Encryption & Version Conflicts

What are some cloud sync options that can handle both encryption and version conflicts with Obsidian?

I would like to go all in on Obsidian.

Right now I use Dynalist for time management and task issues while I use Obsidian for information, ideas, and references. This is because Dynalist syncs so easily and never seems to have conflict issues, so frequent updates across multiple devices never pose a problem. With Obsidian, I have sync/version issues (sync is often slow with Google Drive for some reason) and it is not encrypted or hidden behind a password or anything like that.

If I use, say, Cryptomator + Google Drive, then I only get encryption. What will happen with version conflicts?

If I use the paid Obsidian Sync, I think I get better sync but then cannot encrypt. Is that right?

Is there any way to get both encryption and minimal version conflicts?

Can anybody please answer this? It would really help. Thanks!

Obsidian sync is end to end encrypted

Ok, that’s good to know.

My understanding of E2EE is that my info is encrypted while traveling around the internet. But if someone were to, say, steal my laptop they could easily read all of my Obsidian vault files. Is that correct?

Yes.

For on-device encryption you can use VeraCrypt or whatever your OS provides natively. Like BitLocker on Windows.

I see.

I’m not sure what bitlocker is, though.

What happens if I use something like VeraCrypt and Obsidian Sync? Or should I not combine those?

you can combine them.

Ok, I might give this a shot.

Thanks!

you can combine them [local encryption and Obsidian sync].

Is there a guide on how to do this? I’m trying to use Cryptomator + Obsidian Sync, but appear to be doing something wrong as not everything is actually syncing.

Steps:

  1. Install Cryptomator.
  2. Create a Cryptomator vault on your local drive (since you are using Obsidian Sync, you would not put the vault onto a cloud drive - don’t use multiple syncing methods at once).
  3. Unlock the Cryptomator vault which will create a drive letter in Windows, or a local folder in Mac/Linux.
  4. Create a new Obsidian vault inside the Cryptomator drive/folder.
  5. Set up Obsidian Sync in the core plugins.
  6. Use Obsidian as normal. When you want to lock your drive, exit Obsidian and lock the Cryptomator drive.

Ok, thanks. I will give this a try.

don’t use multiple syncing methods at once).

Why not?

because they can race each other and make a mess.

I use Keybase, and I don’t allow my computers to automatically log in when they boot. If somebody physically steals my laptop, AND they can somehow override the disk encryption, they still won’t be able to read the files.

For Obsidian … for “high security” I can store the vaults under /keybase/private/jms1/ somewhere, and the vault won’t be available at all while I’m not online and logged into Keybase (because the encrypted blocks containing the files won’t be accessible).

Or, if I trust the disk encryption (FileVault, LUKS, VeraCrypt, Cryptomator, etc.) I can store a copy of the vault on each machine’s disk (so they’re available when I’m offline), and use the obsidian-git plugin to sync the vaults against a Keybase git repo. It works really well, and it was easier to set up than sync’ing to a Github repo.

because they can race each other and make a mess.

Ok, good to know. Thanks

@JMS1 Thanks for your reply! I don’t think I fully understood the technical details of your explanation.

What does this mean?

… because the encrypted blocks containing the files won’t be accessible.

Doesn’t Cryptomator do the same thing? I don’t see the encrypted files location as a mounted drive unless I’ve entered the password.

Or, if I trust the disk encryption (FileVault, LUKS, VeraCrypt, Cryptomator, etc.) I can store a copy of the vault on each machine’s disk (so they’re available when I’m offline), and use the obsidian-git plugin to sync the vaults against a Keybase git repo. It works really well, and it was easier to set up than sync’ing to a Github repo.

What does the bolded portion mean and how does it compare to using Cryptomator + Obsidian Sync?

Sorry if these questions seem basic. I am not that technical.

Keybase is significantly different from Cryptomator.

Cryptomator creates a virtual drive with a local directory as the “backing store” (i.e. where it stores the underlying encrypted bits that nobody can access without having the right cryptographic keys). For “shared file” situations, it relies on some other mechanism to handle sharing the encrypted files. That mechanism could be dropbox, iCloud, or some other “cloud drive” solution which syncs files between computers. The encrypted files on the “cloud drive” get sync’ed between machines, and if Cryptomator is running on the other machines, the virtual drives will be able to see the plain-text versions of the updated files.

Keybase also creates a virtual drive, but rather than using files on a local disk to store the encrypted content, Keybase uploads the encrypted blocks to “the cloud” within a few seconds. If you have multiple devices attached to the same Keybase account, they all “see” the same files under the /keybase/ directory on each machine.

Keybase also offers encrypted git repos. As an example, I can git clone either of these URLs.

  • https://github.com/kg4zow/hello-golang on Github
  • keybase://private/jms1/jms1-old-stuff in Keybase

The big difference is this - Github repos, even if they’re marked as private, are still accessible to Github/microsoft employees, as well as any random anklebiter who manages to get past their security. With Keybase, only devices attached to Keybase accounts with access to the repo will have the necessary keys to decrypt the data blocks storing the repo contents, which means that Keybase employees (and others who might hack their systems) cryptographically cannot see what’s in the repos.

I could keep going, but I don’t want to sound like I’m advertising for Keybase. In terms of being relevant to Obsidian, the two important features are the encrypted filesystem, and encrypted git repositories. If you’re interested in learning more about it …

  • keybase.io is their home page
  • book.keybase.io has documentation
  • The service is free (as in “zero pricetag”)
  • Keybase does a LOT more than just encrypted cloud file storage
  • The client’s source code is open source

As for comparing against Obsidian Sync … I have no idea, I’ve never used it. What I can tell you is, the obsidian-git plugin commits and pushes the changes I make to my vaults, automatically, without my having to think about it. I currently have vaults sync’ing with Github and Keybase, and I have used it with private Gitlab, Gitea, and gitolite servers, and after a bit of stumbling up front, it’s working well with all of them.

I’ve done all of that on my desktop, so my unencrypted Obsidian files are accessible from the Cryptomator drive. The files in encrypted form are in a normal location on my hard drive and not in a cloud sync folder.

Now I’d like this to sync with my laptop. I created a new Cryptomator drive on there with a different encryption key. How do I tell Obsidian to sync files from the desktop into there? After I press “connect” it doesn’t seem to be giving me an option of where to put the vault. It seems to think I already have files wherever it’s planning to put it.

You’re already inside a vault, as we can see from your screenshot. So Obsidian is asking you if it’s ok to merge with your open vault, which I assume is fine since I assume it’s a brand new vault you created for the purpose.

If that’s the case, click Continue and let it sync.

I created a new Cryptomator drive on there with a different encryption key. How do I tell Obsidian to sync files from the desktop into there?

You don’t. In this situation, Obsidian doesn’t know or care about “sync”.

Just like how you use Cryptomator “below” Obsidian to handle the encryption, you’ll be using something else “below” Cryptomator to handle sync’ing.

Building up from the bottom …

  • The first step is “sync”, i.e. make multiple computers “see” the same set of files at the same time.

    This could be done using something like the “cloud drive” products from Apple, dropbox, google, microsoft, or others; it could use a background auto-sync program like SyncThing or Resilio Sync (formerly BitTorrent Sync), or it could be as simple as mounting the same sshfs or WebDAV share from all of the machines (although macOS’s built-in WebDAV support is kinda flaky, you have been warned). There are also products like Mountain Duck (not free) which can “mount” an S3 bucket or azure blob storage account as if it were a disk.

  • The next step is “encrypt”. Create a Cryptomator vault on the drive presented by your chosen “sync” solution, and mount that as a virtual drive.

    All changes made to any files within the virtual drive are encrypted before being written to the “real” disk. When those are written … if you’re using a sync mechanism, it will copy the updated encrypted files to the other peers. Or, if it’s a mounted network drive, the encrypted files are uploaded to that drive.

  • The last step is Obsidian. Create a vault on the virtual drive that Cryptomator creates.

Then on the other computer(s) …

  • Activate your sync’ed or shared directory, log into a service, whatever you need to do.
  • In the synced/shared directory, find the Cryptomator vault (containing the masterkey.cryptomator and other files).
  • In Cryptomator, open that directory as a vault.
  • In the virtual drive that Cryptomator presents, find the Obsidian vault (with the .obsidian/ directory in it) created on the first computer.
  • In Obsidian, use the “Open folder as vault” function to open that directory. If the vault has any plugins and Obsidian asks if you want to allow them, say yes.

Assuming everything works, you’ll see Obsidian indexing the documents in the vault, and then you should see the same vault with the same contents as the first machine. Any changes you make in the vault on one computer should “appear” in the other computers before too long. I just did a quick test using iCloud between two macOS machines on the same local network, newly created notes on one machine seem to take about 15-20 seconds to appear in Obsidian on the other machine.

The other thing to point out is that “sync” systems can run into problems when multiple computers change the same file at the same time. I wrestled with this for several years (involving applications other than Obsidian), using a variety of solutions, with and without Cryptomator involved. You may want to adopt a habit of only using Obsidian on one computer at a time, or at least not editing the same notes on multiple computers at the same time.

Personally I’ve had the best results with Keybase, even though KBFS files are not available when the computer is offline. For Obsidian, I’m using the obsidian-git plugin with encrypted git repos hosted in Keybase. The files are stored locally so they’re accessible when I’m offline, and when something goes wrong, I can quit out of Obsidian and manually fix whatever the git problems are, then start Obsidian again after the repos are cleaned up. (I use git all day long at $DAYJOB so I’m used to dealing with random problems, and Keybase’s git repos seem to be about as reliable as Github.)

Good luck.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
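
The layering described in the thread (sync at the bottom, Cryptomator above it, the Obsidian vault only inside the unlocked drive, and one sync method at a time) can be checked mechanically. The following is an added example, not code from any poster or from the Cryptomator, Obsidian or Keybase projects; it relies only on the `masterkey.cryptomator` and `.obsidian/` markers mentioned above, and the function names and sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

def audit_sync_root(sync_root):
    """Walk a synced folder and classify what the sync tool would upload."""
    report = {"cryptomator_vaults": [], "plaintext_obsidian": [], "git_repos": []}
    root = Path(sync_root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        if "masterkey.cryptomator" in filenames:
            # Encrypted backing store (assumed ciphertext below): do not descend.
            report["cryptomator_vaults"].append(rel)
            dirnames[:] = []
            continue
        if ".obsidian" in dirnames:
            # An Obsidian vault here is outside the encrypted drive.
            report["plaintext_obsidian"].append(rel)
        if ".git" in dirnames:
            # A git-synced vault inside a synced folder is two sync methods.
            report["git_repos"].append(rel)
        dirnames[:] = [d for d in dirnames if d not in (".obsidian", ".git")]
    return report

def findings(report):
    """Turn the raw report into human-readable problems."""
    out = []
    for v in report["plaintext_obsidian"]:
        out.append(f"PLAINTEXT: Obsidian vault '{v}' is synced unencrypted")
    for r in report["git_repos"]:
        out.append(f"DOUBLE-SYNC: git repo '{r}' sits inside a synced folder")
    if not report["cryptomator_vaults"]:
        out.append("NO-ENCRYPTION: no Cryptomator vault under the sync root")
    return out

def build_sample(base):
    """Constructed sample tree (not real data): one encrypted store, one stray vault."""
    base = Path(base)
    (base / "Secure" / "d" / "AB").mkdir(parents=True)
    (base / "Secure" / "masterkey.cryptomator").write_text("{}")
    (base / "Notes" / ".obsidian").mkdir(parents=True)
    (base / "Notes" / ".git").mkdir()
    (base / "Notes" / "todo.md").write_text("# todo\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in findings(audit_sync_root(build_sample(tmp))):
            print(line)
```

Point `audit_sync_root` at the real cloud-drive folder while the Cryptomator drive is locked; a clean result lists the encrypted store and reports no plaintext vaults or git repos beside it.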