
#1 2022-07-25 16:33:18

IrreleventIdiot
Member
From: SC
Registered: 2017-01-28
Posts: 35

[Guide][Obsidian.md] My Cloud-Based Encryption Solution

This guide was made for https://obsidian.md, the following was posted for the Obsidian forums. But since this uses gocryptfs, it can be used for general purpose encryption, and need not be confined to Obsidian alone.

---

Hello. I've been strenuously trying to figure out a way to encrypt my notes, so that I can feel free to write down more sensitive information (e.g. password hints) if I want--not to mention preventing any cloud provider (in my case OneDrive) from potentially snooping on my stuff.

I hope this post helps out others wanting a convenient method of encrypting their stuff.

First off, I want to give props to this article for seeding the initial idea: https://aviaryan.com/blog/obsidian-encryption

It's great and all, however there was a drawback to that solution for me personally: It's not automated; you have to manually enter in the command and password every single time. What if I just want to click on Obsidian and have everything ready?

My scenario also includes the fact that my PC uses Windows, whereas my laptop uses Linux (I use Arch btw ;))

---

For the Windows setup, it was easy. When you visit the gocryptfs github page, it contains a link to cppcryptfs, which is the Windows Edition of gocryptfs, and is interoperable. It comes with a simple to use GUI.

It also comes with secure password saving, and automounting options.
- You'll probably want to add the cppcryptfs application to your autostart list, so that you don't have to manually launch the application to then have it automount.

---

For Linux however, I had to get creative, since there wasn't an easy pre-made solution.
> I MAKE USE OF GNOME-KEYRING, THERE ARE OTHER SOLUTIONS FOR STORING PASSWORDS, BUT I'M A GNOME USER SO I CHOSE THIS.

- This solution makes use of onedriver, and assumes it is already fully configured.
- This solution should walk you through step by step, but assumes you have knowledge in working with Linux, and can substitute strings and file paths comfortably while reading. Please let me know if I didn't make something clear enough.

## Retrieving Passwords from Gnome Keyring
We first need to store a password in a secure location (which is unlocked for use on user login), and retrieve it for use with gocryptfs. In my case, I have GNOME Keyring.

**Steps**
1. `secret-tool store --label="Label" password gocryptfs_vault_name`
    - It will prompt you for the password.
    - "password" is the name of the attribute you want to store, it's completely arbitrary.
    - "gocryptfs_vault_name" is the lookup key. It is also an arbitrary name (should be unique) to allow you to pull the secret password back out.
2. We'll input this command into the next section. You can run it right away if you want, but it isn't strictly necessary:
`gocryptfs --extpass "secret-tool lookup password gocryptfs_vault_name" crypt mountpoint`

## Systemd Automount from OneDrive
We'll then automount and unlock our gocryptfs vault from Onedrive, upon user login, using systemd's user unit files.

Because I'm using a network mounted location, `/bin/sleep` is used to delay the start of the process to allow for proper mounting of the location to decrypt. There may be a better solution...please let me know if there is a "cleaner" solution to this.

**Steps**
1. Ensure your password is already stored, as per the last section.
2. Create a user unit file: (in `~/.config/systemd/user/`) (any name you want...)
    - Description can be anything you want.
    - Note well that when using relative paths in user unit files, it's relative to your home directory `~`. If you're uncomfortable you can use absolute paths.

```systemd
[Unit]
Description=Auto-Mount Encrypted Vault from OneDrive
Requires=onedriver@home-sync-location.service
After=onedriver@home-sync-location.service

[Service]
Type=forking
ExecStartPre=/bin/sleep 10
ExecStart=gocryptfs --extpass="secret-tool lookup password gocryptfs_vault_name" path/to/cloud/vault path/to/unlocked/vault

[Install]
WantedBy=default.target
```

3. Enable: `systemctl --user enable service_name.service`

You can also optionally `systemctl --user start service_name.service`, unless you already ran the `gocryptfs` command listed earlier in isolation.

That's it. With this, you'll have an automatically mounted, encrypted-at-rest solution in the cloud. When you mount it, you can mount it locally, so the cloud never sees anything but the encrypted form.

Again, hope this helps someone. Do please leave feedback if there's anything I did wrong or can improve upon. I did ensure to test this solution and use it for myself before I made this write-up.


Yes, I know I spelt "Irrelevant" wrong.

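As an added example that is not part of the original post: the unit above relies on a fixed `/bin/sleep 10` to wait for the onedriver mount, and `gocryptfs` will hang on a password prompt if the keyring is locked or the key is missing. The wrapper script below, written for this edit, is meant to be called from the unit's `ExecStart` instead of `gocryptfs` directly. It polls for the onedriver mountpoint with a timeout, verifies that `secret-tool` actually returns a non-empty secret before touching the vault, and then runs `gocryptfs -fg` so the unit can use `Type=simple` rather than `Type=forking`. The `install` subcommand renders and enables the unit. The paths (`ONEDRIVE_MOUNT`, `CLOUD_VAULT`, `PLAIN_VAULT`), the unit name `vault-mount.service`, the script name, and the timeout are assumptions; the onedriver unit name and lookup key are the ones from the guide.

```shell
#!/bin/sh
# Added example (not from the original post): ExecStart wrapper for the
# gocryptfs user unit. All paths below are assumed; adjust to your setup.

ONEDRIVE_MOUNT="${ONEDRIVE_MOUNT:-$HOME/OneDrive}"     # assumed onedriver mountpoint
CLOUD_VAULT="${CLOUD_VAULT:-$HOME/OneDrive/vault}"     # assumed ciphertext directory
PLAIN_VAULT="${PLAIN_VAULT:-$HOME/vault}"              # assumed plaintext mountpoint
ONEDRIVER_UNIT="onedriver@home-sync-location.service"  # from the guide
LOOKUP_KEY="${LOOKUP_KEY:-gocryptfs_vault_name}"       # from the guide
TIMEOUT="${TIMEOUT:-60}"                               # assumed wait in seconds
UNIT_NAME="vault-mount.service"                        # assumed unit name

# Whether a directory is currently a mountpoint (wrapped so it can be swapped).
is_mounted() { mountpoint -q "$1"; }

# Keyring lookup, matching the guide's `secret-tool store ... password <key>`.
keyring_lookup() { secret-tool lookup password "$1" 2>/dev/null; }

# Poll is_mounted once a second until success or $2 seconds have elapsed.
# Returns 0 when the directory is mounted, 1 on timeout.
wait_for_mount() {
  dir=$1; limit=${2:-60}; waited=0
  while ! is_mounted "$dir"; do
    [ "$waited" -ge "$limit" ] && return 1
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Print the secret for key $1; fail if the keyring is locked or returns nothing,
# so the service fails loudly instead of gocryptfs waiting on a prompt.
fetch_secret() {
  secret=$(keyring_lookup "$1") || return 1
  [ -n "$secret" ] || return 1
  printf '%s' "$secret"
}

# Render the user unit. Type=simple with gocryptfs -fg keeps gocryptfs in the
# foreground so systemd tracks it directly; ExecStop unmounts cleanly.
render_unit() {
  wrapper=$1; onedriver_unit=$2
  cat <<EOF
[Unit]
Description=Auto-Mount Encrypted Vault from OneDrive
Requires=$onedriver_unit
After=$onedriver_unit

[Service]
Type=simple
ExecStart=$wrapper mount
ExecStop=fusermount -u $PLAIN_VAULT

[Install]
WantedBy=default.target
EOF
}

case "${1:-}" in
  mount)
    wait_for_mount "$ONEDRIVE_MOUNT" "$TIMEOUT" \
      || { echo "$ONEDRIVE_MOUNT not mounted after ${TIMEOUT}s" >&2; exit 1; }
    fetch_secret "$LOOKUP_KEY" >/dev/null \
      || { echo "no secret in keyring for $LOOKUP_KEY" >&2; exit 1; }
    exec gocryptfs -fg --extpass="secret-tool lookup password $LOOKUP_KEY" \
      "$CLOUD_VAULT" "$PLAIN_VAULT"
    ;;
  install)
    mkdir -p "$HOME/.config/systemd/user"
    render_unit "$(readlink -f "$0")" "$ONEDRIVER_UNIT" \
      > "$HOME/.config/systemd/user/$UNIT_NAME"
    systemctl --user daemon-reload
    systemctl --user enable "$UNIT_NAME"
    ;;
esac
```

Usage: save it somewhere on your PATH (for example `~/.local/bin/vault-mount`), make it executable, store the password with `secret-tool` as in the guide, then run `vault-mount install`; from then on the unit runs `vault-mount mount` at login. Because the script exits non-zero when the keyring yields nothing, `systemctl --user status vault-mount.service` tells you whether the problem is the cloud mount or the stored secret, instead of a unit that silently sits on a prompt.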

#2 2022-07-25 16:38:45

IrreleventIdiot
Member
From: SC
Registered: 2017-01-28
Posts: 35

Re: [Guide][Obsidian.md] My Cloud-Based Encryption Solution

Forgot to post one drawback: so far as I know, if you're a non-rooted android user, or an iOS/iPadOS user, there is no way to access or decrypt the vault from those devices.



