Kudos
First of all, awesome product! I tried working with the Simplenote team about a year ago to add E2EE to their protocol and apps (even provided a POC patch and had it working on Android), but they said they were not interested and didn't think it would integrate well with Simplenote's other goals. (I can't believe that security isn't designed into these products from day 1.) So, kudos to you for designing Joplin with security in mind!
Issue
However, the biggest security hole I see is the transmitting and storage of the encrypted master keys. (I admit I have not read the code to see how they are encrypted using the password -- which would be nice to point out in the docs -- but ...) Handling this in other ways seems to be more secure, no?
Recommended Solutions
Can we have a feature where we can paste in our own base64-encoded master keys (like from PGP)?
Or, better yet, how about integration with a tool that is already designed to handle this for us ... like Open Keychain (Android) / GnuPG, etc.?
Thanks!
No plan for this at the moment, but a button to export/import a master key, and a checkbox to disable syncing of master keys could be an option. Doc is on the website.
I found the doc that describes, sort of, how the encryption works, but it does not say how it encrypts the master keys with the password (algorithm, etc.), right?
This would be valuable to know without having to dig into the code, I think.