The Evernote Blog

Evernote Privacy and Security

Our Notes | By Dave Engberg

Security and privacy are extremely important topics for Evernote users, and for good reason. Evernote would like to provide a single service to manage your memories for many years. To achieve this, we must provide a very high level of system and data security while offering users a variety of choices to manage their own privacy requirements. Here is a high-level overview of some of the ways in which your data is protected by Evernote.

When you add a note to the service, it is secured like your email would be at a high-end email provider. This means that your notes are stored in a private, locked cage at a guarded data center that can only be accessed by a small number of Evernote operations personnel. Administrative maintenance on these servers can only be performed through secure, encrypted communications by the same set of people. All network access to these servers is similarly protected by a set of firewalls and hardened servers. Your data is only transmitted to the servers in encrypted form over SSL, and your passwords are not directly stored on any of our systems.

We also offer enhanced privacy options that would not be available from services like email:

If you have sensitive text that you would like to remember (passwords, PINs, credit card numbers), you can encrypt that text in our Windows and Mac clients using a passphrase that is never transmitted to Evernote. This encrypted text can only be decrypted and read on one of your computers after you’ve re-entered the encryption passphrase. The sensitive text is not readable on our servers or on your computer by anyone who does not know the passphrase.

If you have some notes that you only want to access from a single computer, you can place these into a “Local Notebook” on our Windows or Mac client. Notes in a Local Notebook are never transmitted to our service, so they aren’t accessible from the web, or from your other computers. This may allow a greater level of privacy for some notes, at the expense of the accessibility and reliability you would get from a private note on the service.

Evernote recognizes that user choice is an important component of privacy and security. We believe that no single option is going to meet the needs of all users, so we aim to offer a set of tools that let people balance their needs for accessibility, privacy and control.

Update: How to encrypt and decrypt text in Evernote

  • http://www.jeffpickell.com Jeff

    Dave Engberg~

    So I’ve put my money where my mouth is and have been using Evernote extensively over the last couple of months. (I’ve become a true convert of tagging vs sub-directories for organizing and visualizing my data)

    The more I use Evernote, the more uses I find for it, though I still refuse to put sensitive information there – yes I realize I can encrypt bits of a note, but I find that to be way too cumbersome when I have literally a hundred or more notes that I would prefer were encrypted in their entirety. I still maintain that it would become my one true information store if only the back-end were encrypted.

    In your response above you stated:
    “Unfortunately, if we only stored an opaque encrypted backup of your database file on our server, we couldn’t provide most of the features that our users love.”

    How about giving me a choice of all the nifty tools/interfaces/methods OR a secure back-end? That would seem to satisfy almost everyone (of course once you did this, then we’d be clamoring for all the bells and whistles PLUS the back-end encryption!)

    If you were to implement a public encryption algorithm such as blowfish (www.schneier.com/blowfish.html) then it could be used on the client to encrypt entire notebooks, and also on the web interface (perhaps via javascript – it’s been done before) then the web interface could still be useful.

    I would gladly sacrifice those bells and whistles for the sake of strong (pgp/gpg, et al) encryption on the back-end.

    I use Evernote on my Macs, my Windows machines as well as my iPhone; I think it is a great tool that is getting better all the time (Hello, Evernote for iPhone version 3??? Great upgrade there, thanks!) so for me (and I expect that many Evernote users as well) I don’t need all those extra methods for getting info into Evernote; with all the versions I just install it everywhere. What I really want more than anything is security in the cloud.

    Please re-consider strong encryption for our data on your servers.

  • Dave Engberg

    When I said that “we couldn’t provide most of the features” if we just stored a completely encrypted blob of data for each user, I was actually putting it mildly. To really achieve what you suggest, we wouldn’t even be able to implement incremental synchronization of your account, since this requires visibility at a level of granularity which would give away too much information about the contents of your notes.

    There’s always a trade-off between security and functionality, and truly complete encryption of your account (so we can’t see any of the metadata or structure of your notes) just loses far too much of the functionality that you like. At that point, it’s not really “Evernote” any more.

    There are a few options for people who don’t want the functionality of Evernote, but just want an encrypted backup of files on their computer. You can, of course, just make notes in Local notebooks and then back up your hard drive with something like Iron Mountain’s encrypted backup service. (There are others, but I’m familiar with this one from a past job.)

  • Greg

    I’d like to add a bit to Jeff’s comments above, taking into account what Dave has said with regards to the architecture. While not a developer, per se, I can certainly appreciate what Dave’s saying with regards to the sync and other functionality being dependent on the byte-level visibility of the contents. I can also appreciate my colleague Jeff’s points about data security being important.

    I would add that from my perspective (and possibly this goes for most of the folks that have spoken up for encryption), I find quite a bit of value in all of the ways that Evernote is accessible for most of my note data. I do find that there are some types of data (passwords, contacts, and maybe a couple others) that I would gladly forego having all of the features that rely on an un-encrypted back-end; if that meant I could store all the data in the Evernote Application.

    Dave has hinted that we can use local notebooks, and indeed, I’ve experimented with that. However, it appears at this moment that it’s an “all-or-nothing” solution: In order to manually sync or backup the local notebooks, I have to essentially bypass the synchronization built in to Evernote and manually copy the .exb file everywhere I want it. One of the only things I have a slight issue with, architecturally, is that while Evernote allows me to choose to have notebooks that are synchronized or not, it keeps them all IN THE SAME FILE. That is one feature that I feel is better handled in Microsoft OneNote. (My apologies: that is the first time I’ve publicly said anything positive about Microsoft, and I promise it won’t soon happen again!). But all comedy aside, with OneNote, each notebook is a separate file. If we implemented this concept in Evernote (even just separating the “Synchronized notebooks” from the “Local notebooks” into two distinct files), then we could easily have a service where we could choose between Encrypted/Local and Un-Encrypted/Synchronized and be able to have the best of both worlds. In fact, this could be an ideal “premium” feature: The Encrypted notebooks could be replicated (in their entirety) via the service for an additional fee, which I think most of us would gladly pay.

    One other security related feature request: At least allow us to “lock” the client with a password. This wouldn’t probably be all that traumatic to implement, and I’m not suggesting that we have to be able to login to the server in order to open the application, more like a local login using a cached hash of our online password. This would keep casual “prying eyes” from opening our local Evernote files yet still allow disconnected use.

    All things considered, I still think Evernote is an extremely useful and well thought out service/application. I’m just suggesting that adding some of this type of functionality would broaden its install base.

  • Dave Engberg

    If you’re concerned about someone accessing your personal PC, I’d recommend using the screen lock feature in the OS and a file system encryption solution like TrueCrypt. This is a much more comprehensive solution to protecting your private data on your own computer than separate screen lock and file encryption in every application you use (word processor, mail client, note taking software, etc.)

  • Michael Fischer

    Dave says:

    “To really achieve what you suggest, we wouldn’t even be able to implement incremental synchronization of your account, since this requires visibility at a level of granularity which would give away too much information about the contents of your notes.”

    Not so. If the data is structured as an append-only log, synchronization becomes trivial, even if stored as an opaque blob.

  • Kurt

    Is it really encrypting the data? I don’t see the point of all this based on what I have discovered (I’m no security expert, but still this is enough to make me feel insecure)

    I did the following:
    1. Wrote a simple note with 2 checkboxes, with the text “FirstBox” and “SecondBox”.
    2. Opened the database with Notepad++, and looked for these 2 strings. Interestingly enough, these texts were all over the place.
    3. Encrypted the text “FirstBox”
    4. Opened the database again with Notepad++. I can see the “html” portion of the database shows the text is encrypted:

    Pha2/hePKsU=

    However, the string “FirstBox” is still searchable elsewhere in the database.

    What is the point of encrypting the GUI side of it, when the database side of it is not encrypted? (Granted, the string’s location seems random, but still, it is in plain text. If it were to be a social security number, an intruder can recognize it easily.)

    I guess the best way is to use it in USB mode, and put it inside a TrueCrypt container.

    It would be nice if the database itself is encrypted — prevents things like “intruder copying the database file and enjoying the data at home”.

    All in all, an interesting program. If it is more secure than this, I will go for the premium and use it extensively.
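
The check Kurt describes in the comment above, as an added example that is not part of the original post or its comments: a Python scan of a local file for leftover copies of a string in UTF-8 and UTF-16, both as typed and lower-cased. The sample file contents, the `find_plaintext` and `scan_sample` names and the lower-case index entry are constructed for illustration and do not reflect Evernote's actual database format.

```python
import os
import tempfile

ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

def _patterns(needle):
    """Byte patterns to look for: each encoding, as typed and lower-cased."""
    pats = {}
    for enc in ENCODINGS:
        pats.setdefault(needle.encode(enc), enc)
        pats.setdefault(needle.lower().encode(enc), enc + "/lowercase")
    return pats

def find_plaintext(path, needle, chunk_size=1 << 20):
    """Return sorted (offset, label) pairs where needle survives in the file."""
    pats = _patterns(needle)
    overlap = max(len(p) for p in pats) - 1
    hits, buf, base = set(), b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf += chunk
            for pat, label in pats.items():
                idx = buf.find(pat)
                while idx != -1:
                    hits.add((base + idx, label))
                    idx = buf.find(pat, idx + 1)
            # Keep a tail so a match split across two reads is still found.
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)

# Constructed sample file contents (not a real Evernote database): an
# encrypted field, a UTF-16 copy of the text, and a lower-cased index entry.
SAMPLE = (
    b"HDR\x01body=CIPHERTEXT-PLACEHOLDER\n"
    + b"\xff\xfe" + "FirstBox".encode("utf-16-le") + b"\x01\x02"
    + b"idx=firstbox\n"
    + b"SecondBox"
)

def scan_sample(needle, chunk_size=1 << 20):
    """Write SAMPLE to a temporary file, scan it, and clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE)
        return find_plaintext(path, needle, chunk_size)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for offset, label in scan_sample("FirstBox"):
        print(f"plaintext copy at byte {offset} ({label})")
```

Any hit after a field has been encrypted means some other structure in the file still holds the plaintext, which is the situation the comment reports.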
