Set password for cloud sync encryption

timo

I'm currently working on implementing the fundamental building blocks of this feature.
One question that came into my mind that I wanted to ask your opinion for: When setting up the end-to-end-encryption, should the user be able to make up his own encryption password, or should the user have to remember/store an app-created password? The latter would generally be more secure (as the password is stronger) and easier to implement, but users would certainly have to somehow backup the password as it's almost impossible to remember it.
Also, should users be able to see what password they have created and is in use after setting up the sync or not?

Most password apps (Bitwarden, Enpass, LastPass, 1Password) seem to allow user-created passwords while Day One only seems to support an app-created password that needs to be backed up.

What do you think?

EAPTCB

timo should the user be able to make up his own encryption password, or should the user have to remember/store an app-created password? The latter would generally be more secure (as the password is stronger) and easier to implement, but users would certainly have to somehow backup the password as it's almost impossible to remember it.

When you say "The latter would generally be more secure" do you mean it will be more secure simply because it will be a longer password length with special characters and numbers etc? if this is the case then arguably I could create a more secure password using my password manager (up to 100 characters with numbers and special symbols, if Diarium would support that long a password!) or do you mean that it would be more secure because of another reason?

Ultimately, the whole point of end to end encryption is privacy and security therefore I would like the MOST SECURE and the MOST PRIVATE option which is available.

timo Also, should users be able to see what password they have created and is in use after setting up the sync or not?

I would say no. There is no point in the user being able to do either of these. Your password should be so long and
unmemorable that even if you could see it, it just wouldn't be of any help to the user.

timo Most password apps (Bitwarden, Enpass, LastPass, 1Password) seem to allow user-created passwords while Day One only seems to support an app-created password that needs to be backed up.

What do you think?

A password manager which supports attachments is perfect for this. When I was with Day One and you turn on E2E encryption, it generates a "secret key" which is printable/salvable it has a QR code and your secret key (password) with instructions. I saved a copy of this in digital form inside my password manger, and printed a copy to keep in my safe and another copy was kept off-site at a family member's house.

Ultimately for me timo, the how it works is up to you, as a user the only thing I would ask for is the MOST SECURE and the MOST PRIVATE way you as a developer can think of - it is up to the user to remember their password/key/etc and the responsibility would rest entirely on the user with no onus or repercussions on you.

Max

timo

Apart from the pro's and con's of both options, I am a big fan of creating my own password.

Ideally I could think of the following:

The user can create an own password
The field where the password is entered, has a button next to it which can create a strong password
The user has the option to store the password in the iOS, macOS keychain
For any other user, the password can be copied, so they can store it in their favorite password manager, or just print it.
The encryption dialog cannot be finished unless the user has completed either number 3 or 4
Exposing the password at any time in the app, does not make any sense as far as I can see from a security perspective.

Let me know if you have any questions

PS. Not sure, on any keychain equivalent managing password in Windows.

timo

Thanks for your input!

I said "the latter would be more secure" because a pseudo-random password (as one generated by a password manager) is longer, has more special character, is more random and therefore has more entropy, which makes cracking it harder.

Day One allows users to see their encryption password, without any further checks (like it is not protected by biometrics or anything, you can just go in the settings and view it). I think the idea is that they want to prevent users to lose access to their journal if they don't write it down and don't want to bother/scare them with too many alerts and warnings ala "You will lose your journal if your forget your password!!".

EAPTCB I would ask for is the MOST SECURE and the MOST PRIVATE way you as a developer can think of

I don't know if this is what I want to aim to achieve. "Most secure" also comes with drawbacks, for users and developers. For users, they sync speed could decrease or setting up the sync could be more complicated (or even too complicated for some). There's no benefit in having the most secure algorithm if users lose access to their journal as a consequence.
And for me as a developer, the "latest and greatest" decryption algorithm isn't necessarily available out-of-the box with the technology stack I am using. I would have to search for well-tested implementations that also are expected to be around in a couple of years and not abandoned. Many crypto experts are writing in their blogs, that PBKDF2 isn't the state of the art any more (but Argon2 is) and one should rather use AES265-GCM instead of AES265-CBC. However, it appears that both PBKDF2 and AES265-CBC are available out-of-the box in Microsofts .NET framework and popular apps are using those exact algorithms (Day One, Bitwarden, Enpass, LastPass), so it cannot be that insecure.

EAPTCB

timo Very good and valid points Timo (regarding “most secure”) but what I meant by that was the most secure from the two options you suggested. 😊

timo

Thanks for your input Max! I am currently working on the implementation of the new feature and I think I will require the user to create a password and not have one created automatically.
I might add some extra features (ability to copy password, create strong password or show estimated password strength) in later updates.
I hope to have a very early beta version of the new sync encryption available in the upcoming weeks (which will be hidden for "normal" users, you will have to manually "un-hide" the feature) - please check back in this thread where I will post any updates of the progress

timo

The new app update 3.0.5 (which will roll out slowly over the next days), there is a very first implementation of the end-to-end encryption.

Opt-in & beta

The end-to-end encryption feature is opt-in at the moment, not mentioned in the app and it is very possible, that I will change the implementation again before publicly releasing it (which would mean that you have to re-do the steps setting up the sync as described below)!
To opt-in to/unlock the end-to-end encryption, you need to open any entry, put the text ENABLE E2EE into the heading field and save the entry. A small info toast should show up, informing you have successfully unlocked the feature. This does not yet mean that the sync is now encrypting all your data, it only makes the end-to-end encryption available when freshly setting up the sync (more on that below).
Similarly, if you want to opt-out again, do the same with the text DISABLE E2EE

New "v5 sync"

Currently, when you look in the Diarium folder on your Cloud storage (unless you are using iCloud, in which case the folder is not visible to you), you see that Diarium stores files & folders that are called "v4_database", "v4_mediaindex" and "v4_Media". In order to have a clear separation between the old sync and the new sync, the new files created with the new syncing implementation will use the "v5" prefix instead of the "v4" prefix.
"v5 sync" does not only support the new end-to-end encryption for which a user has to provide a password, it also aims to build a foundation to make future changes to sync easier to facilitate - e.g. when potentially introducing the "multiple journals" feature request or when adding new encryption algorithms.
The default sync mode changes as well - instead of using a hard-coded password that encrypts the data, the data will not be encrypted at all, which can lead to faster sync speeds.

Migration from "v4 sync" to "v5 sync"

In the long run, the goal is to migrate all users to the new "v5 sync", however there are difficulties:

Users could already have large databases uploaded to their cloud, potentially multiple gigabytes. Migrating to v5 would mean to re-upload (& re-encrypt) all that data.
Users upgrade the apps on their devices at different times

Updating apps should be as seamless as possible, and for users who are happy with the sync, nothing should change (for now). Therefore, the new "v5 sync" will only be offered to users when the app does not find an existing "v4_database" file on the Cloud storage. At some point in the future, if features like "multiple journals" require it, upgrading to the "v5 sync" might be required and I might have to introduce a "migration assistant UI" into the app, that guides the user through the process and also deletes the unneeded "v4" files from the Cloud after the migration was successful. Until then, this flow chart shows how the app should decide if to use "v4 sync" or "v5 sync":

Testing the "v5 sync"

Before starting, please create a backup of your database in the app settings!
In order to test the "v5 sync" with E2EE you need to go through the following steps:

Update the app to min. 3.0.2 on all your devices
Save an entry with ENABLE E2EE as the header on all your devices
Delete all files from your Diarium folder in your Cloud
Start sync on one device -> The app should display the dialog allowing you to choose between "default" mode and "end-to-end encryption"
Start sync on other devices -> App should download the v5_database and ask for the password if needed (no password needed if E2EE is not used)

Technical details

For both "default" and "e2ee" mode, the first 2 bytes of the "v5_database" file contain meta information:

The first byte is the "sync version". At the moment, "0" is the only valid value for it. In the future, it might be incremented to support additional features like "multiple journals" for which the rest of the file data might have a different structure
The second byte is the "encryption mode". The value "0" stands for "no encryption", the value "1" stands for "e2ee" which is described in more detail below. Other values are currently not supported, but may be added in the future.
For the "no encryption" mode, the rest of the file data is the ZIP-compressed SQLite database, not encrypted.
For the "e2ee" mode, the first 16 bytes after the 2 "version bytes" are the PBKDF salt (16 bytes), the HMAC (32 bytes), the encryption IV (16 bytes) and the encrypted master key (48 bytes). This data is used to decrypt the master key using the user password, if needed. These 114 bytes are the "database header" and store on the user device. The same header is prepended for each database upload. For more details on how these salts/IVs/HMACs are generated, see below. After the "database header", there is another HMAC (32 bytes) and IV (16 bytes) used for decryption of the database.
The media files aren't compressed. When using the "e2ee" mode, they are encrypted with the master key and contain the 32 byte HMAC and 16 IV for the AES-CBC-HMAC decryption before the payload
The mediaindex file is compressed, but never encrypted (as it doesn't contain confidential information)

When the user enters a password, the app uses 600.000 rounds of PBKDF2-HMAC-SHA256 and a 16 byte salt (600.000 rounds is a recommendation of OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) to derive an 32 byte AES key. This AES key is used to encrypt the master key (which is generated in the next step) - the encrypted master key is part of the "database header" which is prepended to the "v5_database" before upload.
The 32 byte master key is created using a cryptographically strong random number generator - this is the master key used to encrypt/decrypt all the journal data. This master key is stored in a secure location on the user device, together with the "database header" (e.g. the Keychain on iOS/macOS).

AES265-CBC is used as encryption algorithm, in an "Encrypt-then-MAC" mode. Before the app attempts to decrypt the master key, the database or a media file, it first checks if the corresponding HMAC of the IV + ciphertext is correct. If not, the sync errors out right away. This prevents oracle attacks, even though they wouldn't be likely in the usage scenario of Diarium anyways. In order to not use the same key for both HMAC-SHA256 and the AES256, the HKDF algorithm is used with SHA256 in order to derive two individual keys - The encryption key (for AES256) is derived using the "info" parameter of the UTF8 representation of the string "e" while the authentication key (for HMAC-SHA256) is derived using the "info" parameter of the UTF8-representation of the string "a".

One more thing worth mentioning: If a user would encrypt & upload files (incl. media), then delete the "v5_database", then set up the sync again with a different password & master key, the previously uploaded media files would be incompatible (not decryptable) with the new master key. Diarium wouldn't immediately detect that, as it cannot download and check all the files on every sync. Diarium would simply see that there are media files already present and would not re-upload and encrypt with the correct, new key. In order to prevent this problem from happening, Diarium will upload the "v5_mediaindex" and the "v5_Media" folder with a suffix that is generated from the master key. More specifically, the suffix is the first 8 characters of the SHA256 hash of the master key. If there is no master key (when using the "non-e2ee" sync), then the string "6e340b9c" is used as suffix. This suffix ensures that Diarium doesn't "see" those files when querying available media files and instead re-uploads them, encrypted with the right key.

Your feedback is important

Please let me know if you have any questions or suggestions on how to improve the feature. This is perhaps the biggest change I have done in the sync ever so it's important that I will find and fix all bugs before releasing it publicly. Also, if you think that some description in the app is too technical, please let me know. Many of Diarium's users have no technical background, e.g. don't know what "end-to-end encryption" means. I don't want to confuse or scare away those users.

EAPTCB

timo A small info toast should show up, informing you have successfully unlocked the feature.

This did not happen on Windows nor on iPad. But I followed along regardless and I am happy to report that everything was smooth sailing and my Diarium Journal is now End To End Encrypted! 🙂 This was very easy to do. I have not tested out the iCloud sync since I have the "Advanced Data Protection" and security keys. if you remember from other previous post on the topic you were unable to do anything about it

For anyone else reading timo's in-depth explanations and instructions and thinking it all sounds too complicated, or overwhelming, fear not! it's really easy if you just follow the instructions. You do not have to understand all the wonderful technical language or flow charts- just know that if you want to test E2EE (End to End Encryption) and you BACK UP your journal nothing can go wrong.

EAPTCB

Wow! timo, thanks for the in-depth post and explanations; I am so excited to see the beginning of the much anticipated E2E encryption feature coming to life! I can see you have been working very hard on this and its greatly appreciated.

I would love to help with testing and reporting bugs etc, but fear I may somehow mess things up with migrating over to "v5_database" and lose my journal!

With this concern in mind, I was wondering if the following scenario would be possible; I have an iOS licence and a Windows licence too, would I be able to delete Diarium form my iPad and windows (but keep my iPhone version of Diarium "as is" with no changes and fully backed up to iCloud) then reinstall Diarium on my iPad and windows, but this time use a different cloud provider (than that of my iPhone) just for testing purposes? At the moment (my) Diarium is backed up to iCloud I was thinking to use Google Drive for testing purposes.

My thinking is that I could create a few random/fake entries in the V4 and sync back and forth between windows and my iPad to populate some data for testing purposes then attempt to migrate over to V5 using your instructions above this way my original journal would not be effected should something goes wrong. The only caveat would be that I won't be able to test it on iCloud which is ultimately where my journal would be backed up to.

timo

Yes, you can totally use different a Cloud space to test the new sync. You don't have to reinstall the app, you can simply select the different cloud in the app settings.
I am also afraid that many users will be afraid to migrate to the new sync 😃. But I hope that eventually, everyone will switch. At some point, Diarium probably will only support "v5 sync" and only a "v4 sync download" option for backwards compatibility in case the app hasn't been used for a very long time. That migration is currently causing the biggest headache to me, because it means that users will have to re-upload all their data with the new encryption (or no encryption at all). This can be very time consuming with larger databases and users would have to keep open the app for the entire process. And then, at the end of successful migration, Diarium ideally would delete the old "v4" sync data to not consume double the needed Cloud storage space.

Let me know about your experience during the test. If you want to test iCloud, you can also do that. If you backup your journal in the app settings beforehand, you don't have to fear anything. And you could always disable the v5 sync again and switch back

timo

EAPTCB This did not happen on Windows nor on iPad.

The toast should show up when saving the entry with the "ENABLE E2EE" text. Maybe it was too short for you to see? Just to confirm you have actually enabled the e2ee, you were prompted to enter a password, on both devices? 😃
Glad everything seems to be working as expected so far.

Hope for the other users who were interested in this feature to test it out as well! 🙂

EAPTCB

timo The toast should show up when saving the entry with the "ENABLE E2EE" text. Maybe it was too short for you to see?

I definitely did not see any message box pop up if that's what is meant my "The toast" if a message did pop up then it must of been VERY fast as I saw nothing, I tried this on Windows and on my iPad without any kind of notification or message appearing.

timo Just to confirm you have actually enabled the e2ee, you were prompted to enter a password, on both devices? 😃

Yes, indeed! I followed the instructions and after deleting all v4 files from my Diarium folder in the Cloud I started a new sync and I was asked if I wanted to choose between normal mode or E2EE mode. I obviously went for the latter and I was asked to choose a password with a red warning message not to forget my password as there is no way to retrieve it. The sync started and my data was being encrypted! yay!

When my Windows machine had finished the process, I opened up Diarium on my iPad and a different message popped up saying that the sync files are password protected and I need to enter a password first in order to enable sync to my iPad (sorry about the vague message description, in all the excitement I forgot what it said word for word) I entered my password and BAM! my trusty iPad started syncing all my journal entries using "End To End Encryption" 😎 Thank you timo for the feeling of safety and privacy you have given us! This feature request was a long time coming and worth the wait - I can't wait for the final release so that everyone can benefit from this.

username

Thanks for this, i will also set it up and start using it and report back. My android app is on 2.9.84 so i guess i need to wait for it update.

EAPTCB

So, I just tried to sync my entire journal (not the test one, my actual Journal) and this time I opted for Dropbox as the sync destination of choice. I followed the steps as outlined previously, and after confirming that I want End To End Encryption and choosing a password, Diarium was uploading thousands of "local attachments" I could see it would take some time so I left my Windows PC to do it's thing.

After an hour or so, I returned to find the following error message:

The message is pretty self-explanatory, and I wasn't too concerned since I knew it was some kind of time-out error. I'm not sure if this is a Dropbox issue or not. (It defiantly is NOT my internet speed as we have very fast up/down) I am just about to open Diarium on my iPhone 14 Pro Max and sync with Dropbox (instead of iCloud) FINALLY, my PC and iPhone are now going to be in sync all the time! 😃
(Previously, and due to "Advanced Data Protection" limitations, I could not keep Windows and iPhone in sync,) Incidentally, On my iPhone 14 Pro Max, after entering "ENABLE E2EE" I DID receive a toast message! telling me that E2EE was now activated, but still nothing on windows again...

EAPTCB

EAPTCB I am just about to open Diarium on my iPhone 14 Pro Max

Phew! Things were not as straight forward on the iPhone 14 Pro Max running iOS 17.0.3 and Diarium v3.0.8.

After opening Diarium on my iPhone and going to the sync options and choosing Dropbox, I was greeted with the (now familiar) message telling me that my data is encrypted and that I need to unlock my data with the password 😀

So after entering the password, Diarium started to download all my files, it nearly got to the end when an error message popped up (the same one as Windows error message above) and nothing was downloaded. This happened several times and it was REALLY frustrating, incidentally, unlike the windows version of Diarium, (which carried on where it left off) the iPhone version of Diarium started from Zero each time! This made for a very unpleasant time, however, I persevered and tried again and it failed again but this time I got a REALLY LONG error message which I had to break down into two separate screenshots.

I tried one last time to sync again but this time I turned off WIFI and used 5G to sync. It worked! The only this I can think of is that maybe there were too many people in my household all using the WiFi at the same time (even though I have really fast WiFi)

There are a couple of observations/suggestions I would like to make for the iOS version of the E2EE process; first and foremost, the sync should carry on from where it left off in case of an error (just like windows did, I only needed to click retry and it finished off from where it stopped) secondly, Diarium should stop the iPhone from going to sleep/auto locking or at least a pop up message advising the user to make temporary changes to the Lock Screen , this will stop unnecessary failed syncs and error messages. Lastly, I think the wording needs changing during syncing, at the moment while it syncs Diarium states that it’s “Downloading Local Attachments” this to me means all the photos, videos etc ONLY I was thinking at one point what about my journal entries?

I have created test entries from Windows (with attachments) which have synced over WIFI to my iPhone without issues. I did the same on my iPhone to Windows and again, no more issues to report. I think that maybe the syncing process for very large databases needs further refinement, but hey, I have my journal on Dropbox and it’s fully end to end encrypted 😎 this is wonderful news!

timo

Thanks for the feedback.
I think both errors are network-related and as I use the same network requests for both normal and e2ee, I think they could have happened with the "v4 sync" as well. It's probably because so much data was up- & downloaded that those problems get more likely to happen (and a lot of users will up- & download a lot once this feature rolls out so I want to check if there's anything I can improve).
So the first error shows when the upload aborts/times out after I think 100 seconds. The upload checks what attachment files are present in the Cloud when resuming uploading, so it can resume where it left off. The same is not true for the download, where the download has to start from scratch if it didn't complete. Will think about if it's possible to do "partial" downloads but this would add even more complexity which I kind of try to avoid.

The second (long) error ("The network connection was lost") is from iOS. The error description. Maybe Dropbox cancelled the connection because there was too much load. I will try to reproduce this myself, but from my experience this is nothing that should happen regularly in a stable internet connection. What I could do here is to re-try individual requests so that a single connection disconnect is less likely to cancel the whole sync. This might be more easy to implement.

EAPTCB Diarium should stop the iPhone from going to sleep/auto locking

Good point, will try to add that!

EAPTCB Diarium states that it’s “Downloading Local Attachments”

The text is "Downloading remote attachments" but I understand what you mean. The entries are downloaded in one go and much faster than downloading media (because compressed text is very small in size). When Diarium does do that, it shows "Downloading remote database", but probably only very shortly as it is so fast.

EAPTCB I think that maybe the syncing process for very large databases needs further refinement

Yes I will test that, especially the Dropbox sync. How many attachment files are in your journal and how large is it overall?

EAPTCB

timo How many attachment files are in your journal and how large is it overall?

There are (total) : 4,351 attachments (mixed, photo, video, audio and files)
Database size : 2929.92 MB

I'm not sure if the E2EE password length would have an impact on the sync performance since I don't know how its implemented by Diarium (just once to 'unlock the database' and perform the sync, or is each file of the upload/download process unlocked/locked "on the fly"?) I'm obviously no expert, but if it's the latter, my password length may have caused some of those error messages…

timo

@EAPTCB no, the password length has absolutely nothing to do with the sync performance as every password will result in an 32 byte long encryption key.

With the next update, I made some changes based on your suggestions: on iOS, the screen will no longer turn off automatically and also, when there is a network error (e.g. because the app was put to sleep when backgrounded or the screen being turned off), the app will retry the request. This should make the sync more resilient, especially when there is a lot of data to sync

EAPTCB

Thanks timo! This is one feature request which I am so excited about and in all honesty, I’m a little dumbfounded with the lack of interaction from the rest of the community.

When this subject matter was discussed as a possible feature request all that time ago the thread was full of people giving you a hundred and one reasons why E2EE is “a must” and how “important” it is etc etc and now, when it’s a working reality, nobody is helping by trying the pre-release and help with reporting bugs/opinions etc

Come on Diarium community! Let’s give timo some feedback on this feature which was so eagerly requested, he’s been working hard to make this feature request a reality and without more people trying it out and giving feedback it cannot progress to the final release.

Remember, timo does not have to make every feature request a reality so if we don’t show some kind of interest about something as big as E2EE what incentive would he have to make any other feature requests a reality?

Crossoni

I can throw in my opinion about the matter. I could care less about encryption or security. If someone gets access to my personal diary then so be it. I try to live my life by the grace of God in a way that I don't have to hide anything. If someone is so eager to get to know my personal life by hacking my data, all I can say is what a waste of his / her time. I hope that the hacker who gets access to my data would at least learn something about the mistakes and shameful things that I have done.

All I hope is that this encryption thing does not add anything annoying to the app, like force me to write my password every few weeks.

« Previous Page Next Page »