[GH-ISSUE #519] Protect a note with a password #258

New issue

Closed

opened 2026-03-03 00:19:43 +03:00 by kerem · 10 comments

kerem commented 2026-03-03 00:19:43 +03:00

Owner

Copy link

Originally created by @mnmami on GitHub (Jul 2, 2020).
Original GitHub issue: https://github.com/BoostIO/BoostNote-App/issues/519

This is a feature request/wish. It would be really awesome if it was possible to protect access to a note (perhaps also folder). A simple password would do.

Originally created by @mnmami on GitHub (Jul 2, 2020). Original GitHub issue: https://github.com/BoostIO/BoostNote-App/issues/519 This is a feature request/wish. It would be really awesome if it was possible to protect access to a note (perhaps also folder). A simple password would do.

kerem 2026-03-03 00:19:43 +03:00

• closed this issue
• added the
  feature request 🌟
  label

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@huzibizi commented on GitHub (Jul 22, 2020):

it would be even better if it could be encrypted with the password, with a good strong encryption like AES. it would make the files hard/impossible to recover if you forget the password - but it would be great having it available as an option.

Option 1) Unsecured

Option 2) Secured with password only

Option 3) Secured with password and encryption

Maybe something like that. (for now you can just store your boostnote storages on a partition encrypted with Veracrypt or something similar though i guess, or something like boxcryptor if you're using a cloud service)

It would be cool if the user could choose the encryption method too but not necessary,

<!-- gh-comment-id:662579821 --> @huzibizi commented on GitHub (Jul 22, 2020): it would be even better if it could be encrypted with the password, with a good strong encryption like AES. it would make the files hard/impossible to recover if you forget the password - but it would be great having it available as an option. > **Option 1) Unsecured** > > **Option 2) Secured with password only** > > **Option 3) Secured with password and encryption** Maybe something like that. (for now you can just store your boostnote storages on a partition encrypted with Veracrypt or something similar though i guess, or something like boxcryptor if you're using a cloud service) It would be cool if the user could choose the encryption method too but not necessary,

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 23, 2021):

@mnmami How much security level do you need?

1. HTTP API data payload encryption: Our backend will send document data after encrypt. Pretty safe from XSS attack until you unlock the documents. Still visible from BoostIO, service provider so we can provide search functionality.
2. E2E data encryption: We store encrypted data. No one, including BoostIO, cannot access the content without its password. You cannot search encrypted documents from our app anymore since we cannot make them indexable. Pretty safe from data breaching from our backend database.

<!-- gh-comment-id:903624429 --> @Rokt33r commented on GitHub (Aug 23, 2021): @mnmami How much security level do you need? 1. HTTP API data payload encryption: Our backend will send document data after encrypt. Pretty safe from XSS attack until you unlock the documents. Still visible from BoostIO, service provider so we can provide search functionality. 2. E2E data encryption: We store encrypted data. No one, including BoostIO, cannot access the content without its password. You cannot search encrypted documents from our app anymore since we cannot make them indexable. Pretty safe from data breaching from our backend database.

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 23, 2021):

You can suggest other options. We just want to know how many security measures do people need.

<!-- gh-comment-id:903624941 --> @Rokt33r commented on GitHub (Aug 23, 2021): You can suggest other options. We just want to know how many security measures do people need.

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@mnmami commented on GitHub (Aug 23, 2021):

Thanks, @Rokt33r. Among the two options, I would like to have E2E data encryption.

You can suggest other options. We just want to know how many security measures do people need.

I'm no expert in the field, but I can also think of access token-based authentication, e.g. SSL private key (is it option 1 from above?), an app-specific authenticator file, some standardized authenticator provided by third parties e.g. Google, Microsoft, etc.

<!-- gh-comment-id:903998165 --> @mnmami commented on GitHub (Aug 23, 2021): Thanks, @Rokt33r. Among the two options, I would like to have E2E data encryption. > You can suggest other options. We just want to know how many security measures do people need. I'm no expert in the field, but I can also think of access token-based authentication, e.g. SSL private key (is it option 1 from above?), an app-specific authenticator file, some standardized authenticator provided by third parties e.g. Google, Microsoft, etc.

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 24, 2021):

I'm no expert in the field, but I can also think of access token-based authentication, e.g. SSL private key (is it option 1 from above?), an app-specific authenticator file, some standardized authenticator provided by third parties e.g. Google, Microsoft, etc.

@mnmami I don't understand what you exactly want to have. Do you want us to implement somewhat 2-factor verification for an individual document?

<!-- gh-comment-id:904228935 --> @Rokt33r commented on GitHub (Aug 24, 2021): >I'm no expert in the field, but I can also think of access token-based authentication, e.g. SSL private key (is it option 1 from above?), an app-specific authenticator file, some standardized authenticator provided by third parties e.g. Google, Microsoft, etc. @mnmami I don't understand what you exactly want to have. Do you want us to implement somewhat 2-factor verification for an individual document?

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@huzibizi commented on GitHub (Aug 24, 2021):

What joplin does is perfect, if you could replicate their end to end encryption functionality that would be great, i use it with nextcloud and it encrypts all my notes synced there, works very well: https://joplinapp.org/spec/e2ee/

Functionality allowing the user to protect and encrypt a note stored locally (that wouldn't otherwise be encrypted with e2ee) would be useful too, but i guess less important, because to encrypt those local notes the user could just encrypt their system drive instead.

<!-- gh-comment-id:904244062 --> @huzibizi commented on GitHub (Aug 24, 2021): What joplin does is perfect, if you could replicate their end to end encryption functionality that would be great, i use it with nextcloud and it encrypts all my notes synced there, works very well: https://joplinapp.org/spec/e2ee/ Functionality allowing the user to protect and encrypt a note stored locally (that wouldn't otherwise be encrypted with e2ee) would be useful too, but i guess less important, because to encrypt those local notes the user could just encrypt their system drive instead.

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@mnmami commented on GitHub (Aug 24, 2021):

Sorry @Rokt33r for the confusion. Please see the updated comment with the intended quote.

<!-- gh-comment-id:904494446 --> @mnmami commented on GitHub (Aug 24, 2021): Sorry @Rokt33r for the confusion. Please see the updated comment with the intended quote.

kerem commented 2026-03-03 00:19:44 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 31, 2021):

@huzibizi I don't think we can provide the same feature of Joplin app.

1. Our app is not replicating the whole data of storage for each client.

It seems Joplin syncs the whole data and decrypted it from each client. But our service is sending data on demand. So our server needs to understand what the client requests. It means our app needs to understand the storage structure of the user's storage. Also, the OP is asking about protecting a single note, not encrypting the whole storage.

2. Our backend needs to handle real-time collaborative writing.

Quite similar to the first reason. Our real-time server needs to read changes from clients to resolve any conflicts among them and generate revisions.

So I think we need a different approach. What experience do you exactly want to have?

1. Although It's not E2EE, we can still send encrypted payload for every HTTP request and web socket communication. But our backend still needs to read the data to provide the basic functionality, navigating, authoring, and anything else.

2. We can also introduce a new feature like "encrypted blocks" which can be embedded on a document but cannot open until further authentication is done. It can be E2EE. Its contents are completely unreadable from our backend. So we cannot provide real-time editing for the blocks.

<!-- gh-comment-id:909085712 --> @Rokt33r commented on GitHub (Aug 31, 2021): @huzibizi I don't think we can provide the same feature of Joplin app. 1. Our app is not replicating the whole data of storage for each client. It seems Joplin syncs the whole data and decrypted it from each client. But our service is sending data on demand. So our server needs to understand what the client requests. It means our app needs to understand the storage structure of the user's storage. Also, the OP is asking about protecting a single note, not encrypting the whole storage. 2. Our backend needs to handle real-time collaborative writing. Quite similar to the first reason. Our real-time server needs to read changes from clients to resolve any conflicts among them and generate revisions. So I think we need a different approach. What experience do you exactly want to have? 1. Although It's not E2EE, we can still send encrypted payload for every HTTP request and web socket communication. But our backend still needs to read the data to provide the basic functionality, navigating, authoring, and anything else. 2. We can also introduce a new feature like "encrypted blocks" which can be embedded on a document but cannot open until further authentication is done. It can be E2EE. Its contents are completely unreadable from our backend. So we cannot provide real-time editing for the blocks.

kerem commented 2026-03-03 00:19:45 +03:00

Author

Owner

Copy link

@Rokt33r commented on GitHub (Aug 31, 2021):

@mnmami How do you think about the idea, "Encrypted blocks" in https://github.com/BoostIO/BoostNote-App/issues/519#issuecomment-909085712

<!-- gh-comment-id:909086023 --> @Rokt33r commented on GitHub (Aug 31, 2021): @mnmami How do you think about the idea, "Encrypted blocks" in https://github.com/BoostIO/BoostNote-App/issues/519#issuecomment-909085712

kerem commented 2026-03-03 00:19:45 +03:00

Author

Owner

Copy link

@mnmami commented on GitHub (Sep 1, 2021):

@Rokt33r yes, also a very good idea.

<!-- gh-comment-id:910280674 --> @mnmami commented on GitHub (Sep 1, 2021): @Rokt33r yes, also a very good idea.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/npm_and_yarn/braintree/sanitize-url-and-mermaid-6.0.2

dependabot/npm_and_yarn/http-cache-semantics-4.1.1

dependabot/npm_and_yarn/json5-and-json5-and-json5-and-html-webpack-plugin-2.2.3

dependabot/npm_and_yarn/express-4.18.2

dependabot/npm_and_yarn/qs-6.5.3

dependabot/npm_and_yarn/decode-uri-component-0.2.2

dependabot/npm_and_yarn/electron-18.3.7

dependabot/npm_and_yarn/file-type-16.5.4

dependabot/npm_and_yarn/terser-4.8.1

dependabot/npm_and_yarn/got-11.8.5

dependabot/npm_and_yarn/jsdom-16.7.0

dependabot/npm_and_yarn/eventsource-1.1.1

feature/add-attachment-prompt-dialog

display-trial-length

feature/add-kanban-url-clickable

refactor/request-optimisation

refactor/align-endpoints

feature/improve-code-block-path-showcase

feature/fix-kanban-context-menu-on-long-title

fix/view-filters

automations/ast-impl

automations/input-typed-restrictions

automations/logs

automations/remove-env

ui/kanban-flex

feature/make-kanban-headers-sticky

feat/beta-automations

bug/navigation-view-selector

fix-ja

feature/add-evernote-migration

feature/fix-mock-handlers

feature/add-doc-drag-and-drop

feature/add-keymap-customization

feature/add-doc-save-status

feature/add-toolbar-in-edit-mode-select

bug/speed-improvement

blocks/input-streams

fix/blocks-beta-release

fix/workspace-visibility

pr/1090

fix/space-switcher-description

fix/migration-tab

feat/add-betaprogram-sidebar

feat/doc-page-renewal

ui-fix-shared

ui-settings-tmp

features/doc-props

feat/comments

ui-polish-settings

revert-917-reorganize-v2

ui-border-color

feat/doc-state-while-resync

fix/nav-tree

fix-descriptions

fix-description

ui/background-migration-text

ui-copy-btn

ui-timeline-header

bug/shared-collab-auth

ui-improve-sidebar

deprecated-web-app

v10

temp

ui-fix-border

lp-update-info

Flexo013/about/update_slack_2020

lp-update-boosthub

Flexo013-readme-mobile-links

improve-note-page2

legacy

gh-pages

cloud-1.58.4

cloud-1.57.1

cloud-1.57.0

cloud-1.56.5

cloud-1.56.4

cloud-1.56.3

cloud-1.56.2

cloud-1.56.1

cloud-1.56.0

cloud-1.55.1

cloud-1.55.0

cloud-1.54.5

cloud-1.54.6

cloud-1.54.4

cloud-1.54.3

cloud-1.54.1

cloud-1.54.2

cloud-1.54.0

cloud-1.53.9

cloud-1.53.8

cloud-1.53.6

cloud-1.53.5

cloud-1.53.4

cloud-1.53.3

cloud-1.53.1

cloud-1.53.0

cloud-1.52.6

cloud-1.52.7

v0.23.1

cloud-1.52.3

cloud-1.52.2

cloud-1.52.1

v0.23.0

cloud-1.52.0

cloud-1.51.3

cloud-1.51.2

cloud-1.51.1

cloud-1.51.0

cloud-1.50.7

cloud-1.50.6

cloud-1.50.5

cloud-1.50.4

cloud-1.50.3

cloud-1.50.1

v0.22.0

cloud-1.50.0

cloud-1.49.3

cloud-1.49.2

cloud-1.49.1

cloud-1.49.0

v0.21.2

v0.21.1

v0.21.0

v0.21.0-0

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.18.0-1

v0.18.0-0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.16.0-0

v0.15.1

v0.15.0

v0.15.0-0

v0.14.3

v0.14.3-0

v0.14.2

v0.14.2-1

v0.14.2-0

v0.14.1

v0.14.0

v0.14.0-1

v0.14.0-0

v0.13.2

v0.13.1

v0.13.0

v0.12.5-1

v0.12.5-0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.2

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.0

v0.6.1

v0.6.0

v0.5.0

v0.4.1

v0.4.0

v0.3.0

v0.2.1

v0.2.0

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.1.0-13

v0.1.0-12

v0.1.0-11

v0.1.0-10

v0.1.0-9

v0.1.0-8

v0.1.0-7

v0.1.0-6

v0.1.0-5

v0.1.0-4

v0.1.0-3

v0.1.0-2

v0.1.0-1

v0.1.0-0

v0.1.0-pre

Labels

Clear labels   

android 🤖

  

assigned to core 🦹

  

bug 🐛

  

documentation 📚

  

documentation 📚

  

duplicate 🚫

  

external issue 🔼

  

external issue 🔼

  

feature request 🌟

  

funded on issuehunt 💵

  

help wanted 🆘

  

improvement request 🔨

  

improvement request 🔨

  

ios 🍎

  

mobile 📱

  

needs investigation 🔬

  

needs more info ℹ️

  

needs specs 📐

  

plugin idea 🔌

  

plugin idea 🔌

  

poll 🗳️

  

pull-request

Mirrored from GitHub Pull Request

  

question ❓

  

rewarded on issuehunt 🎁

  

security issue 🔑

  

won’t fix ❌

No labels

android 🤖

assigned to core 🦹

bug 🐛

documentation 📚

documentation 📚

duplicate 🚫

external issue 🔼

external issue 🔼

feature request 🌟

funded on issuehunt 💵

help wanted 🆘

improvement request 🔨

improvement request 🔨

ios 🍎

mobile 📱

needs investigation 🔬

needs more info ℹ️

needs specs 📐

plugin idea 🔌

plugin idea 🔌

poll 🗳️

pull-request

question ❓

rewarded on issuehunt 🎁

security issue 🔑

won’t fix ❌

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/BoostNote-App#258

No description provided.