November 20, 2015 will

Deploy Encrypted Notes 1.0.0 to Heroku

A few weeks ago I built a little web application to store notes. It encrypts your notes in the browser before storing them in the cloud (yeah, I hate that term). The idea was that even if the server was compromised, nobody could read the notes without your password.

From the server logs it looks like at least a few people are actively using it, even though there is a big warning saying it is for testing only. No idea what for, of course, because even in the admin all I can see is a string of random characters.

This is how notes are stored in the database.

New Version

I've jumped straight to version 1.0.0 with the latest release, since it has been running happily for quite some time with no issues. It's still 'use at your own risk', but it is such a simple application that there is little to go wrong.

Deploying to Heroku

There is an element of trust here: whoever runs the notes server could serve compromised JavaScript that, for example, grabs your password before it is ever used for encryption. So for the paranoid, it would be best to run the server yourself. The code has always been open source, so you could host it on your own web server, or even on a Raspberry Pi in your living room. Alternatively, you can use the button below to set up a server on Heroku automatically:

Deploy

A self-hosted server is more trustworthy, but if you deploy it on Heroku you will of course have to trust Heroku. The data would be on their system, and they could serve a compromised version of the JavaScript if they had the motivation to do so. Not that I think that is likely, unless they are compelled to do it. Who knows, in a post-Snowden world. But your notes would be at least as secure as in any other note-taking app.

More Security?

The most secure solution would be to use a desktop application to do the encryption, rather than JavaScript served by the web server. The encrypted notes server has a JSON-RPC back-end, which a desktop or command-line application could make use of. I don't have the motivation to write that, but it would be amazing if somebody wanted to contribute.

Then of course, you have to trust your own computer. If an attacker has installed a key-logger on it, it can record your password, or your notes as you write them. Ultimately, if you are that paranoid, you might just want to keep your notes in your head.

Lukasz Herok

How do you store the notes? In the database, or in files?

Will McGugan

As encrypted text fields in the database...