mirror of
https://github.com/zadam/trilium.git
synced 2024-12-25 00:34:08 +08:00
Protected notes
ThetaEdra edited this page 2022-06-12 13:42:51 +02:00
Trilium is meant to store all kinds of data, including potentially sensitive data such as journals or credentials.
For such sensitive data, Trilium can protect notes, which essentially means:
- encrypting the note with an encryption key based on your password
  - This means that without your password, protected notes are not decipherable, so even if somebody managed to steal your Trilium document, your protected notes could not be read.
- time-limited access to protected notes
  - To first access protected notes you need to enter your password, which decrypts the note and allows you to read and write it. After a certain time period (by default 10 minutes) the decrypted note is unloaded from memory, and to read it again you need to enter your password again.
  - This time limit counts from the last interaction with the protected session, so e.g. if you continuously write into a protected note, the session is extended automatically and you are not kicked out. Once you change to an unprotected note, the expiration starts counting and the session ends in 10 minutes (unless you interact with protected notes again).
  - This protects against a possible scenario where you leave your computer unlocked for a long time and somebody can access your Trilium application.
- protected notes protect only the confidentiality and partially the integrity of the notes. A user outside the protected session can still e.g. delete the protected notes or move them to a new location.
How to use protected notes
Notes are unprotected by default. If you want a note to be protected, click on the shield icon next to the note title.
What is encrypted
In principle Trilium encrypts data, but doesn't encrypt metadata. This specifically means:
Encrypted:
- note title
- note content
- images
- file attachments
Not encrypted:
- structure of the notes - i.e. you can still see that there are protected notes.
- various metadata - e.g. date of last modification
- attributes
Encryption details
... how we get from password to decrypted note:
- User enters password
- Password is put into the scrypt algorithm together with the "password verification" salt to verify that the password is correct
- Password is put into the scrypt algorithm together with the "encryption" salt, which produces a hash
  - here we use scrypt for key stretching
- Hash produced in the last step is used to decrypt the actual data encryption key
- We use the data encryption key to decrypt the actual data: note title and content.
  - encryption used is again AES-128 with CBC chaining. A unique IV is generated with every encryption operation and stored together with the cipher text.
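The flow described above, sketched in Node.js as an added example (this is not Trilium's own code). The scrypt cost parameters (Node defaults), the salt and hash sizes, the random data encryption key, the IV-prepended storage layout and all function names are assumptions; the page does not specify them.

```javascript
// Added illustration of the password-to-note flow; not Trilium's own code.
const crypto = require('node:crypto');
const KEY_LEN = 16; // AES-128 key size in bytes

// Assumed storage layout: random 16-byte IV prepended to the ciphertext.
function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(16); // fresh IV for every encryption operation
  const cipher = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
}

function decrypt(key, blob) {
  const decipher = crypto.createDecipheriv('aes-128-cbc', key, blob.subarray(0, 16));
  return Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]);
}

// Hypothetical setup: two independent salts, random data key stored only wrapped.
function initDocument(password) {
  const verificationSalt = crypto.randomBytes(32);
  const encryptionSalt = crypto.randomBytes(32);
  const passwordKey = crypto.scryptSync(password, encryptionSalt, KEY_LEN);
  return {
    verificationSalt,
    encryptionSalt,
    verificationHash: crypto.scryptSync(password, verificationSalt, 32),
    wrappedDataKey: encrypt(passwordKey, crypto.randomBytes(KEY_LEN)),
  };
}

// Verify password, stretch it into a key, unwrap the data key; null if wrong.
function openProtectedSession(doc, password) {
  const candidate = crypto.scryptSync(password, doc.verificationSalt, 32);
  if (!crypto.timingSafeEqual(candidate, doc.verificationHash)) return null;
  const passwordKey = crypto.scryptSync(password, doc.encryptionSalt, KEY_LEN);
  return decrypt(passwordKey, doc.wrappedDataKey);
}

// Constructed sample: protect one note, then read it back.
function demo() {
  const doc = initDocument('correct horse battery staple');
  const dataKey = openProtectedSession(doc, 'correct horse battery staple');
  const a = encrypt(dataKey, Buffer.from('journal entry'));
  const b = encrypt(dataKey, Buffer.from('journal entry'));
  return {
    note: decrypt(dataKey, a).toString(),
    wrongPassword: openProtectedSession(doc, 'guess'),
    sameCiphertext: a.equals(b), // false: the IV differs per operation
  };
}
```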
Sharing
Please note that protected notes cannot be shared like regular notes.