True Offline Mode or Encrypted Data

Hi,

I work at a company that doesn’t allow confidential data to be stored in the cloud. However, the company does not offer anything for notetaking that is as compatible with my brain as Dynalist is.

I already voted for [Pro]True Offline Mode, but I wanted to make an alternate suggestion, just in case it might be easier to implement.

I’m not sure how your synchronization works, but would it be possible to have a mode where all of the actual text is symmetrically encrypted locally by the browser, but the synchronization mechanisms and data storage are otherwise unaffected? The UI required would be an option to create an encrypted file, plus entering a local password to unlock it. In my case, since I’m using a company computer to edit the data, it would be fine to store that local password locally so that I don’t have to re-enter it each time.

If that were possible, I think it would be OK for me to use, and it would have a nice advantage of still supporting cloud synchronization and storage. Either way is OK with me though.

10 Likes

I can’t say if that can be done, @Shida is more qualified to answer.

Thanks for raising this point! I think many others are in the same boat as you where their companies have policies over these things.

3 Likes

Unfortunately, because synchronization involves conflict resolution, it would be a huge technical challenge to keep everything encrypted end-to-end without the server being able to read the data.

For example, if a user has modified the same document on two different computers before syncing them to the cloud (rare, but a plausible scenario), then there would be no way for the server to be able to merge the changes made by the two computers without decrypting the data. This also applies to a shared Dynalist document.

Even if there was a way to do so without compromising the security, we would still need to rewrite our sync algorithm to support both the end-to-end encrypted version as well as the regular version, which would be a burden to do at the moment.

In comparison, disabling sync for a document (or multiple documents, or all documents) is likely simpler. I would opt to implement that one first before considering the alternative solution.

2 Likes

+1 for encrypting as much as possible end-to-end

@Shida is there a conflict resolution happening on the within-item level? Would encrypting just text of the items allow you to do the merging of edits to different items while keeping their content hidden from the server? Some things like hashtag search and data integration might be tricky with this approach, though, if they are currently handled on the server.

Having a local JS API might actually allow us to write extensions that would hook into document loading/saving routines and do local encryption/decryption on the fly btw.

1 Like

Thanks so much for the super detailed response. What you said makes total sense to me. It seems like in the end-to-end encryption scenario, the server would have to store both versions and have a client handle the resolution at some point in the future (and then tell the server the result). I can see how that would be complicated to implement given the current system.

It’s extremely extremely unlikely to ever get end-to-end encryption for Dynalist. Simply because it then becomes almost impossible as a user, to use more than one device which is a requirement for me at least.

In order to use end-to-end encryption you need a private key. That private key must be on any devices that you want to access your data from. And the important bit is that Dynalist themselves can’t ever have that key, otherwise it’s not end-to-end. So that makes you, the end user, responsible for copying it to/from all your devices and making sure it’s backed up safely, as if you reset your device and don’t have access to your key, all your Dynalist material is gone.

I’d say that it’s possible to derive a private key from a passphrase you can enter on every device. But yeah, if you lose the key, then all your data is forever gone.

1 Like

@Cliff_Spradlin meanwhile you could try playing around with a Chrome text encryption extension. Something like Quick Encrypt does HTML as well (* not tested/used)

Thanks for the suggestion. However, I don’t think this will be compatible with Dynalist. I’m not trying to protect a specific secret like a password but rather the entire document.

The plugin you suggested does encrypt HTML, but it doesn’t transform the HTML already on the page. Even if it could, the result would be irrelevant because the HTML on the page is just a rendered view of the underlying JavaScript-based data model.

An encryption solution that would work for the whole document would need to be more integrated and supported by Dynalist directly. Because merge conflicts are resolved on the server, the server currently needs to see the plaintext of the document. Conflict resolution could conceivably be moved to the client, but that would be significantly more work than the implementation I suggested.

As a side note, many eventually-consistent distributed storage platforms actually require the client to handle conflict resolution because the server usually doesn’t know how to correctly resolve conflicts.

Client-side encryption is always a great feature, but a simpler solution for businesses which require maximum confidentiality is simply to start selling a self-hosted license.

Businesses with these requirements will pay for it. Project management software like ActiveCollab has been doing this model for years and shows no signs of losing popularity (and it also looks like they’ve already had the Views feature for a while).

A self-hosted license would be my #1 choice for maintaining privacy as client-side encryption is meaningless unless you open-source the client. Even then many want the server code released e.g. see controversies with Telegram, Wire, Signal etc. At that point it would have been quicker to have gone straight to the self-hosted model.

However there is a third option for confidentiality, and it also is easier than implementing client-side encryption: integration with the remoteStorage open protocol.

remoteStorage-enabled web apps allow users to store and serve their data from a server of their choice - currently you can choose to host your own data on Dropbox, Google Drive or any remoteStorage host (self-hosted or a hosting provider like 5apps).

Laverna (Evernote-alternative) is one such remoteStorage-enabled web app:

This would solve the requirement for confidentiality, as well as the need for integration with cloud storage providers which has already been noted as useful for true offline mode.

2 Likes

Has there been any new development for end-to-end encryption in Dynalist?

There is another thread asking for the same: Request: Page Encryption

I would really like to see end-to-end encryption in Dynalist and I’m perfectly aware of the usual deal: if I lose my encryption key the data is lost.

Copying a long encryption key from device to device is preferable to not having encryption at all and password managers are perfect for this job.

I do get the difficulties on the server side. Are there any new ideas to solve this?

One other aspect is search. But search is already done on client side so this should still be possible with encrypted documents.

If I had a wish, Dynalist would be open source and end-to-end encrypted. But I’m fine with the next best thing: closed source and encryption.

I can’t speak for self-hosting companies. But I imagine there are many people using Dynalist who are the only ones in their company. So it doesn’t make sense to self host it. But the company still may allow them to use Dynalist if it were encrypted.

My question is: How hard is it to implement end-to-end encryption in Dynalist? Besides merge conflicts, are there other server side functions that would break? And can’t we outsource those functions to the client apps?

Maybe this isn’t helpful but I’m using Bitwarden as my password manager. It is open source, offers mobile apps and a web app. Obviously it encrypts end to end; but it seems to work and they must have had the same problems.

2 Likes

There is now a feature request on Trello for client-side encryption, please vote!
https://trello.com/c/5m8S6gWC/180-client-side-document-encryption

4 Likes

Related poll: Client-side encryption poll

I started writing a DIY encryption scheme: DynaCrypt: End-To-End Encryption via Chrome Plugin

Feels like it’s been a long time since we’ve had any update on this! This is the feature that prevents me from using this product or paying for a subscription. Any updates on the priority of a true offline mode?

Vote for it here: https://trello.com/c/46l658SA/146-pro-true-offline-mode

It’s been on the back burner for 5 years though, so I wouldn’t hold your breath.

You’ll probably have more luck bringing it up elsewhere in the outliner community (i.e. Workflowy)

If you scour google maybe you’ll have luck with “local workflowy clone” or “org-mode style outliners” and creative phrasings like that. I found https://www.omnigroup.com/omnioutliner/ for one. I haven’t found anything worth using, personally.

You might want to look at http://moo.do. It is similar to Dynalist (and Workflowy) but has a built-in local file system (as well as online files). It isn’t quite as full featured as Dynalist, although I like some of its features better (an easier date searching system, at least for me; the ability to turn on/off markup; panes for viewing multiple iterations of your outliner; a calendar/agenda function; and mirroring - that was just implemented last week, so the developers are actively working on this app). It works similar to Dynalist but is a bit quirky in some of its implementations. There is a paid premium level, but that is for if you want Google sync services, more than five boards (the way you view panes) and the ability to change the display settings.

Sounds the same as Dynalist with regard to local. What’s the difference? We are asking for an app that we can be assured will never transmit data over the internet accidentally, i.e. to meet corporate security policies. Not just a cache for internet outages.

Yes, all of the apps you list work offline and probably have a local copy of your files stored on your computer or phone, but moo.do will store files locally with no syncing to the server. This is at least true with the Windows app that I’m using. I don’t think this works on their mobile app, though. You can see the blog post here: https://www.moo.do/blog/local-files.

I’m not endorsing moo.do. I’m always interested in new apps and new systems (perhaps to my detriment of getting things done :wink:) so I was giving moo.do a try just to see how it works. So I’m not advocating for this app. I still like my Dynalist… I just wish it had some of the features of other outliner apps (like WYSIWYG and mirroring)! I’m just mentioning this here for those who really need an outliner similar to Dynalist that will store files locally without syncing them.

Wow look at that.

Thank you for bringing this to our attention WebAlstrom. I don’t think you realize how many folks have been waiting for just this app. I have been in dozens of threads where they came up empty. Finally an answer.

Hey everyone, download moo do for desktop and click New Local. Totally seems corporate network kosher, and stores data pretty similar to Dynalist json.