Password protect / lock folder / Encryption at rest

Rather than insisting that a plain text application add something out of scope, why not use one of the many note taking applications that do offer encryption?

Here’s a list of alternates which are all open source as well (unlike Obsidian; a big benefit if you’re talking about encrypted notes):

https://www.privacytools.io/encrypted-notebooks

However, in your comment you’re not really talking about encrypting the notes, you’re more talking about having a password to just open the app.

So you could use a tool for Windows or Mac that puts a password lock on any application.

Here’s an example for Windows: https://www.gilisoft.com/product-exe-lock.htm

I use this plug-in for sensitive notes, it works very well:
obsidian://show-plugin?id=meld-encrypt

2 Likes

Something to note: TiddlyWiki 5 uses the Stanford Javascript Crypto Library (SJCL) to allow encryption of the entire .html or individual pages (tiddlers) using AES 128 (128 default, but can be and planned to be made AES 256) using a bit of JavaScript.

Is this something that can be done in Obsidian?

The plugin allowing for encryption and decryption unfortunately does not use the live preview of the formatted text, last I tried it.

One key aspect nobody has mentioned so far but is perhaps the most important factor in this, is that using Cryptomator or Veracrypt to encrypt vaults is a futile endeavor because the full, plain text content of every note is still stored in the indexed .txt files in Appdata->Roaming->Obsidian.

So even if you encrypt the vault, once you de-crypt it and open it with Obsidian, all those plain text, human readable contents are stored in Appdata, even if you then un-mount the encrypted veracrypt/cryptomator container.

So this is not a viable solution to the most popular pain points articulated in the comments:

I want to have my notes on my job’s laptop without anybody being able to look at them.

I want to use this for creative writing and journaling, and I don’t want just anyone to open or see my files or the program and be able to read confidential material. So far this is my largest hurdle to adoption.

2 Likes

Perhaps I didn’t mention it in this thread, but I did in another thread:
Yes, you should disable the file recovery plugin (that’s the one that keeps the copies of your notes for recovery purposes).

There is still some metadata that is stored in obsidian to make it work fast (note names, links). If you want to protect that too, you need to also put in the veracrypt vault the obsidian “roaming” directory.

Thank you for chiming in.

I tried via multiple ways to move the appdata->roaming->obsidian folder into an encrypted container in both VeraCrypt and Cryptomator, but Obsidian simply remakes it in Appdata.

What worked is removing access privileges to the “IndexedDB” folder (Properties->Security->Advanced->Disable inheritance), that way Obsidian can’t create the .log file there which contains the data you mentioned. I checked all other folders and files, and that one .log file seems to be the only one that stores data from the vault.
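One way to run the check described in the posts above, as an added example that is not code from the thread or from Obsidian: put a unique canary string in a note, open the vault, close Obsidian, then search the application data directory for that string. The function names and the canary value are hypothetical, and the scan assumes the text is stored uncompressed as UTF-8 or UTF-16LE, so a hit is conclusive but a clean result is not.

```python
import sys
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large cache files are handled


def canary_encodings(canary: str) -> dict[str, bytes]:
    """Byte patterns to search for: the canary as UTF-8 and as UTF-16LE."""
    return {"utf-8": canary.encode("utf-8"),
            "utf-16le": canary.encode("utf-16-le")}


def file_contains(path: Path, needle: bytes) -> bool:
    """Chunked substring search that also catches matches across chunk borders."""
    tail = b""
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            buf = tail + chunk
            if needle in buf:
                return True
            # keep the last len(needle)-1 bytes to bridge into the next chunk
            tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


def find_canary(app_dir: Path, canary: str) -> list[tuple[str, str]]:
    """Return (relative path, encoding) for each file under app_dir holding the canary."""
    if not canary:
        raise ValueError("canary must be a non-empty string")
    hits = []
    for path in sorted(p for p in app_dir.rglob("*") if p.is_file()):
        for name, needle in canary_encodings(canary).items():
            try:
                if file_contains(path, needle):
                    hits.append((path.relative_to(app_dir).as_posix(), name))
            except OSError:
                continue  # locked or unreadable file (e.g. app still running)
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: find_canary.py <app data dir> <canary string>")
    for rel, enc in find_canary(Path(sys.argv[1]), sys.argv[2]):
        print(f"plaintext canary ({enc}) in {rel}")
```

Run it once with the encrypted container mounted and once after unmounting it; any path still reported after unmounting lives outside the container.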

I don’t think that’s gonna make obsidian work properly. It’s better if you move the roaming directory in the veracrypt vault and leave a link/junction to the new location in the old place.

1 Like

Thanks for that useful info. I’m also interested in this topic.

So, if I was to set up a symbolic link to the roaming directory, pointing at the veracrypt drive, that would handle the issue with index files. Is it also possible to do this for the file recovery plugin?

I’m using windows here.
Thanks!

But I don’t understand what you mean by specifying the .md type? You can encrypt everything with e.g., RSA, and if it’s a folder or multiple files you simply archive it and then encrypt it (works for every OS). Whether Obsidian is a text editor or not should have nothing to do with vault encryption because the functionality doesn’t relate to the encryption method. I don’t see it as complex: you simply create a batch to decrypt a password-protected 7z archive with the Obsidian notes after giving the password to the console, and afterwards launch Obsidian (automatically). Super safe and easy (7z uses AES), and just a single click + password entry, no more effort.
You can also use Veracrypt (and also automate via batch) but this may be overkill and takes more effort. 7z should be alright, fast and easy to use.
I don’t see the problem

You can’t imagine how often I hear that phrase from people who will not implement a feature, addressed to people who will implement the feature :slight_smile:

I agree, that it might be done.
I agree, that it might not be as complex as I mentioned before. But I still can see a lot of moving parts (how the app should behave when it can’t encrypt, if there is no right to the folder, no space left, what if a file was broken, what if a file is locked, a lot of things to think about for the user).

I believe that each layer of abstraction or end-user simplification adds layers of complexity for maintaining, debugging, user support, feature extension and increases production cost for a developer.

Anyway, if it was the team’s focus I think we would already have at least some kind of feature prototype.
As I don’t see the feature in Obsidian, I tried to help people achieve their goals using other tools like VeraCrypt.

Hi all, I would go further and argue that Microsoft Onenote has the drop on Obsidian - even though Onenote is old and been beaten up by the UGLY STICK big time! - for offering password encryption, automatic AFK password locking, AND the ability to share Sections with friends via another password that does not unlock your whole Onenote app for them to read!

I really want AFK. While at lunch, I often read the notes on my phone. A tag-team of 2 thieves might get it one day. “Hey mate - what’s that you’re eating there? Looks good!” and BOOM! The other guy has my phone while it’s open and my NOTES APP is open as well!

At least with AFK password locking by the time they get somewhere quiet to investigate - hopefully my app has locked! I’m close to deciding on Obsidian - but Upnote already has password & AFK in place - even if their servers are on Firebase and do not technically get encrypted. Why can’t all the good things be in the one app? (It also lacks sharing Sections with visitors. One password for the entire app - not multiple for different Sections.)

With the amount of ID theft and scams going on in the world - I would have thought this level of security would be standard by now?

2 Likes

+1

need encrypt feature

2 Likes

Use case or problem

Plaintext local storage of vaults on mobile devices especially leads to data security/privacy issues, especially when backing up your device to cloud services

Proposed solution

Obsidian should encrypt/decrypt vaults in local storage, wherever that is, by default

Current workaround

Use Advanced Data Protection on iOS, ensuring iCloud Backups are E2EE; or backup locally to a Mac; not sure about android

Long form explanation

Local vaults are plaintext repositories of all your data. I don’t use android but can explain the problem and a solution for iOS:

If you’re using Obsidian Sync, your local vault is probably in an Obsidian app folder in the On My iPhone folder in the Files app.

If you have iCloud Backups turned on and ADP turned off, Apple and anyone with access to their servers can read your notes. This is an issue for UK users following Apple pulling ADP. Internationally, ADP is also turned off by default, so many people may be unaware of this issue.

If you have iCloud Backups turned off, great, but if someone has your iPhone passcode, they can read your notes. Obsidian does not provide any protection of your plaintext vault.

A solution could be to use something like the Signal messaging app model for local storage. If someone has my iPhone passcode, when they try to access Signal, they’ll be prompted for another password/faceID. Without it, my messages can’t be accessed. Messages are never stored outside of Signal’s own encrypted sandbox.

To maintain ‘true’ local storage, Obsidian could offer exports of plaintext vaults on demand from the Obsidian app interface that could be saved wherever the user wants. This is what Standard Notes does.

1 Like

Reasonable and well written request.

In my understanding, “Vault” should be synonym of “secure place” or “private place”.
Both s*gnal and matrix are govt funded, so they’re all other than “private” if you read and dig long enough. But the example to use a password to unlock vaults is OK, especially for mobile devices which are connected to the web all times.

I’m not sure if a password for Obsidian would be useful, because standards become very quickly obsolete. Face-id? No thanks. Best if users themselves care about data security, because this means to be responsible. That’s my opinion

Links or source for this claim?

“Security” is a willingness to research uncomfortable topics, an ongoing research to decide in autonomy what tools and services to use.

No easy task. Why bother? It’s about user rights in a broader sense. We see what happens today: random data leaks, users who don’t know what their phones (and other devices always connected online) do behind their backs.
Here’s a good start.

Obsidian’s local-first Markdown vaults are awesome, but the lack of native local encryption in 2025 is ridiculous. OneNote has password-protected sections, and privacy-focused apps like Proton’s Standard Notes offer local encryption by default. Forcing users to rely on third-party apps like Cryptomator is a weak excuse, and local encryption fits Obsidian’s ethos of user control perfectly. Here’s why.

OneNote and Competitors Nail Local Encryption

OneNote lets you password-protect sections with AES encryption—simple and secure. If someone accesses your device, those notes stay locked. Obsidian’s vaults? Just plain text Markdown, readable in any text editor. Competitors do better:

  • Standard Notes (Proton): Notes are locally encrypted with XChaCha20 before saving, keeping them secure on-device, even without syncing.
  • Notesnook: Encrypts notes locally with AES-256, protecting them at rest.
  • Joplin: Offers local encryption for notes stored on your device.
  • Apple Notes: Locks notes with AES-GCM encryption, keeping them secure locally.

These apps show local encryption is a must for note-taking in 2025.

“Encrypt Your File System” Isn’t Enough

The default advice—use BitLocker or FileVault—doesn’t solve everything:

  • Not always an option: Work or shared devices often block system encryption.
  • Targeted risks: A nosy coworker or thief could target your notes specifically.
  • Cloud syncing: Vaults synced via Dropbox or iCloud are plain text without extra tools.

Local encryption would protect your vault directly, no matter the device or context.

Third-Party Apps Are a Bad Workaround

Relying on VeraCrypt or Cryptomator is clunky:

  • Too complex: Most users aren’t tech-savvy enough to set up encrypted containers.
  • Sync issues: These tools can mess up cloud syncing, especially on mobile.
  • Mobile pain: Options like Cryptomator are often paid or awkward on iOS/Android.

In 2025, a note-taking app shouldn’t outsource security to external tools.

Local Encryption Fits Obsidian’s Ethos

Obsidian’s all about user control and data ownership—local files, offline-first, no lock-in. Local encryption aligns perfectly:

  • Choice: Optional vault encryption lets users decide their security level.
  • Seamless: Keeps security within Obsidian, no third-party hacks needed.
  • Privacy: Protects sensitive notes like journals or work data on-device.

Without it, Obsidian’s promise of control feels half-baked.

Encryption is Standard in 2025

With privacy concerns and laws like GDPR, users expect note-taking apps to secure sensitive data locally. Standard Notes, Notesnook, and even Apple Notes deliver. Obsidian’s lack of local encryption feels outdated. Plugins like Meld Encrypt are unofficial and unreliable—native support is the answer.

TL;DR

Obsidian rocks, but no local encryption in 2025 is completely absurd. OneNote and Standard Notes show how it’s done, and it fits Obsidian’s ethos of control. Why force us to use third-party apps?

6 Likes