I’m not a fan of sharing personal thoughts on Obsidian or any software that doesn’t securely lock the content away from prying eyes. So, with lots of tinkering and searching for the right toolset, I managed to create a nice and secure workflow.
If anyone unauthorised launches Obsidian on my computer (because for example I left it on), they’ll see the “unprotected” part of the Vault. It contains content that isn’t particularly private, like my PC parts description or recipes. I don’t want to be bothered encrypting/decrypting everything just to edit a Brownie recipe lol
However, if I’m at the computer, I can “uncover” a secret part of my Vault.
1. I launch cmd.exe, or the command line tool.
2. I write openobs which is shorthand for open obsidian
3. The script:
   - silently launches VeraCrypt
   - decrypts a file containing a secret folder and mounts it as a virtual disk
   - a “shortcut” (or a semantic link) is made between this virtual disk and a now-decrypted folder on my Vault called “journal”
   - restarts obsidian - the same vault is loaded again just to save me clicks
4. Obsidian now sees a new directory in the Vault - “journal”
5. I’m free to edit, add or delete any files in the “journal” folder on Obsidian.
6. Once I’m done I run a command closeobs
   - obsidian is closed
   - the folder “journal” is yet again encrypted and unmounted
   - obsidian can no longer establish connection with this folder, so it disappears from the Vault for now
7. repeat
Also, I managed to set up an rclone workflow, so that I backup my entire Vault into Google Drive. But, the catch is, Google Drive cannot spy on me because - for them and only for them - everything is encrypted. Even those PC parts or recipes are encrypted. For me, locally, Obsidian stays semi-encrypted (the “journal” part, that is).
I’m kinda proud of this workflow and can share these commands if anyone seems interested.
The main drawback of this approach is that you can’t use sync or load the protected part of the vault on your mobile devices. We really need a native way to locally encrypt parts of the vault with a password (separate from the account password) so the encrypted notes can be synced safely and securely opened on any of your devices.
I don’t know if this would fit you, but you could also add a plugin (aka. make your own) for obsidian which launches the scripts with a hotkey, and asks for the encryption key in a prompt. Would make the workflow a lot more smooth in my opinion.
That’s a nice idea. The only additional thing it would have to do is hard restart Obsidian (the same restart you can do in debug mode with Ctrl+R) - to let it scan the directory again.
It will serve as a road-post for Obsidian, telling it “hi, the folder is not really here, but I can give you directions to it. It’s on another drive, here’s the map”.
Unmount your secret data. Now Obsidian cannot find the “journal” folder anymore, so it’ll skip it the next time you mount.
Every time you mount the secret data and launch Obsidian with the openobs command, the journal will be a working shortcut, so its data will appear in Obsidian.
The openobs.bat file to decrypt your file and open Obsidian after that:
@Echo Off
SetLocal EnableExtensions EnableDelayedExpansion
Set /P "=Enter a Password: " < Nul
Call :PasswordInput
echo Decrypting the Vault...
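:: Quote the password and expand it with !pwd! so spaces and characters such as & or | reach VeraCrypt intact
veracrypt /volume "D:\vera" /letter o /password "!pwd!" /quit /silent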
echo Decrypted. Running Obsidian
"C:\Users\Paul\AppData\Local\Obsidian\Obsidian.exe" obsidian://open/?vault=my-personal-vault
Goto :Eof
:PasswordInput
:: consolesoft.com/batch/?#password_input
::Author: Carlos Montiers Aguilera
::Last updated: 20150405. Created: 20150401.
::Set variable pwd with input password
::Needs delayed expansion enabled
Set "pwd="
Set "INTRO=" &For /F "skip=1" %%# in (
'"Echo(|Replace.exe ? . /U /W"'
) Do If Not Defined INTRO Set "INTRO=%%#"
For /F %%# In (
'"Prompt $H &For %%_ In (_) Do Rem"') Do Set "BKSPACE=%%#"
:_PasswordInput_Kbd
Set "Excl="
Set "CHR=" &For /F skip^=1^ delims^=^ eol^= %%# in (
'Replace.exe ? . /U /W') Do If Not Defined CHR (
Set "CHR=%%#" &If "%%#"=="!" Set "Excl=yes")
If "!INTRO!"=="!CHR!" Echo(&Goto :Eof
If "!BKSPACE!"=="!CHR!" (If Defined pwd (
Set "pwd=!pwd:~0,-1!"
Set /P "=!BKSPACE! !BKSPACE!" <Nul)
Goto :_PasswordInput_Kbd
) Else If Not Defined Excl (
Set "pwd=!pwd!!CHR:~0,1!"
) Else Set "pwd=!pwd!^!"
Set /P "=*" <Nul
Goto :_PasswordInput_Kbd
The closeobs.bat file to encrypt files and close Obsidian.
echo Encrypting the Vault...
veracrypt /dismount O /quit /silent /force
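
The link step described above ("a road-post for Obsidian"), as an added example that is not part of the original posts: a one-time setup and pre-flight check that creates the "journal" link and refuses to continue if "journal" is an ordinary folder, because notes written there would sit unencrypted on the normal disk. The vault path is a placeholder, and the use of a junction (`mklink /J`) and of a folder named `journal` on O: are assumptions.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not the poster's script.
rem VAULT is a placeholder path; O: and "journal" are the names used in the thread.
set "VAULT=C:\path\to\my-personal-vault"
set "LINK=%VAULT%\journal"
set "TARGET=O:\journal"

rem 1. The encrypted volume must already be mounted as O:.
if not exist "O:\" (
    echo O: is not mounted. Mount the VeraCrypt volume first.
    exit /b 1
)

rem 2. Make sure the folder exists inside the encrypted volume
rem    (assumed location of the secret notes).
if not exist "%TARGET%\" (
    mkdir "%TARGET%" || exit /b 1
)

rem 3. If "journal" is already in the vault it has to be a link.
rem    dir /AL lists only reparse points (junctions and symbolic links).
if exist "%LINK%\" (
    dir /AL /B "%VAULT%" 2>nul | findstr /I /X /C:"journal" >nul || (
        echo "%LINK%" is a normal folder, not a link.
        echo Move its contents to O: and delete it, then run this again.
        exit /b 2
    )
    echo Link is already in place.
    exit /b 0
)

rem 4. First run: create the link. /J makes a junction, which needs no
rem    administrator rights; mklink /D would make a symbolic link instead.
mklink /J "%LINK%" "%TARGET%" || exit /b 3
echo Created the journal link in the vault.
```

Run it once while the volume is mounted; after a dismount the link stays in the vault but points nowhere, which is why the folder disappears from Obsidian.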