TiddlyWiki / TiddlyWiki5

A self-contained JavaScript wiki for the browser, Node.js, AWS Lambda etc.
https://tiddlywiki.com/

Is it possible to encrypt single tiddler? #310

Open calfzhou opened 10 years ago

calfzhou commented 10 years ago

The file-level encryption is wonderful. But it might be a little too heavy to encrypt every tiddler. I wonder if there is any way to encrypt only selected tiddlers?

rsyqvthv commented 10 years ago

yes, love to have this option. :+1:

grayeul commented 10 years ago

I would also like to have this... and have what we had on the classic TiddlyWiki with the encryption plugin, which allows different encryption passwords for different groups of one or more tiddlers.... i.e. each tiddler can optionally be encrypted with a password. If more than one tiddler is using the same password, then all of those are available once that password is entered once.

On 12/27/2013 05:44 AM, 2anyone wrote:

yes, love to have this option. :+1:


pmario commented 10 years ago

@grayeul I'd definitely want to have this behaviour as a plugin.

So imo it would be nice if the core had a "nice API" that allows you to call "encryption / decryption" functions from a plugin. This would make it possible to implement different "workflows".

Jermolene commented 10 years ago

I agree that finer grained control over encryption would be useful. There's nothing to stop people now adjusting the templates used for saving to filter which tiddlers are encrypted.

I did full file encryption first because it avoids a tricky UI problem: in an environment with selective encryption it can be hard for users to remain sufficiently aware of what's going to be encrypted. The consequences of inadvertent disclosure of content are pretty severe for many people, so the safest approach was to focus on encrypting the entire wiki.

If performance is your concern, I'd argue that the encryption/decryption is pretty much guaranteed to be faster than other common operations, like saving your wiki to disc, or transmitting it over a network.

Spangenhelm commented 10 years ago

Would definitely love that option for secured password managing / nsfw links ;) Thanks

danielo515 commented 10 years ago

I wanted this feature for a long time. After that time I invested some of my time in writing a plugin. So, for everyone interested, this has been possible for a while. Just visit http://braintest.tiddlyspot.com/ and search for the encrypt plugin (it is in the main index). I think you will be satisfied.

Regards.

Spangenhelm commented 10 years ago

Hello, I have tried danielo's plugin on his website and it looks promising. Any news on this feature being integrated directly into tw's development?

pmario commented 10 years ago

I personally think that single tiddler encryption should always be a plugin. There are different possible workflows for how to handle single tiddler encryption. So if it is part of the core, we are bound to that one workflow.

Hello, I have tried danielo's plugin on his website and it looks promising,

You wrote, "it looks promising" ... What's missing in your opinion? I think Danielo will be happy to get feedback. ...

Spangenhelm commented 10 years ago

@pmario I understand, and I usually do give feedback, but it doesn't apply in this case. Let's detail it a bit: by writing this I meant that it looked promising in case jermolene wanted to add such a feature to the main version; he could use danielo's plugin instead of creating one himself. Also I did not really pay attention and thought that the plugin was not updated since 5.0.7, so I thought it was obsolete (my mistake, sorry). At last, I said that because I have no clue if his plugin is actually functional (talking about the encryption effectiveness, or any bug that may occur, this kind of thing..). So to me it seems fine, but as I am no developer and haven't tested it in a real situation, that is all I can say. In other words: "nice job danielo. jermolene? could you take a look, tell us if it is fine and if it is maybe append it to tw's core"

@danielo515 You have good ideas! I have just added your site to my bookmarks and will dig deeper into the context plugin (really useful and, when coupled with a replace tool..even better). You also now know my interest in your encryption plugin ;-) +++ Spangenhelm +++

pmario commented 10 years ago

So to me it seems fine, but as I am no developer and haven't tested it in a real situation, that is all I can say. In other words: "nice job danielo.

You don't need to be a developer to test plugins. ... Feedback from "users" is much more valuable, because a dev sees what's really missing. ...

So if he gets no beta testers and feedback, how do you think he should improve the plugin?

I'm using most of my TWc plugins for years, because they work for my workflow. Some are still beta. Some are still experimental, because if I don't get feedback from others, I don't know if there are still bugs. For me they seem to work but this doesn't mean they work in every TW context (combined with other plugins).

So it's a very simple equation: No feedback -> No improvement. No beta testers / users -> No bugfixes.

The plugins are Open Source and free to use but they are not "free" ... Plugin authors invest time, love and a lot of passion into plugins. So I think it is just fair to request a little bit of your time (to test and give proper feedback) in return.

Spangenhelm commented 10 years ago

You don't need to be a developer to test plugins.

Not exactly right: Feature feedback -> ask the user | Code feedback -> ask a developer, so in fact you need both.

And in this case, talking about encryption, no regular user can tell what's inside the code (does the plugin do what it says and nothing else?, is there really no backdoor? are there no weaknesses in the code used? etc.. ) so it needs someone "who knows" how this works in order to give appropriate feedback.

So I think it is just fair to request a little bit of your time (to test and give proper feedback) in return.

As I mentioned in my previous post, in this case, as I haven't tested it, I just can't provide feedback, so I assume you spoke generally.

pmario commented 10 years ago

And in this case, talking about encryption, no regular user can tell what's inside the code (does the plugin do what it says and nothing else?, is there really no backdoor?

You are right. But then we would need a 3rd party that does a code review, with security in mind. ... It would also need a security review with every environment where the SW is running. Our environment is the browser. Different browsers, FF, Chrome, Safari, Opera, .... So this will never happen.

are there no weaknesses in the code used? etc.. ) so it needs someone "who knows" how this works in order to give appropriate feedback.

TiddlyWiki and Danielo's plugin use the Stanford Javascript Crypto Library, which in turn uses the AES algorithm. AES is considered secure at the moment. ...

But the algorithm doesn't matter, if the environment and the common workflow are not secure.

There is an interesting article that discusses javascript security: http://matasano.com/articles/javascript-cryptography/ It's some years old and browsers have improved, but there are still some valid concerns. ...

TiddlyWiki is a highly dynamic software. It's always in flux. TiddlyWiki is designed to be shared via the web. TW is designed to use plugins. ... but ... as soon as you expose this system to the web, imo the TW encryption is doomed. As soon as you load an additional plugin you are doomed. ...

So I think the existing encryption gives the user a false sense of security. Having a look at the Google group posts: our users want to combine the TiddlyWiki wiki functionality with encryption. They want to store passwords. They want to install plugins. They want to use themes. ... This behaviour is against security.

What if I can use encryption only with a file TW and I'm not allowed to use the stuff that makes TW fancy? .... I'd use a software that is designed to keep my passwords safe. I'd use a software that does just that and nothing else. I wouldn't use the browser.

Spangenhelm commented 10 years ago

But then we would need a 3rd party that does a code review, with security in mind.. This is what I meant when I said "..jermolene? could you take a look, tell us if it is fine..."

For my part I have used tw to store my credentials encrypted for a while. I don't use plugins for this one (no need + security issues involved), I don't share it, but I do keep an encrypted copy (of course) synced online. This way I can have access to it, in a secure way (as far as I know, but as you said we never really do) from whatever platform with no restrictions, and basically I trust tw more than any other password management system (even if it is less convenient because of its general purpose vs specialized ones).

Personal question: what do you use to handle your passwords?

ssokolow commented 10 years ago

@Spangenhelm: How do you get around the fact that TiddlyWiki lacks sufficient privileged access to implement some form of auto-fill?

I'd think that using TW as a password store would either encourage weak passwords or be a big hassle when compared to something like KeePass2 which can generate strong passwords for you and auto-type them into anything with distinctive OS-level titlebar text at a single global keybind.

Spangenhelm commented 10 years ago

@ssokolow: hi, in my previous post I admitted that tw was less convenient because it is made for general purpose and not specific credentials handling. Thus, with my tw I don't have any form of auto-fill feature, because to do so, as far as I know, you need to "install" something (no matter if it is a toolbar like lastpass or a software like keepass). Then come the problems:

  1. which software do I choose?
  2. will it work on every platform without restrictions? (usually it won't because it is either not supported (like on linux, blackberry phones or whatever comes in the next years) or you need to pay extra money for it (like in lastpass for the mobile app))
  3. will it be supported for a long time (even keepass or foss software)?
  4. about question 3: what happens if the development stops? You will need to start a new quest to find its replacement and go back to the first question!

I'd think that using TW as a password store would either encourage weak passwords...

In tw it is possible to add a plugin to generate strong passwords (so far I use the one from the lastpass site), or we can use so many of them available (on and offline), so to me having weak passwords nowadays is the user's responsibility and there are no more excuses for it. (but once again, until it is available directly within tw it is not convenient, I agree)

To be clear, I am not "against" any password manager (and I have tried a lot), but in every case I was going through the same questions and I felt "stuck" within one system, but with tw I feel more free because it is platform free in a universal format (so far) without the need of installing anything (except for use on mobile maybe? I haven't tried yet.)

Last but not least, you can actually store data the way you like it because you can modify not only the data but the software itself that handles them, as they are mixed together in one single file! Can you easily do the same with another system?

Thank you for reading it all, +++ Spangenhelm +++

pmario commented 10 years ago

@Spangenhelm

Personal question: what do you use to handle your passwords?

I'm using keepass http://keepass.info/ It works well with Windows and several Linux distros. The store is compatible between OSes.

sukima commented 10 years ago

Personally (unsolicited opinion) I use https://lastpass.com/ And this podcast episode has all the reasons why (again, for me).

Spangenhelm commented 10 years ago

@sukima No problem, I'm sure I can speak for others by saying that we are glad when people participate! Sorry for the podcast, but tl;dr: could you do us a little resume, based on my 4 questions above, of what your point of view is for lastpass?

oparoz commented 10 years ago

I'm glad @danielo515 has created a plugin, but I still think something like this should be integrated in core for people using the server version of TiddlyWiki. It's currently not possible to encrypt those.