Evernote. A More Secure Alternative?

Evernote claim that no note data was accessed, but that user information was. Regardless of whether the data could be read, and whether the intent was nefarious, clearly if user information can be accessed then so can everything. That Evernote, in common with DSC and every other decent development company, store their users' passwords using a form of one-way encryption isn't that relevant. It does mean a hacker who gets hold of that Evernote user data can't use it to sign in to your Evernote account, but if they can access that information in the first place then the user credentials hardly matter. We don't plan to stop using Evernote at the moment, but it gives us renewed reason to contemplate what we've wondered all along - is there a more secure alternative to Evernote?

The short answer is, no. The more correct answer is, yes, but not with the same level of convenience.

Information stored in Evernote is not encrypted (unless you explicitly choose to encrypt an individual block of text). Before this weekend, you needed a password to access it, but once you had access, the information was unencumbered by any additional security. A more secure alternative would store this information in an encrypted form, with a decryption key known to nobody other than the owner of the data, not even Evernote. And therein lies the problem. If the Evernote system can't access the data, it can't index it, and if it can't index it, it can't search it, and if you can't search Evernote it's close to useless.

How about keeping an unencrypted copy locally on your computer, which could be indexed and searched? That would work, provided you're comfortable with the level of security on your own computer. But you wouldn't be able to use Evernote's web client, nor, perhaps more importantly, their mobile device clients to search your data. It might be feasible to have a non-encrypted index on your phone, if your Evernote database isn't too big. It's all moot though, because they don't offer that option.

Encryption would also stop Evernote performing Optical Character Recognition on your scanned images; an otherwise incredibly useful Evernote feature. Various other less important features, like note sharing, etc. would also be lost, or would have to step outside the encrypted realm.

A commonly suggested alternative to Evernote is to encrypt data locally (on a Mac using an encrypted sparse disk image or using TrueCrypt) and then store that encrypted data on cloud-based storage like Dropbox. It would work. But it's massively less convenient than Evernote and is wholly impractical on mobile devices. It wouldn't do OCR on your scanned documents, and it wouldn't allow searching or a myriad of other things that people like about Evernote. Anybody who suggests it as an alternative hasn't really used Evernote before.

There is a nice Open Source application for the Mac called Notational Velocity which works well for taking text notes. These can be stored in encrypted form. For syncing it's back to unencrypted via a third party, or using an encrypted disk image on Dropbox again. It can work quite well for simple formatted documents, but there is no chance of PDFs, let alone OCR to make them searchable. And there is no solution for mobile devices.

iCloud from Apple works well if you're an Apple user from desktop to mobile device. iCloud does store all data on its server in an encrypted form and relies on the (unencrypted) Spotlight database on your local computer for searching. There is some debate about whether Apple hold a master key which can decrypt your data though. The trouble with the iCloud solution is that you're using separate applications for different types of media - Pages or iA Writer or similar for text-based documents, Preview for storing PDFs and GoodReader for viewing them on the device, Notes for short notes, Reminders for todo lists and so on. OCR on scanned images would need external software. And if you use something other than Apple devices, such as an Android tablet, you're left with only email and calendar, because Apple won't even allow web access from a non-Apple browser.

There is nothing stopping someone building something similar to Evernote which does use encryption, with an unencrypted index for local searching or even better an index that is encrypted but unlocked locally. That way the user could choose their own compromise between security and convenience. We are confident that someone will do this very soon. It might even be Evernote themselves.
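The design sketched above, as an added example (not from the original post and not Evernote's code): notes are encrypted on the client, and the search index is stored encrypted too, only unlocked locally with the passphrase. The function names, the scrypt and AES-256-GCM choices, and the sample notes are assumptions made for illustration.

```javascript
// Added illustration, not Evernote's code. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key from the passphrase; the salt is stored, not secret.
const deriveKey = (passphrase, salt) => nodeCrypto.scryptSync(passphrase, salt, 32);

// AES-256-GCM. Blob layout: iv (12 bytes) | auth tag (16 bytes) | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was tampered with.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Client: index the plaintext (word -> note ids), then encrypt notes AND index.
function buildVault(passphrase, notes) {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey(passphrase, salt);
  const index = Object.create(null);
  const blobs = {};
  for (const [id, text] of Object.entries(notes)) {
    for (const w of new Set(text.toLowerCase().match(/[a-z0-9]+/g) || [])) {
      (index[w] = index[w] || []).push(id);
    }
    blobs[id] = seal(key, text);
  }
  // Everything returned here is what the sync service would hold.
  return { salt, blobs, index: seal(key, JSON.stringify(index)) };
}

// Client: unlock the index locally, look the word up, decrypt only the hits.
function search(passphrase, vault, word) {
  const key = deriveKey(passphrase, vault.salt);
  const index = JSON.parse(unseal(key, vault.index));
  const w = word.toLowerCase();
  const ids = Object.hasOwn(index, w) ? index[w] : [];
  return ids.map((id) => unseal(key, vault.blobs[id]));
}

// Constructed sample notes.
const demo = buildVault('correct horse battery', { n1: 'Boiler service invoice', n2: 'Packing list' });
console.log(search('correct horse battery', demo, 'invoice'));
```

The service only ever holds `salt`, `blobs` and the sealed index, so server-side search and OCR stay impossible; that is the convenience cost the post describes.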

But for now what's the solution? For us, it's to keep using Evernote for information that has little value to anybody else. It's a compromise between security and functionality, but everything is. Use 1Password for recording passwords and other sensitive snippets, and use encrypted disk images for storing larger data items which are too sensitive for Evernote.

How about using Google Drive and Keep?