GNOME Bugzilla – Bug 417316
Encrypted note support
Last modified: 2017-07-31 12:45:11 UTC
It would be cool if you could encrypt Tomboy notes. Attaching patch from Roger Nesbitt, sent to tomboy-list on 12/4/2006. We seem to have issues with tomboy-list archives, so I wanted to save this somewhere. Below is the text of the email from Roger: Hi all, Here's the latest code. I've implemented AES encryption, and the only thing left to do is how we get passwords from the user. At the moment all notes are encrypted with the password "test". Anyone want to stick up for gnome-keyring as a method of storing and retrieving passwords? Otherwise I'll quickly stick in the two dialogs required to have passwords entered from the app itself. I still can't really see the benefit in gnome-keyring, but don't want to cause Alex any maintenance headaches... Also, any graphical artists out there? We need a version of the tomboy yellow note paper icon that has a little lock in the middle. I haven't found any suitable stock Gnome icon for the "encrypt" button either. Cheers, Roger
Created attachment 84409 [details] [review] Encryption Manager
Created attachment 84410 [details] [review] Patch to existing Tomboy code, adding support for encrypted notes. Remember, this was created 12/04/2006, so it probably doesn't apply cleanly to the latest code.
For the record, Alex's response: Cool! Great work Roger. I haven't given this close review yet, but I think the encrypt button should probably be listed in the Tools menu in the toolbar. I don't think it's a common enough action to warrant being constantly visible. Again, I'd prefer to leave password maintenence outside of Tomboy. Also, given that Tomboy is now an official Gnome app, we're sure to get some push-back for not using the Gnome technologies intended to solve exactly this problem. -Alex
Why would you need to encryt notes ? Can't this be done with a more generic approach like encfs or luks ?
A simple use case is this: 1. You register for a new account on some website. 2. You pick a new password that you're afraid you'll forget, so you want to note it down for awhile. 3. You put your new account information with password in a Tomboy note, because that's the way you like to keep track of notes. 4. You want it to be secure, so you encrypt *just* that note in Tomboy (either with a known password, or with gnome-keyring, or something). You can adapt this story to be about any other private information. The point is, a user might want a really brain-dead easy way to encrypt one note.
Then use a special purpose application like revelation http://oss.codepoet.no/revelation/ ? Because what if i don't want to store in Tomboy but instead in gedit, abiword, openoffice, evolution memo, etc ? I think it would be far better to have a special-purpose application or a safe place / encrypted folder.
Benoit, the password example was just an example. You can replace it with any other private information you might need to store (account numbers, confirmation numbers, coordinates of Jimmy Hoffa's body, love letters, porn links, etc). Everyone has different techniques for storing such data. You seem to prefer storing files in a safe/encrypted folder, or just encrypting flat files. That's fine. But a lot of users don't like dealing with folders and files for such things, which is why they use Tomboy in the first place. What do you propose for such users? That they learn two or three ways of doing the same thing (taking a note) because of implementation details on our side? I'm not saying Tomboy should be some huge store of all information a user has. We're just trying to meet the note-taking needs of our users, and many users have requested this feature. That being said, we don't have a design in mind, which is one reason this is a suggested Summer of Code project (where development would not happen on the trunk). So while we have no plans to implement this feature in the short term, I'd like to leave this enhancement bug open to track any development that may take place. But please continue leaving any comments you may have on this bug. It's really helpful to see everybody's opinions on this, and also to know what people are currently doing to solve these problems.
(In reply to comment #7) > Benoit, the password example was just an example. You can replace it with any > other private information you might need to store (account numbers, > confirmation numbers, coordinates of Jimmy Hoffa's body, love letters, porn > links, etc). revelation perfectly handles most of (numbers, links, coords). But you pointed something right : say i want to store love letters, photos and videos of my new girlfriend. Tomboy would only be able to deal with the love letters (which i guess i would have copied from an email). What about pictures and videos ? Does this mean that EOG has to handle encrypted pictures or that tomboy should have picture support ? I think a general approach is needed. Not per application / per filetype. Think GNOME. > Everyone has different techniques for storing such data. You seem to prefer > storing files in a safe/encrypted folder, or just encrypting flat files. > That's fine. > These techniques don't require any knowlegde at all about GPG keys. You only need a password, which may be handled by PAM / gnome-keyring / gnome-volume-manager. > But a lot of users don't like dealing with folders and files for such things, > which is why they use Tomboy in the first place. What do you propose for such > users? That they learn two or three ways of doing the same thing (taking a > note) because of implementation details on our side? > > I'm not saying Tomboy should be some huge store of all information a user has. > We're just trying to meet the note-taking needs of our users, and many users > have requested this feature. > Since when tomboy has became a confidential data store ? I though it was a post-it program. I am just afraid of a 'my application can save documents encrypted' race. And afraid of password prompts. IMHO, if i had confidential data, i wouldn't write it on my post-it block. This is the difference i make between a 'simple note-taking application' and other applications. I think locking my account is enough for normal data. Bank Account numbers are way too important to be saved on a post-it. I don't think i would ever think 'this note is really important, i need to encrypt it' (unless i discover cold fusion). So i don't think this feature would be useful to me. Keep tomboy simple. And gnome-keyring is a must. Thanks.
*** Bug 356779 has been marked as a duplicate of this bug. ***
Setting the default assignee and QA Contact to "tomboy-maint@gnome.bugs".
*** Bug 533533 has been marked as a duplicate of this bug. ***
Created attachment 128333 [details] [review] Tomboy 0.12 Addin, uses Seahorse (dbus) to gpg encrypt single Notes Hi, My tomboy now contains over 350 notes which I share over multiple computers. Very few of these notes deal with private matters, like doctor appointments, money and the like. I'd like to encrypt these notes. The attached patch creates a tomboy addin which uses seahorse via dbus to encrypt/decrypt a single note. You'll need a running seahorse daemon and a pgp key which is set as the "default key" in seahorse preferences. Currently no automatic detection of encrypted notes is included, they will just appear as ascii armored text.
Sandy, As requested on #Tomboy, here's some 'needs' myself and others would have for encryption, as I see it: Please use GPG as the back-end, as users can easily use that on MacOS, Linux, and Windows. Please allow the use of both password (symmetric), and key encryption. It appears that some people would like the possibility of encryption by-note, and have asked for it. I think users might find it easier to just have all their notebooks encrypted wholesale. Either way would provide the usability I'm looking for though. Again, Thanks so much for the great project. I'm finding new uses for it every week.
It would be nice if you could specifically force notes to be encrypted before they go out to any of your sync destinations. I for one would feel more comfortable storing my notes on a cloud resource (i.e. Ubuntu One) if they were not world-readable there. fwiw, I like the idea of integrating this feature with Seahorse. It already has access to my PGP keys, might as well make use of that.
From a sync point of view, I'm thinking of doing this on a per-notebook basis (as far as the user sees), and only doing the encryption/decryption at sync time, only encrypting the content (not the title or tags or anything else), and using only symmetric encryption to make it easier to implement in JavaScript for Snowy's HTML5 offline client. Working on a proposed spec for it, and trying to work out some details on implementation.
I changed my mind about only doing encryption/decryption at sync time. Now want to do it in saved content. Here is a braindump from my note on work in progress: Encrypting/decrypting notes during sync is a bad idea...introduces a bunch of likely failure scenarios that degrade the sync experience. Better to just encrypt directly in .note file. Some notes on this: • Need to sync from stored data, not from in-memory note, to get encrypted content. • In most scenarios, user will auto-encrypt/decrypt, so encryption will happen on every save. Maybe best to only write note content when it's known that it changed (and not just a tag or cursor position or whatever). • What is the impact on search? Well, clearly we need to decrypt automatically on note content load, not just on note open. • How to tell if a note is encrypted? Trust tags: ‣ system:encryption:algorithm:AES ‣ system:encryption:IV:;lasjfdl;s ‣ system:encryption:salt:l;ajsdfs ‣ etc etc ‣ maybe use system:encryption:encryptonvsave to tell Tomboy to use encryption storage engine? ‣ If no system:encryption tags exist, the note should be treated as unencrypted. • Other gotchas? To do this cleanly, we really need to abstract our note storage much better. We need a StorageEngine add-in endpoint. An encrypted storage engine could just extend another engine. This could work like a pipeline, though how we expose this to the user I don't really know. Will probably need to do signficant cleanup to the difference between NoteData and Note classes, though maybe not? Will see. Good opportunity to experiment with a sqlite storage engine, btw. Encryption User Experience: • Auto-encryption should be focus, but what about outside of that? • What do prefs look like for this? • What happens when decryption fails? • To what degree can we integrate with Seahorse/gnome-keyring and native equivalents on other platforms?
How's this looking for Tomboy 1.6?
Too late in the cycle now, we should bump to 1.8. I'll make a new milestone.
Comment on attachment 128333 [details] [review] Tomboy 0.12 Addin, uses Seahorse (dbus) to gpg encrypt single Notes Greg is creating a whole new Encryption scheme that will work with Sync services.
Bump... What's the status of this addin? I have Tomboy 1.10.0 and I haven't been able to find any new info re note encryption.
Aaron, Maybe we can talk about this in the next planning meeting.
Bump... again :) I'm on Tomboy 1.11.5 now and don't see an addin for encryption. Incidentally, some are using tools like EncryptFs which apparently encrypt the folder where the notes are stored and this also makes encrypted synchronization possible. Example: http://www.codemonkeyninja.com/blog/?p=598
Some crafty fellows at "Fachhochschule Hagenberg" (University of Upper Austria) have created a "PrivateNotes" plugin [1] for Tomboy which implements note encryption. It may or may not resolve this bug. [1] http://privatenotes.dyndns-server.com/wiki/doku.php
The Tomboy team has moved from GNOME Bugzilla to GitHub for bug reports and feature requests: https://github.com/tomboy-notes/tomboy/issues/ Closing this report as NOTGNOME as part of Bugzilla Housekeeping (bug 781054) to keep tasks in one place. Please feel free to transfer this task to GitHub if this task is still valid in a recent Tomboy version. We are sorry for the inconvenience.