DanielDe / org-web

org-mode on the web, built with React, optimized for mobile, synced with Dropbox and Google Drive
https://org-web.org
The Unlicense

Xsalsa20 with poly1305 #132

Open Jirido opened 2 years ago

Jirido commented 2 years ago

Hi. Ahh so happy to find your program.. I do use Google Drive for storing my org-files but I do in principle always mount the g-drive with rclone and then I mount an encryption layer (https://rclone.org/crypt/) over that, as I am a fairly political figure who isn't overly trusting. This encryption is XSalsa20 with Poly1305 done with https://godoc.org/golang.org/x/crypto/nacl/secretbox

I would love to use your app all of the time as I love org-mode but I am just not comfortable with Google having plain-text access to my files. I'm no te**orist or such but just cautious and a secretive person. The world looks more and more mad by the day to me.

How would you think about implementing a decryption/encryption layer? The key could be stored locally or in a good open source password manager like KeePassXC that has good integration features.. I have a folder that contains the encrypted files (also names of files and folders) so maybe it could be good with a setting for what folder and if only the content or also filenames or even folder names are encrypted.

This seems to be some library for secret box: https://github.com/little-core-labs/secretbox-encoding

Just a suggestion. I wish I had programming skills and could just offer a pull request.. But sadly texts are my thing.

Anyhow. Lovely app you have there. It will go a long way for sure!

DanielDe commented 2 years ago

Hey @Jirido, I think supporting encryption/decryption in org-web is a great idea, but unfortunately it's not something I have the bandwidth to work on myself at the moment. Hopefully that changes one day, or someone else comes along to implement this themselves!

Jirido commented 2 years ago

Right. If I find some solution that seems to fit, I will tell. Here is some dude that may be a candidate co-coder.. Or is it a gang? https://github.com/little-core-labs/secretbox-encoding/issues/3
I'm also hunting another solution to hotlink encrypted files from Google or elsewhere and get them decrypted in the client browser by JS.

Jirido commented 2 years ago

Hi @DanielDe, here seem to be some easily implementable and maybe suitable web solutions I'm looking into for my web project: https://tweetnacl.js.org/#/secretbox https://github.com/dchest/tweetnacl-js#secret-key-authenticated-encryption-secretbox https://stackoverflow.com/questions/18279141/javascript-string-encryption-and-decryption You would need some key vault under the account login key though.

Another idea would be to have a hot-link generator for the g-drive files in the present folder (in encrypted or un-encrypted state and, in case of encrypted files, with their plain names being added as the link text) that drops the list into an org file like index.org or something: https://drive.google.com/file/d/1XTdx-8Iu_pt6Su0n7FqzCNb1BnVVrn37/view?usp=sharing (provided by Google) vs https://drive.google.com/uc?id=1XTdx-8Iu_pt6Su0n7FqzCNb1BnVVrn37 (hot linkable). Probably also doable by .json call and some parsing.

Also sweet would be some internal rendering of, or a link to, a decrypt .js that is easy to use on a home site against a class applied on the links. Maybe a div or CSS class like .SecretBox

The "share with the world" flag, in g-drive use, would need to be settable from your app by the .json API I guess

The same tweetnacl-js could also encrypt files in the account, and your app could generate a password file suitable for use by both the site decryption JS and rclone's crypt mount scheme.

A file upload function from the local drive or a URI would also fit right in.

Likewise an org-file to HTML rendering library/function would. https://github.com/orgapp/orgajs is a flexible org-mode parser in JS.

All this would make your app a hit for a big grassroots (more or less political) community who like or need (homeless or living on the road or sea, like me) to work from their phone/tablet (5V USB charging) with text and publish their writings and pictures on free shared servers (with little space and traffic limitations). But still people are not comfortable with an eventual scan of their material by corporations that have their encryption keys. Closed source.

Maybe I just rant here but it would somehow close the circle and kind of add so much feeling of security from automatic scans in these times of ever increasing political madness and lack of corporate and governmental oversight.

When you have experienced an obvious unfairness and been put out in the rain by some screwed narratives from self-indulging institutions, the first thing that evaporates is trust. Trust of true goodwill. It of course is paranoia 99.9% of the time but that paranoia is very subjectively real and does stifle creativity in the very lack of access to digital storage resources that feel secure from giving your eventual opponent in a political conflict the unfair advantage of being able to scan your material for dissent and know beforehand the arguments, intellectual and legal constructions and thought processes that truly are meant to be presented at the moment of discourse or eventual publication.

As an economically poor person searching for freedom rather than success, or as a person who is a searcher for something new, like a less wasteful lifestyle, one is often referred to hack something together from the freely available systems. One might lack a credit card, address, money etc. But still carry a valid human viewpoint one thinks should be considered in the formation of the "system", or be able to sediment as a contribution to the vast repository of stories of life that form our collective understanding of life and the human condition.

So in essence it is the diversity of expressions of the diverse experience of life I refer to as being the protection object of my vision of your program. Lol.

It is a quite heavy load I put on your young shoulders I guess.. And sure I could fork org-web and try to engage some script kids and old Emacs wizards and so on, but I would rather see these functions grow here as it is your app and it is you who have put all the effort into making what I can recognize is a real good product.

If I can help in some way, maybe by hunting talent or with discussing ideas or debugging from my old devices.. just tell me. I'm not shy.

This is my home Tiinuska https://imgur.com/a/xuReX4u Best of all to you for your efforts. Ivano your hunter from the north..
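The XSalsa20-Poly1305 "secretbox" that both rclone's crypt backend (via nacl/secretbox) and tweetnacl-js build on, as an added pure-Python reference that is not org-web's code nor taken from any of the projects linked in this thread: HSalsa20 derives a subkey from the key and the first 16 nonce bytes, the Salsa20 keystream encrypts, and Poly1305 authenticates, in the tag-then-ciphertext layout tweetnacl-js and Go's secretbox share, so a box sealed by one can be opened by the other. The key, nonce and messages in the checks below are constructed values; a real deployment uses a vetted library and a fresh random 24-byte nonce for every message.

```python
import struct, hmac  # standard library only
MASK32 = 0xffffffff
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 "sigma" constants
_rotl = lambda v, c: ((v << c) | (v >> (32 - c))) & MASK32
def _salsa_core(state):
    # 20 Salsa20 rounds over a 16-word state: 10 x (column round, then row round)
    x = list(state)
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
            x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
            x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
            x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)
    return x

def _state(key32, input16):  # sigma/key/nonce layout of the Salsa20 input matrix
    k, n = struct.unpack("<8I", key32), struct.unpack("<4I", input16)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]
def hsalsa20(key32, nonce16):
    # XSalsa20 subkey: core output words 0,5,10,15,6,7,8,9 without the feed-forward add
    z = _salsa_core(_state(key32, nonce16))
    return struct.pack("<8I", *(z[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))

def _xsalsa20(key32, nonce24, length):
    # Salsa20 keystream under the subkey; 8-byte nonce tail + 64-bit LE block counter
    sub, out = hsalsa20(key32, nonce24[:16]), []
    for ctr in range((length + 63) // 64):
        s = _state(sub, nonce24[16:] + struct.pack("<Q", ctr))
        out.append(struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(_salsa_core(s), s))))
    return b"".join(out)[:length]

def _poly1305(key32, msg):
    r = int.from_bytes(key32[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp r
    s, p, acc = int.from_bytes(key32[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):  # each (possibly short) block gets a 0x01 byte appended
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def secretbox(key32, nonce24, msg):
    # First 32 keystream bytes are the one-time Poly1305 key; output is tag || ciphertext
    stream = _xsalsa20(key32, nonce24, 32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream[32:]))
    return _poly1305(stream[:32], ct) + ct

def secretbox_open(key32, nonce24, boxed):
    # Check the tag in constant time before decrypting; None means tampered or wrong key
    tag, ct = boxed[:16], boxed[16:]
    stream = _xsalsa20(key32, nonce24, 32 + len(ct))
    if not hmac.compare_digest(tag, _poly1305(stream[:32], ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, stream[32:]))
```

A rejected box (None) should be treated as an error and never partially displayed; that is the whole point of the authenticator over a plain stream cipher.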