I’ve long been looking for a solution for syncing OneNote between laptops, iPhone and iPad, with complete security – i.e. “Trust No One”, or client-side encryption. The concept here is that if you never provide any means of decrypting your data to the cloud provider (i.e. they don’t hold your keys), then there’s no way that data can ever be leaked or stolen without your say-so (or mess-up).
OneNote 2013 does offer strong encryption, and in fact this is TNO. You can enter a password for a section in any of the Windows/iPhone/iPad apps, and the section will be encrypted on the client side. The downside, and it is a big downside, is that you have to do this for each section individually – not notebook, or section group, but each section. If you have tens or hundreds of sections in your notebook, as I do, that means typing the password for each one when you want to open it!
It also means that you can’t search or index that section while it’s locked – it’s only when you open it that it can be read. This is equivalent to encrypting each file on disk (since OneNote does indeed use a file for each section).
So – I tried this for a while, and immediately found it a pain to use. I have a section for each client, product, project, and doing a ‘search all’ would take ten minutes just to temporarily unlock each one. Ideally, they would allow a password to be bulk-applied to multiple sections, so you can unlock the lot in a single action, but they don’t.
So – I tried something else today; I recently signed up to SpiderOak, which does provide TNO encryption for files shared between systems, including laptops and iOS devices. This means I can securely get the file on iOS (although the key is held in memory on the server briefly).
Thus, if I sync the storage folders of OneNote that I want to protect via SpiderOak, then those files will be accessible in the iOS SpiderOak app, and I can download them unencrypted. The question is, can I then open them in OneNote for iOS?
Well… yes and no:
- If I click the file in SpiderOak and use the Action to open in OneNote, then it doesn’t understand the file, and treats it as a generic file that it simply attaches to a new OneNote document! Useless.
- HOWEVER – if I open it in a OneNote-alternative app (Outline+ on the iPad, no iPhone version available), then it DOES treat the OneNote binary file correctly, and opens it as a native format ‘imported’ OneNote section in Outline+.
The problem is, once you’ve imported this file, you can’t export it again. Outline+ will read .one files from other apps like SpiderOak, but then can’t export them back to those apps – it insists on converting to PDF first. Hence this is an individual section, one-way arrangement – also not useful.
So – there you have it. I think the ideal situation would be for OneNote Windows/iOS/other apps to automatically apply a password to any other protected sections to see if it’ll unlock them… this way, you can decrypt an entire workbook at once. It would also most likely mean no back-end changes for SkyDrive, OneNote storage locations, backups, etc – just a minor UI and front-end change.
I believe this approach is used elsewhere and isn’t considered particularly more insecure, since if an attacker guesses one password, you can pretty much expect they’d try it on all other notebooks themselves anyway, so doing so automatically is no big deal.
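The bulk-unlock behaviour proposed above, sketched as an added example (not OneNote's actual file format or code): each section keeps its own salt and a key-check value, and one typed password is tried against every locked section. The PBKDF2/HMAC scheme, the iteration count and all names here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this sketch


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a per-section key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def protect_section(name: str, password: str) -> dict:
    """Record what a client would keep beside an encrypted section: a random
    salt and a key-check value. Neither the password nor the key is stored."""
    salt = os.urandom(16)
    check = hmac.new(derive_key(password, salt), b"key-check", "sha256").digest()
    return {"name": name, "salt": salt, "check": check}


def bulk_unlock(sections: list, password: str) -> tuple:
    """Try one typed password against every locked section.

    Returns (keys, still_locked): keys maps section name -> derived key for
    the sections the password opens; still_locked lists the rest."""
    keys, still_locked = {}, []
    for sec in sections:
        key = derive_key(password, sec["salt"])
        tag = hmac.new(key, b"key-check", "sha256").digest()
        if hmac.compare_digest(tag, sec["check"]):
            keys[sec["name"]] = key
        else:
            still_locked.append(sec["name"])
    return keys, still_locked


# Constructed notebook: two sections share a password, one uses another.
NOTEBOOK = [
    protect_section("Client A", "correct horse"),
    protect_section("Project X", "correct horse"),
    protect_section("Finance", "different one"),
]

if __name__ == "__main__":
    keys, locked = bulk_unlock(NOTEBOOK, "correct horse")
    print("unlocked:", sorted(keys), "still locked:", locked)
```

Because each section has its own salt, the same password yields a different key per section, and a section protected with a different password simply stays locked.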
We have a Canon MX870. I love it – in fact, before it, I had an MX860. They’re compact, well-built, and fully featured. I love the fact I can scan to an SD card even when all the PCs in the house are off, with no need for PC drivers/apps, and also, that this scan to SD card can scan a multipage duplex document straight to a multipage PDF far faster than if it was writing to a PC via network or USB.
In fact, I like it so much that I’m reluctant to drop it for the newer cloud-enabled and network-enabled MFDs, such as the HP Officejet Pro series. I’ve briefly owned one myself, so did discover many of the cool features this can offer, such as iOS apps to scan directly to the cloud, or the ability to AirPrint from an iPhone to a printer – something the MX870 can’t do.
However – we have a pain. That pain is that whenever we scan to SD card, we then have to remove the SD card, insert it into a laptop, and move the contents across before organising them. It often leads to the card going missing in one of the PCs, and needing to be found before the next scan can happen. It also often means duplicate files, if one of us copies rather than moves the files on the SD card, so that the next person to use the SD card copies all the files again.
So – I set about hacking together a solution.
What I had to work with was an HP Microserver that’s always-on, running Windows Home Server 2011. That gives me the ability to run all sorts of Windows apps, and have an always-on OS, storage and networking in the house.
In short, the process I have running is this:
- I scan a multipage document to SD card as PDF
- SyncBackSE is running as a frequent Scheduled Task on the microserver with Fast Backup enabled, to sync any new files on the Canon MX870 network share of the SD card contents, to a datestamped folder on the server
- The top-level PC folder for the scans is monitored by SugarSync, which syncs any new/changed files in real-time to all our PCs and the cloud
- We then edit, delete, OCR and rename the scan files, and move them off to their final resting place in our documents archive folders
- Every now and then, I remove the SD card and wipe it
Going into detail on each one of these.
Scan to PDF on SD card
This works as before – I run the scan, it gets written to the SD card, and done.
SyncBackSE sync from printer to microserver
This is the clever bit. The printer offers the contents of the SD card as a network or USB mounted drive; you can go to \\printer_ip\canon and see the PDFs, and copy them off. However – you can only copy, you can’t move – which means that if you were syncing files, and then renaming them on the PC as you go, then the old files would be copied again (since no sync system could really track that a file had been renamed, particularly if the size or hash is changed due to OCRing or editing). Thus you would get repeated duplicates.
Now – the network mount for the SD card is read only, so you can’t move/delete edited files. Well, you can, but you have to set this on the physical printer panel, and it is lost when you switch it off. Having to re-set this every time you turn the printer on sucks, so there needs to be a better way.
Enter SyncBackSE and its Fast Backup feature. This is designed to be fast, by remembering which files were synced, and thus not even checking the destination at the next job. This suits us fine, since we don’t want it to check – as we might have renamed or edited the destination. Hence, it might sync files SCAN_001 to SCAN_009, and I can then go and rename, delete, or edit those – but it will be unaware, and it won’t even attempt to sync those back to the SD card – which would fail, since it’s read-only.
As for the frequency – well, we want the file to be synced to the PC automatically pretty soon after we scan it, so I set a scheduled task to run every minute.
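The one-way behaviour described above, as an added sketch (not SyncBackSE's own implementation or configuration): a manifest remembers which source files were already transferred, so the destination is never compared and files renamed or deleted there are not copied again. The function names, the JSON manifest and the sample files are assumptions constructed for illustration.

```python
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def fast_backup(source: Path, dest_root: Path, manifest: Path) -> list:
    """Copy files not seen on earlier runs from a read-only source into a
    datestamped folder. The destination is never compared, so files renamed,
    edited or deleted there are not copied again."""
    seen = json.loads(manifest.read_text()) if manifest.exists() else {}
    target = dest_root / date.today().isoformat()
    copied = []
    for f in sorted(source.glob("*.pdf")):
        stat = f.stat()
        fingerprint = [stat.st_size, stat.st_mtime_ns]
        if seen.get(f.name) == fingerprint:
            continue  # already transferred once; skip without checking dest
        target.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target / f.name)
        seen[f.name] = fingerprint
        copied.append(f.name)
    manifest.write_text(json.dumps(seen))
    return copied


def demo() -> tuple:
    """Constructed run: two scans, edits on the server, then a third scan."""
    with tempfile.TemporaryDirectory() as tmp:
        card, server = Path(tmp, "card"), Path(tmp, "scans")
        card.mkdir()
        manifest = Path(tmp, "seen.json")
        (card / "SCAN_001.pdf").write_bytes(b"%PDF-1 first")
        (card / "SCAN_002.pdf").write_bytes(b"%PDF-1 second")
        first = fast_backup(card, server, manifest)
        # Rename one copy and delete the other, as in the editing step.
        day = server / date.today().isoformat()
        (day / "SCAN_001.pdf").rename(day / "invoice.pdf")
        (day / "SCAN_002.pdf").unlink()
        second = fast_backup(card, server, manifest)  # nothing new on the card
        (card / "SCAN_003.pdf").write_bytes(b"%PDF-1 third")
        third = fast_backup(card, server, manifest)
        final = sorted(p.name for p in server.rglob("*.pdf"))
        return first, second, third, final
```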
SugarSync of the PC Scan folder
Note that I’m not really editing or renaming files yet – because I’m not logged into the microserver; it’s running headless under my desk. However, SugarSync is watching the scan folder in real-time, and syncing it over the internet to all our family and work PCs.
What that means is that within a minute or two of the scan completing, size-depending, it’s updated on all the PCs. Then, when one of us edits or renames the file, or deletes it, that also is synced to all the PCs. Thus there is no duplication of effort, or even duplicate files.
So far, this seems to work.