Obsidian for the Paranoid

I’m not a fan of sharing personal thoughts on Obsidian or any software that doesn’t securely lock the content away from prying eyes. So, with lots of tinkering and searching for the right toolset, I managed to create a nice and secure workflow.

If anyone unauthorised launches Obsidian on my computer (because for example I left it on), they’ll see the “unprotected” part of the Vault. It contains content that isn’t particularly private, like my PC parts description or recipes. I don’t want to be bothered encrypting/decrypting everything just to edit a Brownie recipe lol :smiley:

However, if I’m at the computer, I can “uncover” a secret part of my Vault.

  1. I launch cmd.exe, or the command line tool.
  2. I write openobs which is shorthand for open obsidian
  3. The script:
    • silently launches VeraCrypt
    • decrypts a file containing a secret folder and mounts it as a virtual disk
    • a “shortcut” (or a semantic link) is made between this virtual disk and a now-decrypted folder on my Vault called “journal”
    • restarts Obsidian - the same vault is loaded again just to save me clicks
  4. Obsidian now sees a new directory in the Vault - “journal”
  5. I’m free to edit, add or delete any files in the “journal” folder on Obsidian.
  6. Once I’m done I run a command closeobs
    • Obsidian is closed
    • the folder “journal” is yet again encrypted and unmounted
    • Obsidian can no longer establish connection with this folder, so it disappears from the Vault for now
  7. repeat

Also, I managed to set up an rclone workflow, so that I backup my entire Vault into Google Drive. But, the catch is, Google Drive cannot spy on me because - for them and only for them - everything is encrypted. Even those PC parts or recipes are encrypted. For me, locally, Obsidian stays semi-encrypted (the “journal” part, that is).

I’m kinda proud of this workflow and can share these commands if anyone seems interested.

3 Likes

I’d like to see the commands. Thanks for sharing!

The main drawback of this approach is that you can’t use sync or load the protected part of the vault on your mobile devices. We really need a native way to locally encrypt parts of the vault with a password (separate from the account password) so the encrypted notes can be synced safely and securely opened on any of your devices.

3 Likes

I don’t know if this would fit you, but you could also add a plugin (aka. make your own) for obsidian which launches the scripts with a hotkey, and asks for the encryption key in a prompt. Would make the workflow a lot more smooth in my opinion.

That’s a nice idea. The only additional thing it would have to do is hard restart Obsidian (the same restart you can do in debug mode with Ctrl+R) - to let it scan the directory again.

I understand it can be a deal breaker for some people, but I don’t use any of that.

Prerequisite knowledge to Google:

  • you know how to make a .vera file that contains an encrypted drive
  • you know how to make symbolic links, or “shortcuts” essentially
  • you know how to make your script be recognized by cmd as a valid command (google: “how to add commands to PATH”)

Initial setup

  1. Create an encrypted .vera file somewhere on your disk
  2. Decrypt it and mount it as a drive at least once
  3. While you have your data decrypted and “exposed”, make a symbolic link from your actual Obsidian Vault into the decrypted folder.

mklink /J "Z:\vault\your-dummy-folder" "Y:\your-actual-decrypted-secret-stuff-folder"

It will serve as a road-post for Obsidian, telling it “hi, the folder is not really here, but I can give you directions to it. It’s on another drive, here’s the map”.

  4. Unmount your secret data. Now Obsidian cannot find the “journal” folder anymore, so it’ll skip it the next time you mount.

  5. Every time you mount the secret data and launch Obsidian with openobs command, the journal will be a working shortcut, so its data will appear in Obsidian.

The openobs.bat file to decrypt your file and open Obsidian after that:

@Echo Off
SetLocal EnableExtensions EnableDelayedExpansion

Set /P "=Enter a Password: " < Nul
Call :PasswordInput
echo Decrypting the Vault...
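:: Quoted delayed expansion keeps spaces and characters such as ^& or ^| in the password from breaking the command
veracrypt /volume "D:\vera" /letter o /password "!pwd!" /quit /silent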
echo Decrypted. Running Obsidian
"C:\Users\Paul\AppData\Local\Obsidian\Obsidian.exe" obsidian://open/?vault=my-personal-vault

Goto :Eof

:PasswordInput
:: consolesoft.com/batch/?#password_input
::Author: Carlos Montiers Aguilera
::Last updated: 20150405. Created: 20150401.
::Set variable pwd with input password
::Needs delayed expansion enabled
Set "pwd="
Set "INTRO=" &For /F "skip=1" %%# in (
'"Echo(|Replace.exe ? . /U /W"'
) Do If Not Defined INTRO Set "INTRO=%%#"
For /F %%# In (
'"Prompt $H &For %%_ In (_) Do Rem"') Do Set "BKSPACE=%%#"
:_PasswordInput_Kbd
Set "Excl="
Set "CHR=" &For /F skip^=1^ delims^=^ eol^= %%# in (
'Replace.exe ? . /U /W') Do If Not Defined CHR (
Set "CHR=%%#" &If "%%#"=="!" Set "Excl=yes")
If "!INTRO!"=="!CHR!" Echo(&Goto :Eof
If "!BKSPACE!"=="!CHR!" (If Defined pwd (
Set "pwd=!pwd:~0,-1!"
Set /P "=!BKSPACE! !BKSPACE!" <Nul)
Goto :_PasswordInput_Kbd
) Else If Not Defined Excl (
Set "pwd=!pwd!!CHR:~0,1!"
) Else Set "pwd=!pwd!^!"
Set /P "=*" <Nul
Goto :_PasswordInput_Kbd

The closeobs.bat file to encrypt files and close Obsidian.

echo Encrypting the Vault...
veracrypt /dismount O /quit /silent /force

1 Like
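
An added example, not part of the thread and not the poster's own scripts: a PowerShell variant of the openobs/closeobs pair that lets VeraCrypt prompt for the passphrase itself, checks that the vault's “journal” entry really is a junction into the mounted volume before starting Obsidian, and closes Obsidian before a non-forced dismount. The VeraCrypt install path, the Z:\vault\journal location and the script name are assumptions; the container path, drive letter and vault name reuse the placeholders from the posts above.

```powershell
# Added example (not from the thread). Save as obs-journal.ps1 (hypothetical name).
param([ValidateSet('open', 'close')][string]$Action = 'open')

# Assumptions: default VeraCrypt install path; other values reuse the thread's placeholders.
$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
$Container = 'D:\vera'
$Letter    = 'O'
$Junction  = 'Z:\vault\journal'
$Obsidian  = Join-Path $env:LOCALAPPDATA 'Obsidian\Obsidian.exe'
$VaultUri  = 'obsidian://open/?vault=my-personal-vault'

function Open-Journal {
    # No /password and no /silent: VeraCrypt shows its own prompt, so the
    # passphrase never sits in a batch variable or on a command line.
    $vcArgs = '/volume', "`"$Container`"", '/letter', $Letter, '/quit'
    Start-Process -FilePath $VeraCrypt -ArgumentList $vcArgs -Wait
    if (-not (Test-Path -LiteralPath "${Letter}:\")) {
        throw "Volume did not mount on ${Letter}:"
    }
    # The vault entry must be a junction into the mounted volume. A real folder
    # of the same name would keep the journal in plaintext on the vault disk.
    $item = Get-Item -LiteralPath $Junction -Force
    if ($item.LinkType -ne 'Junction') {
        throw "$Junction is not a junction; notes written there are not encrypted"
    }
    if (-not ("$($item.Target)" -like "*${Letter}:\*")) {
        throw "$Junction points to '$($item.Target)', not to drive ${Letter}:"
    }
    Start-Process -FilePath $Obsidian -ArgumentList $VaultUri
}

function Close-Journal {
    # Ask Obsidian to close and wait, so nothing is mid-write at dismount.
    $procs = Get-Process -Name 'Obsidian' -ErrorAction SilentlyContinue
    if ($procs) {
        $procs | ForEach-Object { [void]$_.CloseMainWindow() }
        $procs | Wait-Process -Timeout 15 -ErrorAction SilentlyContinue
    }
    # Dismount without /force; the drive-letter check below reports the case
    # where the volume is still in use and was left mounted.
    $vcArgs = '/dismount', $Letter, '/quit', '/silent'
    Start-Process -FilePath $VeraCrypt -ArgumentList $vcArgs -Wait
    if (Test-Path -LiteralPath "${Letter}:\") {
        throw "Drive ${Letter}: is still mounted; close open files and retry"
    }
}

if ($Action -eq 'open') { Open-Journal } else { Close-Journal }
```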