Still no secure cloud sync for OneNote
I’ve long been looking for a solution for syncing OneNote between laptops, iPhone and iPad, with complete security – i.e. “Trust No One” (TNO), or client-side encryption. The concept here is that if you never provide any means of decrypting your data to the cloud provider (i.e. they don’t hold your keys), then there’s no way that data can ever be leaked or stolen without your say-so (or mess-up).
OneNote 2013 does offer strong encryption, and in fact this is TNO. You can enter a password for a section in any of the Windows/iPhone/iPad apps, and the section will be encrypted on the client side. The downside, and it is a big downside, is that you have to do this for each section individually. Not notebook, or section group, but each section. If you have tens or hundreds of sections in your notebook, as I do, that means typing the password for each one when you want to open it!
It also means that you can’t search or index that section while it’s locked – it’s only when you open it that it can be read. This is equivalent to encrypting each file on disk (since OneNote does indeed use a file for each section).
So – I tried this for a while, and immediately found it a pain to use. I have a section for each client, product, project, and doing a ‘search all’ would take ten minutes just to temporarily unlock each one. Ideally, they would allow a password to be bulk-applied to multiple sections, so you can unlock the lot in a single action, but they don’t.
So – I tried something else today; I recently signed up to SpiderOak, which does provide TNO encryption for files shared between systems, including laptops and iOS devices. This means I can securely get the file on iOS (although the key is held in memory on the server briefly).
Thus, if I sync the storage folders of OneNote that I want to protect via SpiderOak, then those files will be accessible in the iOS SpiderOak app, and I can download them unencrypted. The question is, can I then open them in OneNote for iOS?
Well… yes and no:
- If I click the file in SpiderOak and use the Action to open in OneNote, then it doesn’t understand the file, and treats it as a generic file that it simply attaches to a new OneNote document! Useless.
- HOWEVER – if I open it in a OneNote-alternative app (Outline+ on the iPad, no iPhone version available), then it DOES treat the OneNote binary file correctly, and opens it as a native format ‘imported’ OneNote section in Outline+.
The problem is, once you’ve imported this file, you can’t export it again. Outline+ will read .one files from other apps like SpiderOak, but then can’t export them back to those apps – it insists on converting to PDF first. Hence this is an individual section, one-way arrangement – also not useful.
So – there you have it. I think the ideal situation would be for OneNote Windows/iOS/other apps to automatically apply a password to any other protected sections to see if it’ll unlock them… this way, you can decrypt an entire workbook at once. It would also most likely mean no back-end changes for SkyDrive, OneNote storage locations, backups, etc – just a minor UI and front-end change.
I believe this approach is used elsewhere and isn’t considered particularly more insecure, since if an attacker guesses one password, you can pretty much expect they’d try it on all other notebooks themselves anyway, so doing so automatically is no big deal.
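The bulk-unlock idea proposed above, as an added example (not OneNote's code or file format): the client tries the one typed password against every locked section and keeps whichever keys verify. The per-section salt, the PBKDF2 key derivation and the HMAC key-check value are assumptions made for this model, and all names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CHECK_LABEL = b"section-key-check"  # constructed constant, not a OneNote value


@dataclass
class LockedSection:
    """Hypothetical model of one password-protected section file."""
    name: str
    salt: bytes      # per-section random salt
    verifier: bytes  # HMAC under the derived key, used to test a password


def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption for this example; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def lock_section(name: str, password: str) -> LockedSection:
    salt = os.urandom(16)
    key = derive_key(password, salt)
    return LockedSection(name, salt, hmac.new(key, CHECK_LABEL, "sha256").digest())


def try_unlock(section: LockedSection, password: str):
    """Return the section key if the password fits, else None."""
    key = derive_key(password, section.salt)
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(tag, section.verifier) else None


def unlock_all(sections, password: str):
    """Try one typed password on every locked section, client side only."""
    unlocked, still_locked = {}, []
    for section in sections:
        key = try_unlock(section, password)
        if key is None:
            still_locked.append(section.name)  # different password: stays locked
        else:
            unlocked[section.name] = key
    return unlocked, still_locked


if __name__ == "__main__":
    # Constructed notebook: two sections share a password, one does not.
    notebook = [lock_section("Client A", "shared-pass"),
                lock_section("Project X", "shared-pass"),
                lock_section("Personal", "other-pass")]
    opened, locked = unlock_all(notebook, "shared-pass")
    print(sorted(opened), locked)
```

Nothing leaves the client in this model: the password and derived keys exist only in memory, and a section protected with a different password simply stays locked.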