federicoiosue / Omni-Notes

Open source note-taking application for Android
https://omninotes.app
GNU General Public License v3.0

Backup: "include settings and password" - what does that mean? #823

Closed tdbe closed 3 years ago

tdbe commented 3 years ago

Asking about the password part. Does it include your password in the backup? Which one? The one you lock some of your notes within omni notes with? Why does it need to include it - it's not like I can see it later, no? It's included but encrypted?

Most importantly, if I back up without "include settings and password", will I be able to restore ALL my notes later/on another device, provided I know my password?

I just don't want my omni notes backups to be hackable and potentially leak my password.

federicoiosue commented 3 years ago

Hi there,

The password must be included in backups because when a note is "locked" it'll be DES encrypted (a task to update the security algorithm is here) and you would not be able to restore it after a backup-restore process without performing a password check with the original password.

Both the password and the security answer are stored as non-reversible hashes in the settings file.

> Most importantly, if I back up without "include settings and password", will I be able to restore ALL my notes later/on another device, provided I know my password?

This is quite interesting: without keeping the settings, notes could not be restored. So I'm thinking, could there be a reason for not wanting to include settings in backups? I think not, so the option to include them or not could be removed. Any thoughts?

tdbe commented 3 years ago

Ah, thanks! Well for my case, this cleared it up and solved my problem: always check the box, got it. I guess when/if you change the encryption method you can revisit the backup methodology.

> This is quite interesting: without keeping the settings notes could not be restored.

You mean NONE of the notes could be restored if you don't keep the settings? Interesting. My 2 cents is: What my instinct would be (with other apps) would be to use a backup program such as Titanium Backup to back up the apk + data (being sure that includes the settings), and then always also export the (notes) data from the app itself to back that up too. This works for K-9 Mail for example, and then it just asks for the POP/IMAP password after restore. (but in OmniNotes' case, and considering the wording of the "include settings and password" message, I would have not ticked that checkbox - because who wants to "include their password" in their backup folder)

I believe you should leave the checkbox on and also hide it for now, unless there is a need for a technical user to NOT have that box checked. Maybe just have some details info on that screen and the option to not check it only if you know what you're doing.

federicoiosue commented 3 years ago

I perfectly agree with you, I suppose the original reason for that behavior was to leave to the user the decision about eventually clearing up the app settings but keep the notes' data.

I can't see any reason to leave a possibly dangerous choice there, so I've removed that.