Sunday, December 2, 2012

Zim with Truecrypt and Dropbox : The Final solution for Secure Personal Notes

Skip the first two paras if you need to go read about the technical part of setting up Zim with Truecrypt and Dropbox.

I realized one day that there is so much we are consuming these days due to overflow of information that our mind fails to filter out what has to be saved in our brains. I'd been learning many things, many ideas used to pop up in my mind but all of it used to vanish into nothingness. I realized that perhaps it was time I started keeping a journal.

I started off with a physical journal: the pen and paper diary. Over time, they got too many in number and not as portable. I then realized that perhaps it was time to use an e-journal. Thus, started a search for the perfect one. I started with usual LibreOffice doc files. For private diary notes, I'd encrypt them (they use Blowfish and now AES, so pretty safe). All this would remain synchronized with Dropbox. Later, I came to know about Evernote. It was good but not for secret notes, b'coz if anybody hacked into Evernote server or my evernote account, it'd be all out. So, my secret notes would still stay in doc files. And then I found Zim. It appeared initially as a very weak solution to my needs. But then, slowly I started loving it. And now I love it so much that I am even ditching Evernote for this pretty thing.

Zim basically is a wiki like notebook software which stores your data in files in a given folder. So, what I did was create a truecrypt container in a Dropbox folder, and mount it somewhere and then create a Zim notebook in that mounted location. So, before starting Zim, I'd everytime mount that Trucrypt container and then start Zim and write my notes. After closing Zim, I'd unmount that container and Dropbox would synchronize it. What was cool was that Dropbox wouldn't synchronize the whole Truecrypt container everytime. Rather only those bits which were changed (Note that you need to have the option "Preserve Modification Timestamp of the Containers" checked yes in the "Truecrypt Preferences"). 

But what sucked was that this process of mounting container everytime and then unmounting it was too cumbersome. So, I wrote a quick bash script for this.

truecrypt ~/Dropbox/zim/container /media/truecrypt5  # mount the container using truecrypt
zim  #start zim after mounting container

PID=($(pidof -x zim))   #extract the PIDs of all Zim processes and save them in an array
while ps -p ${PID[*]}; do sleep 1; done ; truecrypt -d /media/truecrypt5     #keep a watch on whether Zim is runnning or not; as soon as it gets closed, unmount the container

Note that I had configured Zim to use the default Notebook folder as /media/truecrypt5 during the first launch. Change it to whatever you did.

Now, eveytime, I'd just run this script. After running this script, it'd first ask me a password for my container. After entering in the password, it 'd mount the container and open Zim. After editing in Zim and closing it, the script would automatically unmount the container and it'd get synchronize with Dropbox.

How secure is it?
This probably isn't fool-proof but still the best option. The thing is that Dropbox will keep revisions for your container for past 30 days. So, if someone gains access to your Dropbox, they can get the keyfile using these different versions. And they can then crack the password of the container. However, if your password is too long then it'd be tough for them. So, still it's pretty secure if you're having a long password for your container.

Please comment on the security vulnerabilities if you can think of any. I'm only a noob concerning security and encryption. 

 I am writing an updated script. The above mentioned script might fail some time.

#filename: "zimdiary"
#this script using "pgrep" is more robust than the previous one using "pidof"

truecrypt ~/Dropbox/zim/container /media/truecrypt5

zim Diary #given that the notebook's name is "Diary"

PIDzim=($(pgrep -f zim))
PIDzimdiary=($(pgrep -f zimdiary))    

#this gets the PIDs for this script itself (which is named as zimdiary), this is done because PIDzim contains PIDs for both "zim" and "zimdiary"

while ps -p ${PIDzim[*]} && [ ${#PIDzim[*]} != ${#PIDzimdiary[*]} ];
        sleep 1
        PIDzim=($(pgrep -f zim))
        PIDzimdiary=($(pgrep -f zimdiary))

truecrypt -d /media/truecrypt5


  1. Interesting article. This is the same solution I am leaning towards to.
    BTW, what was wrong with Libreoffice approach?

    1. @Alexander: Well, libreoffice was good but I've come to realize that for knowledge management, a wiki is far superior than managing multiple doc files. Over time, my doc files grew more and more in number and it was becoming unmanageable. So, I embraced wiki.

      So essentially it was knowledge management that made me leave libreoffice. Security-wise, both are okay.