4 points 1 month ago (1 children)

Good to know, but this is a security risk of the note taking app, not of the encryption method itself.

[–] [email protected] 1 points 1 month ago

Since the method is encryption of the notes folder, I would consider it to be one

[–] [email protected] 2 points 1 month ago

I think this is the best answer. Separation of concerns and all. And OP can keep using whatever notes app he is right now or even switch to another, without the additional encryption requirement.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

I wanted to write the same thing. have the notes app do the notes thing and handle encryption elsewhere.

as to apps, I suggest QOwnNotes. it's markdown, highly configurable so you can make it minimalistic AF, stores notes in invidual files and folders. it also has a bunch functionality like syncing to nexctcolud and such, but I'd advise against it, just use it as a notes editor. you don't have to selfhost anything, make it use the e.g. Documents/Notes folder and you can use syncthing to securely replicate it to other devices.

[–] [email protected] 3 points 1 month ago
[–] [email protected] 3 points 1 month ago

If you like the command line you could consider jrnl

https://jrnl.sh/en/stable/

[–] [email protected] 2 points 1 month ago

Maybe Anytype? It kind of fits the description. It's still in beta though.