Home / GitHub Page

New user - just a couple questions


#1

Hi,

I’m trying to move away from Onenote.

I investigated Joplin but still have a couple questions

  1. there was a discussion on Reddit where it was mentioned that Joplin stores the password in plaintext format in SQLite database, and relies on OS encryption instead, is this true ? AFAIK Windows 10 Home doesn’t even provide encryption.

  2. Can the default location of the database in Windows be changed? I find that Joplin portable takes too long to start up when placed in Veracrypt container. The default install to C drive is fast but I don’t seem to have any control over database location.

  3. When syncing to Dropbox or Onedrive, isn’t the database encrypted both in transit and at rest ? So I assume it’s also encrypted in Dropbox folder in Windows? Can’t Joplin just use this encrypted data file ?

Thanks


#2

The data is stored in an SQLite file so if someone has access to your computer they can indeed extract the password if they know where to look.

Note that it’s true of many programs - if someone has unrestricted access to your computer, they can probably check your emails, impersonate you at your bank, change your passwords on various services, etc. Even if Joplin was encrypting the password, it would still has to be plain text in memory (to allow sync without asking for the password every time) so someone can still get it from there. There’s just no simple solution to this problem, which is why it’s currently not implemented.

You can start the executable with the --profile option followed by the path to the profile dir. For example, joplin.exe --profile e:\encrypted_container\joplin. Or you can use the portable version and put it directly on the encrypted container.

It’s encrypted in transit and on the sync target. Locally, in the SQLite database, it’s decrypted.


Export encrypted backup file + 2FA?