Tuesday, Aug 10 2010

Securing Evernote

Evernote is one of my favourite applications on any platform and I use it on several for a huge variety of things. The nature of Evernote is to provide a system that can hold any information and be accessed anywhere. This lends itself to storing just about everything in it. I certainly try to keep as much as possible in it, but this innate power and flexibility also makes Evernote potentially dangerous to use and so I thought I'd write something about securing Evernote. This won't necessarily be a definitive guide of making your Evernote account into Fort Knox, but it will hopefully give you some options to consider in terms of how you use and access Evernote.

Overview

So I thought I'd start with a bit of a discussion about how Evernote works at a high level. As you hopefully know, Evernote is a system that allows you to capture information via a number of applications on various platforms. These include desktop applications (Windows & Mac), mobile (Android, iOS, Blackberry), web and via a number of other applications (various platforms) via the use of the Evernote API (see the Evernote Trunk for some examples). When you enter information into a synchronised notebook, at the next synchronisation the information in the note will be synchronised to and/or from a central repository in the cloud (i.e. to Evernote's servers via the Internet).

Now that we have a common basic overview of the nature of the service, we'll take a look at the heart of the service (your Evernote account) and work our way out from there.

Securing your Evernote Account

So when you sign up for your Evernote account you are required to choose a user name and a password. The first thing to consider is choosing a user name that would not be easy to guess but is not so difficult for you to remember. This simply makes it a little harder for anyone who might want to hack into your account to do so. The next step is obviously to choose a difficult-to-guess password.

Password complexity enforcement is pretty standard in the enterprise, so think about making your password relatively long and include a mixture of case (upper and lower case characters) as well as some symbols. Try to avoid using words that might appear in a dictionary, and remember that even passwords with symbolic substitutions (e.g. "P@$$w0rD") can be cracked with a brute force password attack, because cracking tools apply those same substitutions to their wordlists. Remember as well that changing your password periodically is good practice. The more paranoid you are about someone accessing your data, the more frequently you should change your password.
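As an added illustration (not code from the original post), the following Python check undoes common symbol substitutions the way a cracker's mangling rules would, so that a password like "P@$$w0rD" is recognised as the dictionary word it is; the wordlist is a constructed stand-in for a real dictionary or leaked-password list.

```python
import math
import re

# Constructed mini wordlist; a real check would load a full dictionary or leaked-password list.
WORDLIST = {"password", "evernote", "welcome", "letmein", "dragon", "summer"}

# Symbol/digit substitutions that cracking tools routinely undo with "leet" mangling rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

def normalise(password: str) -> str:
    """Undo leet substitutions and case, as a mangling rule set would before a lookup."""
    return password.translate(LEET_MAP).lower()

def charset_bits(password: str) -> float:
    """Naive strength estimate: length * log2(alphabet size), assuming random choice."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return len(password) * math.log2(size) if size else 0.0

def assess(password: str) -> dict:
    """Flag dictionary words hiding behind substitutions or a trailing digit/symbol suffix."""
    base = normalise(password)
    stem = normalise(re.sub(r"[^A-Za-z]+$", "", password))   # "Dragon7" -> "dragon"
    dictionary_hit = base in WORDLIST or stem in WORDLIST
    bits = charset_bits(password)
    if dictionary_hit:
        verdict = "weak: dictionary word with substitutions"
    elif len(password) < 12:
        verdict = "weak: too short"
    elif bits < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"dictionary_hit": dictionary_hit, "bits": round(bits, 1), "verdict": verdict}
```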

Something related to this is your Evernote e-mail address. Whilst having the details of this address does not give you access to the account, it does allow people to spam it and fill up your quota, so do make sure you keep this safe and if you do start to receive spam you can always force a new address to be generated.

Data Location

The next thing to consider is what data you are going to store and where it is going to be stored. I find this to be probably the trickiest consideration, and it is at the heart of the data-everywhere dilemma that Evernote gifts us.

When you store data in Evernote you have two choices as to where to store it. These are synchronised and local notebooks. The content of synchronised notebooks can be accessed on any platform and a centralised copy is stored in the cloud (on Evernote's servers). These notebooks are duplicated on any desktop client and if you have a premium account you may also choose to duplicate to some of the mobile platforms. Local notebooks are available only on a particular desktop device and are not duplicated or synchronised.

So if you have any concerns about passing your data out onto the Internet, then you should certainly consider storing some of your data in a local notebook. The downsides are that you won't be able to access your data anywhere on any platform and you won't be able to take advantage of some of the cloud features such as scanning images for text.

In some cases this may be an appropriate course of action. It is always important to consider when adding any personal information into Evernote what the impact of someone accessing your account might be. The greater the personal risk or loss (e.g. details of your Swiss bank account, recipe for the Colonel's herbs and spices chicken coating, wife's Christmas present list) the more you might consider isolating the data from the cloud.

Some users may choose to use some sort of synchronisation service other than Evernote to keep local notebooks synchronised between PCs. Services like Dropbox and SugarSync provide such an option, but again the data is being stored out in the cloud. Some corporate synchronisation systems may, however, provide the data control and synchronisation required by some users.

As a final thought it may be that some items of data you may never wish to store in Evernote as you feel it is simply too great a risk. Well as much as I love Evernote, there are a few things I simply wouldn't trust to any storage - I keep them in my first brain.

Encryption of Notes

Of course most of the time you might simply want an extra bit of protection on your notes to ensure that even if someone does get access to your Evernote account, they can't read the most sensitive information held in there. This is where text encryption can come into play.

The Evernote desktop clients (Mac & Windows) have inbuilt options to encrypt text using a password of your choice. So the first thing is to not reuse the same password that you use to get into your Evernote account. You can use different passwords for different notes, but be careful not to forget which one it is, as there isn't any way to reset it.

The mobile and web platforms do allow you to decrypt encrypted text, but they don't currently allow you to encrypt a selection of text, so this can be a limitation for the initial capture of information. As a bit of a workaround on these platforms you could use an interim method of using a web page with JavaScript key-based encryption to protect the content (e.g. http://www.fourmilab.ch/javascrypt/javascrypt.html). I would recommend then changing it to the inbuilt Evernote encryption when you can next get to a desktop client, as this simplifies things to a single-step process and does not require you to leave Evernote to carry out the decryption.

Evernote encryption does not allow anything other than text to be encrypted, so if you have any additional items embedded in your note then you need to encrypt these separately. This could be via inbuilt password protection for things like word processed documents and spreadsheets, or by putting files within an encryptable archive/container file such as ZIP, RAR or 7Z. One thing to consider is that not all platforms support all file types, so you may for example have some difficulty accessing an encrypted RAR file on your iPhone.

Again, remember that if you encrypt anything, it can't be read in its unencrypted form by the Evernote servers and so they can't index the content. So to help you search for any notes containing encrypted text, make sure you put appropriate search terms in an unencrypted part of the note.

If you do encrypt text or attachments I would advise that you make good use of unencrypted keywords in the body of the note (and/or tags) to enable you to quickly find the right note using Evernote's search functionality. For example, if you have encrypted the username, password and connection details for a system and stored that in a note, make sure the note has the title of the system and maybe some sort of reference to logon details, user account, login instructions, ... whatever terminology would make most sense to you when you were trying to find it.
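An added example, not Evernote's own code or the post's, modelling the advice in this section: the sensitive part of a note is encrypted under a note-specific passphrase (a PBKDF2-derived key with an HMAC-based stream cipher and an authentication tag, assumed here as a stand-in for the client's real cipher), while title, tags and plain body stay visible to the search index; the payroll note and its values are constructed.

```python
import hashlib, hmac, os

def _derive(passphrase: str, salt: bytes):
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 64)
    return key[:32], key[32:]            # separate encryption key and MAC key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; an assumed stand-in for the client's real cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_text(plaintext: str, passphrase: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive(passphrase, salt)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag       # encrypt-then-MAC layout

def decrypt_text(blob: bytes, passphrase: str) -> str:
    salt, nonce, ct, tag = blob[:16], blob[16:28], blob[28:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):   # wrong passphrase: nothing can reset it
        raise ValueError("wrong passphrase or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def can_decrypt(blob: bytes, passphrase: str) -> bool:
    try:
        decrypt_text(blob, passphrase)
        return True
    except ValueError:
        return False

def make_note(title, tags, plain_body, secret_body, passphrase):
    return {"title": title, "tags": tags, "body": plain_body,   # searchable in the clear
            "encrypted": encrypt_text(secret_body, passphrase)}  # invisible to the index

def search(notes, term):
    """Mimics the server-side index: it only ever sees title, tags and plain body."""
    term = term.lower()
    return [n["title"] for n in notes
            if term in " ".join([n["title"], *n["tags"], n["body"]]).lower()]

# Constructed sample note: logon details for a payroll system, with keywords in the clear
NOTES = [make_note("Payroll system logon", ["login", "user account"],
                   "Logon details for the payroll server; credentials encrypted below",
                   "user=sm_payroll pass=hunter2-example", "note-passphrase-not-account-password")]
```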

This is generally good practice all round when using Evernote. For example I occasionally deal with colleagues in an office in Cardiff. This has been referred to as the Cardiff office, the Welsh office, the Wales office, a regional office, a nation office, a national office, and probably a few more I can't recall. I try to make sure that I have appropriate keywords such as Cardiff, Wales, Welsh, regional, nation and office to help make sure that when I search, no matter which term might be in my head at the time, I'm able to find it.

Database Encryption

As well as encryption of a single note, you can also opt to encrypt the entire Evernote database on your local clients. This isn't practical on all clients, but it is straightforward enough on the desktop clients. Using some sort of encryption software to create an encrypted container file that can be mounted as an additional 'virtual' hard drive is a common enough approach across many applications. Tutorials on how to do this are easy enough to find on the Internet, but DocumentSnap.com has articles covering how you can do this on both Mac and Windows specifically around Evernote (second part of each article, after the how-to on encrypting text inside a note).

On the mobile clients this is a little more difficult and in some cases impossible with current operating system restrictions. The direct purchase of Tasker for Android will let you do a number of nifty tasks including on the fly encryption and decryption of files based on application launching and closing. So if you want to secure your Android Evernote I'd suggest taking a closer look at this. In fact if you use Android just go and take a look at this fantastic power user application.

Device Security

With the exception of the web client, Evernote is running on a specific device. Such devices often have security safeguards that mirror what we've highlighted so far. For example, you can have encrypted file systems on a desktop computer (e.g. BitLocker). You can also have user IDs and passwords to log on, and perhaps even before logon through the use of boot-up passwords and security software. You may even have biometric access or two-step processes involving something such as a smart card or RSA key. These all add extra levels of security to your Evernote information on your local device.

Mobile devices haven't developed to this level of sophistication yet, but each of them allows a password, pass code or in some cases a pass-gesture to be set before someone is able to access data on the device. Of course, remote wiping of devices is also now commonplace, so whilst it won't necessarily maintain the integrity of your data, it is a highly effective option for keeping your data secure should you lose your device.

As a final point on this, physical security is also a noteworthy precaution. If someone else can't physically gain access to your mobile device, then it will make it significantly harder to get to Evernote. Whilst spyware might provide an alternative way in on some devices, the use of appropriate anti-virus and anti-spyware software should be standard practice for all computer users.

Data Traffic Security

Whilst the logon process for Evernote is carried out using encryption protocols (SSL), the transfer of data for a basic (freemium) user account is currently unencrypted (UPDATE - freemium account traffic is now passed using SSL). Premium users, however, enjoy the benefit of all data traffic being encrypted. This in effect means that people can't monitor network or Internet traffic and read the content of your notes when they are being synchronised between the Evernote server and your client device. This is particularly beneficial for users who connect to more open networks, such as those in coffee shops and restaurants, where it is often easier for criminals and hackers to snoop on the packets of data whizzing around that network.

Conclusion

So we've worked our way up from securing the Evernote account through to location of the data, the content of the data and protecting the storage that the data is held on. We've looked at securing the devices that you might be running an Evernote client on and securing the traffic that passes between the Evernote server and your client. There are lots of options out there on how to secure Evernote at a variety of levels.

Evernote themselves provide additional information relating to security and privacy in their privacy policy that is also worth a read.

Hopefully you now have a few ideas on the sort of protection and practices you can apply in and around Evernote to protect your data. If you have any other tips on securing Evernote (particularly on specific platforms and devices), please add a comment and share your idea.


Reader Comments (6)

UPDATE: SSL is now applied to both free and premium accounts.

February 7, 2011 | Registered CommenterStephen Millard

I have been using Evernote for a long time; it makes it so easy to remember all the valuable things in my life, and in other words I am a great fan of it. Using it on a computer as well as a phone makes it a remarkable tool. Also, I so admire all of its security features. I think it is the best tool I have ever used for updating and holding my information anywhere.

Relatively speaking, Evernote doesn't provide huge quantities of security features, just a key few. In the desktop app, encryption of data is there, plus traffic encryption over SSL (including freemium accounts now) and username/password credentials for account access.

This size of security feature set is why I wrote this post in order to show where some of the weakest links in the security chain could be strengthened by user actions. I keep a lot of information in Evernote and whilst I perhaps don't trust it to keep my most private data secure I do have a lot in there that I don't want publicly available. Adopting the approaches outlined above and considering what you store, and how you access it will hopefully help keep your data safe and sound.

February 13, 2011 | Registered CommenterStephen Millard

On the 19th of April, Evernote released an Android client update that includes an option (for premium subscribers) to set a PIN on the application as an additional level of security. According to a post on the Evernote forums, a similar approach is planned for the iOS client.

May 1, 2011 | Registered CommenterStephen Millard

Nice article.

I'd personally like to see an option to encrypt an entire notebook, even if it means I have to enter a separate password when I access it from any client and/or can't access it via the web for some reason.

Encrypting only certain text seems way too tedious for me, as things like bank statements should be able to be encrypted as a whole.

I am hoping they add this or some other more substantial security features.

Thx. JB

October 20, 2011 | Unregistered CommenterJB

The encryption in Evernote is a double-edged sword, which I guess is why they don't focus on providing various granular levels of security for text, notes, notebooks, stacks, accounts, clients, ....

The issue I think they have is that if you encrypt something it is inaccessible to Evernote to scan through. Now I don't mean this maliciously, but more that a core feature of Evernote is to index and search all of your notes. Once you go beyond encrypting the content of a note, Evernote starts to have some fuzziness around you wanting to title or tag a note. At a notebook level, the Evernote architecture I assume might start having issues about working out how many notes you have in the notebook.

The best approach might be (and I'm assuming this is what you would really want) to be able to automatically select a notebook to encrypt the content (and not the meta-data) of every note that is created in it. I guess the fact that some of the mobile clients can't handle the encryption side of things yet and there's no encryption currently available for attached/embedded files like images or documents. I guess there's maybe a few intermediate steps that would need to be taken before ubiquitous automated client-side encryption could be applied.

... but I think that would be a cool feature too ;-)

October 22, 2011 | Registered CommenterStephen Millard
