Is my information security workflow secure?

Hi All, I have a question about information security in Obsidian. I hope this is the right place to ask this.

I like using nested vaults so I can see notes and tags from different domains in my life (work, personal, hobbies, etc.). I know there are cons to nested vaults, but I’ve got it set up so my workflow isn’t impeded by those concerns.

My question is this: I like using Obsidian for journalism because of the great tagging and query functionality and graph view. However, I don’t want the community plug-ins that I use in my top-level vault to have any access to interviews and notes that I save in specific child vaults, which are of course confidential. I work on a Mac, so my workaround is that I used Disk Utility to create a password-protected image from my Interviews vault. When I want to work on interviews, I mount that image (vault) and open it directly from Obsidian, not as a sub-folder in a parent vault. My Journalism vault has community plugins turned off. So if you looked at the file system of the parent vault (which does allow for community plug-ins), you’d see all my other folders (vaults) within the top parent vault, and you’d see that the Interviews folder is a dmg within the file system that cannot be opened by Obsidian without a password. Example 1:

- Parent Vault/ (community plugins are on)
-- Daily Journal/
-- Work/
-- Personal/
-- Journalism/ (community plugins are off)
--- Ideas/
--- Interviews [DMG]

From Obsidian’s GUI, this seems to work: if I click on the “Interviews” .dmg from the parent vault, it prompts me for a password which I never enter from within the parent vault. Once I have mounted that image, it is accessible through my Mac’s Finder, but still prompts for a password in the Obsidian GUI, which is what I want to have happen. To open the Interviews vault, I mount the image and open it from Mac’s Finder. Example 2:

From Mac’s Finder:
Locations
- Macintosh HD
- Interviews (I open this directly from Obsidian via File>Open Vault… and have community plugins turned off for this vault)

However, I will sometimes have one instance of Obsidian open that uses the Parent Vault as the root and another instance which is just the Interviews vault. In that case, the image is mounted and the Parent Vault is open, though I still can’t open the Interviews vault from within the Parent Vault.

I am wondering if community plug-ins could still access the contents of the mounted image even if Obsidian’s GUI cannot open the vault? The image is mounted on my machine, so I can access it via the Unix terminal from my root account. When mounted, can community plug-ins access it as well? Or do the permissions that seem to limit the Obsidian GUI from opening the mounted image (which is the case for Example 1) from a parent vault also apply to community plug-ins? My goal is that I can only access the mounted image by 1. Mounting it and 2. Opening it directly from Obsidian and not from a parent vault (Example 2), making sure no community plug-ins would have access to the contents since the Interviews vault has community plug-ins turned off.

I hope this makes sense. Sorry for the long and complicated wording; I wanted to get as specific as possible. Thank you!

(I am not a security expert.) I think your system sounds pretty solid, but I would not run the parent vault while any child vault is mounted. Plugins can pretty much do whatever, so it should be possible for them to access the mounted vault one way or another. This comment gives details about that, and the thread in general is essential reading about Obsidian security (see especially comments from Obsidian developer Licat and associate WhiteNoise): Security of the plugins - #43 by davecan

1 Like
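The advice above (do not run a plugin-enabled vault while the protected image is mounted) can be turned into a pre-flight check. This is an added example, not part of the original posts or Obsidian's own code; it assumes Obsidian records its vaults in an `obsidian.json` file with a per-vault `path` and `open` flag, and that each vault lists its plugins in `.obsidian/community-plugins.json`. It is conservative: any listed plugin counts as "may run", and the sample data is constructed.

```python
import json
import os
import tempfile
from pathlib import Path

def enabled_plugins(vault):
    """Plugin ids listed in <vault>/.obsidian/community-plugins.json (assumed layout)."""
    try:
        data = json.loads((Path(vault) / ".obsidian" / "community-plugins.json").read_text())
    except (OSError, json.JSONDecodeError):
        return []
    return data if isinstance(data, list) else []

def exposure(obsidian_json, protected_mount, is_mounted=os.path.ismount):
    """Open vaults whose plugins could read protected_mount right now."""
    if not is_mounted(protected_mount):
        return []  # image not mounted: its contents are still encrypted on disk
    vaults = json.loads(Path(obsidian_json).read_text()).get("vaults", {})
    risky = []
    for entry in vaults.values():
        plugins = enabled_plugins(entry.get("path", ""))
        # A plugin runs with the user's own file permissions, so a mounted
        # volume is readable by it even if the Obsidian GUI will not open it.
        if entry.get("open") and plugins:
            risky.append((entry["path"], plugins))
    return risky

def demo():
    """Constructed sample: parent vault with one plugin, Interviews vault with none."""
    root = Path(tempfile.mkdtemp())
    parent, interviews = root / "Parent Vault", root / "Volumes" / "Interviews"
    for v in (parent, interviews):
        (v / ".obsidian").mkdir(parents=True)
    (parent / ".obsidian" / "community-plugins.json").write_text('["sample-plugin"]')
    cfg = root / "obsidian.json"
    cfg.write_text(json.dumps({"vaults": {
        "a1": {"path": str(parent), "open": True},
        "b2": {"path": str(interviews), "open": True}}}))
    return cfg, parent, interviews

if __name__ == "__main__":
    cfg, parent, interviews = demo()
    # is_mounted is stubbed here because the sample directory is not a real mount point
    for path, plugins in exposure(cfg, interviews, is_mounted=lambda p: True):
        print(f"close {path} first: plugins {plugins} can read {interviews}")
```

On a real Mac the first argument would be the `obsidian.json` under the user's Obsidian application-support folder and the second the mount point of the image; both locations are assumptions to verify locally.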

Thanks so much, CawlinTeffid! What you say makes a lot of sense and I do agree that it’s probably best to keep community plugins entirely asleep whenever I have a protected vault open. Thanks so much for the suggested reading!
