@sahal
Last active April 15, 2025 00:35
Using Joplin More Securely

I recently watched a digital security training and I learned a few things about the software that I use on a day-to-day basis. One of the links listed for further reading was Beyond pen and paper: Secure note-taking apps for journalists.

Joplin has geolocation information enabled by default, and sync is not encrypted end to end by default.

Oops!

Disable Geolocation

for all new notes

To disable geolocation for all new notes, you can set the setting as described here: Disable location in Note properties.

for existing notes

Now, this DOES NOT remove the geolocation for all of your previously stored notes, which is annoying. I haven't found a super user-friendly way to do this. It does require a working Python install and enabling the Web API (also called Web Clipper) inside the Joplin UI.

Enable the Joplin API

Unfortunately, the API is confusingly called "Web Clipper" in options and not just API.

Follow the instructions here: Where do I find Web Clipper options in the Joplin desktop app

Take note of the API key that's provided, as you'll need it for the following steps.

Install Python

Follow instructions for your device: How to install Python on your System.

Set up a virtualenv

cd
mkdir joplin-joppy-remove-geolocation
cd joplin-joppy-remove-geolocation
python -m venv .
source bin/activate

Run the script

pip install joppy
wget https://raw.githubusercontent.com/marph91/joppy/refs/heads/master/examples/remove_geolocation_info.py \
  --output-document ./remove_geolocation_info.py
# Replace <TOKEN> with the API key from the Web Clipper options
API_TOKEN=<TOKEN> python remove_geolocation_info.py

This is super fast and runs almost instantly.

That's it!
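
To confirm the cleanup worked, the read-only check below lists any notes that still carry a location. It is an added example, not part of the original gist or of joppy. It assumes the Web Clipper service listens on its default port 41184 and that the token is in `API_TOKEN`, as above; the function names and the sample data are constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:41184"  # assumption: default Web Clipper port
GEO_FIELDS = ("latitude", "longitude", "altitude")
# Constructed sample pages in the API's paginated shape, used when API_TOKEN is unset.
SAMPLE_PAGES = {
    1: {"items": [{"id": "a1", "title": "Trip", "latitude": "48.85660000",
                   "longitude": "2.35220000", "altitude": "0.0000"}], "has_more": True},
    2: {"items": [{"id": "b2", "title": "Todo", "latitude": "0.00000000",
                   "longitude": "0.00000000", "altitude": "0.0000"}], "has_more": False},
}


def has_location(note):
    """True if any geolocation field is present and non-zero."""
    return any(float(note.get(field) or 0) != 0.0 for field in GEO_FIELDS)


def notes_with_location(fetch_page):
    """Follow has_more across all pages; return notes that still carry a location."""
    found, page = [], 1
    while True:
        data = fetch_page(page)  # {"items": [...], "has_more": bool}
        found.extend(n for n in data["items"] if has_location(n))
        if not data.get("has_more"):
            return found
        page += 1


def fetch_page_from_joplin(page):
    """Read one page of notes from the local Joplin Data API (read-only GET)."""
    query = urllib.parse.urlencode({"token": os.environ["API_TOKEN"], "page": page,
                                    "fields": "id,title," + ",".join(GEO_FIELDS)})
    with urllib.request.urlopen(f"{BASE_URL}/notes?{query}", timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    live = "API_TOKEN" in os.environ
    leftovers = notes_with_location(fetch_page_from_joplin if live else SAMPLE_PAGES.__getitem__)
    for note in leftovers:
        print(note["id"], note["title"])
    print(f"{len(leftovers)} note(s) still carry geolocation data")
```

Run it with the same `API_TOKEN` while Joplin is open; a count of 0 means no note in the local database retains a latitude, longitude or altitude.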

Enable encryption

This is something that you should set up as well. It's not enabled by default. If you have a lot of notes, you'll want to take a backup first.

Take a current backup

See notes on the project's GitHub documentation: Joplin Plugin: Backup.

Disable sync on other devices

So that your Joplin DB doesn't get garbled up, disable sync on all other devices where you might have sync set up.

See documentation around Synchronization: Synchronisation

Enable encryption

This should prevent eavesdropping on the line regardless of your transmission medium (e.g. if you're not using HTTPS) and prevent folks from gathering your data wholesale from your cloud provider.

Note that Joplin only stores data encrypted on the remote server you sync to/from. Your notes are always stored decrypted on your local device.

To enable encryption, follow the instructions here: End-To-End Encryption (E2EE)

Caveats and Gotchas

  1. Not sure if this has to be said: Back up your database before starting this journey
     • I'm so glad I have the option of restoring from backup, if I want to.
  2. Joplin has some weird af encryption defaults.
  3. Note history is not re-encrypted when you enable encryption.
     • This isn't great for security if you have it enabled. According to Note history historical notes are not deleted until the next interval.
  4. Re-synchronization is anxiety inducing on your secondary devices.
     • The instructions say you should disable synchronization on all secondary devices before enabling encryption.
     • Then on your main device, enable encryption.
     • Finally, I ran "Re-encrypt data."
     • Once everything was re-synced to my remote, I enabled synchronization on my secondary device. For this, you need to add your "master key" to your secondary devices.
     • The anxiety inducing part was that my "Conflicts" tab filled up with many many files. In hindsight, I should've removed existing conflicts before starting my encryption journey. It was easy enough to select all and delete.
  5. Even after all that, I still had leftover note histories on my remote.
     • I just manually removed them after taking a backup. 🤷