Will the encrypted note being stored decrypted in vault due to Obsidian caching?

[mrhalf]

Hi team,

I really love this plugin which enables an end-to-end encryption experience. Reading thru the source code, looks like the notes are always encrypted before saving to disk within this plugin's scope. However I noticed you have mentioned that Obsidian caching or coredumping might store plaintext info on disk. I tried to search but failed to get a comprehensive understanding on how Obsidian caching works. Could you please elaborate and provide a bit more details regarding this matter (e.g. under what circumstance that plaintext would be stored on disk / is it stored in vault or some other default path / how can we repo)

Would really apprecaite if you can help me understand this matter better. Thanks in advance for your time reading thru the issue!

Thanks,

[tejado]

Hi @mrhalf Great first issue 💪 and a very good question. I researched a little bit regrding this. As Obsidian is written in Electron, there might be some content cached by it or Chromium. This depends also on the implementation of Obsidian. I was not able to find anything in the cache regarding note content but it doesn't mean that this can't/will not happen or is done on a different level. At least the Electron cache can be cleared from the Web Developer console. Third-party plugins ight have their own cache for various reasons.

Coredumps I guess is obvious: the plaintext notes have to be kept in memory, e.g. when displayed. When the Obisidian or OS will produce a coredump, there is a good chance that it contains plaintext notes. To mitigate this, coredumps can be disabled but this is OS specific.

A third point is the file recovery. I guess I handled this well but it might still contain data in plaintext if a note was not encrypted from the beginning.

Hope this helps a little bit!

[mrhalf]

Hi @tejado,

Thanks for this detailed explaination, that's super helpful!

I was asking about the caching mainly because of my current setup:

1. I use Obsidian cross different platforms (Mac / iOS / Windows)
2. I store the file vault in iCloud for sync purpose with encryptions.

After reading through Electron documents, looks like all the cache file will be stored in a fixed system path separatly from file vaults (e.g. in Mac, it's stored in ~/Library/Application Support/obsidian). Looks to me that the '.obsidian' folder under the file vault wouldn't store any cache nor sensitive informations. My main concern about caching was whether those cached content/core dumps will be stored unencrypted AND got synced to iCloud. I guess this might be safe if my assumption about separated cache/vault storage is true. Could you please help me vet my understanding here?

Also a side question: would you consider to switch to some other open sourced alternative solutions (e.g. logseq) instead of Obsidian for better implementation clarity and transparency (e.g. caching)?

[tejado]

The Obsidian vault should be normally on a different location than the electron runtime profile. So if you didn't overlapp somehow the paths, it should be fine.

I can't give you a suggestion as this really depends on your risks. For me Obsidian with my gpgCrypt plugin is good enough. I just started using Obsidian so and it looks like it doesn't leak any notes per default on a stable system - but I will monitor this.

[mrhalf]

That make sense, thank you so much for clarifying the details! I will close this out as of now and come back if i've got new findings