I’m not a fan of sharing personal thoughts on Obsidian or any software that doesn’t securely lock the content away from prying eyes. So, with lots of tinkering and searching for the right toolset, I managed to create a nice and secure workflow.
If anyone unauthorised launches Obsidian on my computer (because for example I left it on), they’ll see the “unprotected” part of the Vault. It contains content that isn’t particularly private, like my PC parts description or recipes. I don’t want to be bothered encrypting/decrypting everything just to edit a Brownie recipe lol
However, if I’m at the computer, I can “uncover” a secret part of my Vault.
- I launch `cmd.exe`, or the command line tool.
- I write `openobs` which is shorthand for
- The script:
  - silently launches VeraCrypt
  - decrypts a file containing a secret folder and mounts it as a virtual disk
  - a “shortcut” (or a semantic link) is made between this virtual disk and a now-decrypted folder on my Vault called “journal”
  - restarts obsidian - the same vault is loaded again just to save me clicks
- Obsidian now sees a new directory in the Vault - “journal”
- I’m free to edit, add or delete any files in the “journal” folder on Obsidian.
- Once I’m done I run a command
  - obsidian is closed
  - the folder “journal” is yet again encrypted and unmounted
  - obsidian can no longer establish connection with this folder, so it disappears from the Vault for now
Also, I managed to set up an `rclone` workflow, so that I back up my entire Vault into Google Drive. But, the catch is, Google Drive cannot spy on me because - for them and only for them - everything is encrypted. Even those PC parts or recipes are encrypted. For me, locally, Obsidian stays semi-encrypted (the “journal” part, that is).
I’m kinda proud of this workflow and can share these commands if anyone seems interested.
I’d like to see the commands. Thanks for sharing!
The main drawback of this approach is that you can’t use sync or load the protected part of the vault on your mobile devices. We really need a native way to locally encrypt parts of the vault with a password (separate from the account password) so the encrypted notes can be synced safely and securely opened on any of your devices.
I don’t know if this would fit you, but you could also add a plugin (aka. make your own) for obsidian which launches the scripts with a hotkey, and asks for the encryption key in a prompt. Would make the workflow a lot more smooth in my opinion.
That’s a nice idea. The only additional thing it would have to do is hard restart Obsidian (the same restart you can do in debug mode with Ctrl+R) - to let it scan the directory again.
I understand it can be a deal breaker for some people, but I don’t use any of that.
Prerequisite knowledge to Google:
- you know how to make a .vera file that contains an encrypted drive
- you know how to make symbolic links, or “shortcuts” essentially
- you know how to make your script be recognized by `cmd` as a valid command (google: “how to add commands to PATH”)
- Create an encrypted .vera file somewhere on your disk
- Decrypt it and mount it as a drive at least once
- While you have your data decrypted and “exposed”, make a symbolic link from your actual Obsidian Vault into the decrypted folder.

  ```
  mklink /J "Z:\vault\your-dummy-folder" "Y:\your-actual-decrypted-secret-stuff-folder"
  ```

  It will serve as a road-post for Obsidian, telling it “hi, the folder is not really here, but I can give you directions to it. It’s on another drive, here’s the map”.
- Unmount your secret data. Now Obsidian cannot find the “journal” folder anymore, so it’ll skip it the next time you mount.
- Every time you mount the secret data and launch Obsidian with `openobs` command, the *journal* will be a working shortcut, so its data will appear in Obsidian.
`openobs.bat` file to decrypt your file and open Obsidian after that:
```
@Echo Off
SetLocal EnableExtensions EnableDelayedExpansion
Set /P "=Enter a Password: " < Nul
Call :PasswordInput
echo Decrypting the Vault...
:: "!pwd!" (delayed expansion) keeps characters such as ^& or ^| in the password from being parsed by cmd
veracrypt /volume "D:\vera" /letter o /password "!pwd!" /quit /silent
echo Decrypted. Running Obsidian
:: Placeholder path, adjust to your Obsidian installation
start "" "C:\path\to\Obsidian.exe"
Goto :Eof

:PasswordInput
::Author: Carlos Montiers Aguilera
::Last updated: 20150405. Created: 20150401.
::Set variable pwd with input password
::Needs delayed expansion enabled
Set "pwd="
Set "INTRO=" &For /F "skip=1" %%# in (
'"Echo(|Replace.exe ? . /U /W"'
) Do If Not Defined INTRO Set "INTRO=%%#"
For /F %%# In (
'"Prompt $H &For %%_ In (_) Do Rem"') Do Set "BKSPACE=%%#"
:_PasswordInput_Kbd
Set "Excl="
Set "CHR=" &For /F skip^=1^ delims^=^ eol^= %%# in (
'Replace.exe ? . /U /W') Do If Not Defined CHR (
Set "CHR=%%#" &If "%%#"=="!" Set "Excl=yes")
If "!INTRO!"=="!CHR!" Echo(&Goto :Eof
If "!BKSPACE!"=="!CHR!" (If Defined pwd (
Set "pwd=!pwd:~0,-1!"
Set /P "=!BKSPACE! !BKSPACE!" <Nul)
Goto :_PasswordInput_Kbd
) Else If Not Defined Excl (
Set "pwd=!pwd!!CHR!"
) Else Set "pwd=!pwd!^!"
Set /P "=*" <Nul
Goto :_PasswordInput_Kbd
```
`closeobs.bat` file to encrypt files and close Obsidian.
```
echo Encrypting the Vault...
:: /force dismounts the volume even if files on it are still open
veracrypt /dismount O /quit /silent /force
```
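
The rclone backup mentioned in the first post, as an added example (not the poster's own commands). It assumes a Google Drive remote named `gdrive` and a `crypt` remote named `vaultcrypt` wrapping it, both hypothetical names created beforehand with `rclone config`, plus the placeholder vault path `Z:\vault` and a made-up remote folder `obsidian-backup`.

```bat
@echo off
setlocal EnableExtensions
rem Added example, not the poster's own commands.
rem Assumed rclone.conf layout (remote names and folder are made up):
rem   [gdrive]      type = drive
rem   [vaultcrypt]  type = crypt
rem                 remote = gdrive:obsidian-backup
rem                 filename_encryption = standard
rem                 directory_name_encryption = true
rem Z:\vault is the placeholder vault path used earlier in the thread.
set "VAULT=Z:\vault"

rem 1. Preview what would change without touching the remote.
rclone sync "%VAULT%" vaultcrypt: --dry-run
if errorlevel 1 (
    echo Dry run failed; nothing was uploaded.
    exit /b 1
)

rem 2. Upload. The crypt remote encrypts names and contents locally
rem    before handing them to the underlying gdrive remote.
rem    sync makes the remote match the vault, so files deleted
rem    locally are also deleted from the backup.
rclone sync "%VAULT%" vaultcrypt:
if errorlevel 1 exit /b 1

rem 3. Confirm the encrypted copies match the local files.
rclone cryptcheck "%VAULT%" vaultcrypt:
if errorlevel 1 (
    echo Backup does not match the local vault.
    exit /b 1
)

rem 4. What Google Drive stores: encrypted names only.
rclone lsf gdrive:obsidian-backup
rem    The same files through the crypt remote: readable names.
rclone lsf vaultcrypt:
```

`rclone.conf` stores the crypt passwords in obscured, reversible form, so set a configuration password in `rclone config` or keep that file out of any synced location.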