Security Flaw in Obsidian? Global Encryption for MD Files Stored Locally

Evernote or OneNote may not be as good as Obsidian, but one thing they have is this: if you don’t authenticate with your username and password, no one, not even someone in your family who can access your computer, can see your notes, even accidentally.

However, with Obsidian, even your 10-year-old can open a folder and see the MD files’ contents, images, etc. without even opening Obsidian.

How can better security be achieved, like Evernote’s? Any ideas welcome.

2 Likes

I would begin by having separate accounts on the computer for each family member and locking your screen when you are not using it.

8 Likes

Still, though. My computer may be compromised by an outsider. It can be stolen. I have BitLocker enabled, but anything can happen. There must be a better solution than creating separate accounts.

1 Like

Then encrypt your data locally, either with your OS via BitLocker or with third-party solutions like VeraCrypt.

1 Like

This is Obsidian’s best and most critical feature: plain text, locally stored Markdown files. It’s up to you to secure them.

If you don’t want plain text, locally stored Markdown files (e.g. you want encrypted files or an encrypted SQLite database), then there are other non-Obsidian options.

And to echo WhiteNoise: if you leave your computer unlocked, your other software like Evernote can be read by anyone sitting at your computer.

You might want to consider VeraCrypt or Cryptomator.

4 Likes

But it is much more likely that your files on a cloud, which is designed to be accessed day and night based on credentials that can be stolen, reused, or exploited through any other vulnerability or by an internal actor, get leaked than what is on your own computer. Local will just always be more secure; plus, with local, you are the one who can decide to add additional protection like locking your computer, creating accounts, and encrypting drives and files. Cloud is just a word for “someone else’s computer” that can also be stolen or breached (and they are, every day), and is designed from the start to be accessible internally and externally by hundreds or more people ^^

1 Like

I would like to use Obsidian, hence asking this in this forum. Otherwise, I wouldn’t have wasted my time and would have gone with another tool. What you are describing as a feature is a flaw as far as I am concerned. Obsidian should have an authentication feature, IMHO. I am using other cloud solutions too, to sync. Securing local files is not the only consideration.

I think Obsidian should have a feature to encrypt everything at the application level, with 2FA, as well as the ability to decrypt (export) for people to move away, etc. So that “feature” you are talking about would still be there.

1 Like

They are working on 2FA; see https://obsidian.md/roadmap/

About full disk encryption, see https://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/

1 Like

2FA is for the Obsidian account and has no relationship with how your files are stored locally.

This is exactly the problem separate accounts are meant to solve. Users aren’t meant to share accounts.

I am sorry, but we don’t see a flaw at all. Obsidian is an app that runs locally on your computer, and it is intended that other apps on your computer can potentially access your files.

If it is something you do not want, it is upon you to not allow it (VeraCrypt? containerization).

4 Likes

Thanks, WhiteNoise. Although Microsoft Word, Excel, etc. can run “locally” like MDs, Office apps have a feature to encrypt, built into the app.

VeraCrypt could be an interim solution, but I really do think Obsidian should have this feature built in to encrypt all MD files; it would be more elegant, secure, and reliable.

Similar to what Meld Encrypt is doing at the individual note level, but for the whole vault globally, and again as a built-in plugin instead of a third-party one.

All I ask is, please just think about it and perhaps discuss it at one of your next team meetings. In any case, I do appreciate your input.

1 Like

This is not in the plans, I am sorry.

5 Likes

@courseworm I notice that you didn’t comment on my earlier suggestion, but if you haven’t tried using Cryptomator before, you should seriously consider it.

It will give you what you’re looking for, with the benefit of extraordinary ease of use and encrypted cloud backup, all free and open source.

If that’s not of interest, you might try looking at NoteSnook.

2 Likes

Thanks. Will check it out.

No probs, hopefully these “arrogant and ignorant responses” are of use :+1:

1 Like

This. I don’t know about Windows/Linux, but on macOS every user has their own encrypted home.

Do you mean that on a Mac the admin user doesn’t have access to the whole system? I would like to know more about that.

To achieve basic home cyber security, every user should use their own device (usually a laptop) with Windows 11, Chrome OS, or macOS (Windows 10 can be unsafe due to not having encryption by default). As part of that security, every user should back up their data periodically.

Piggybacking off this frequent topic: is it technically feasible for a plugin to encrypt/decrypt an entire vault in a performant manner? The devs have stated their position. Obviously, OP using the subject “Security Flaw” is going to result in some snarky responses.

There is no denying that an integrated encryption layer would be a massive benefit, especially for users on mobile. For those who sync across multiple devices, think of how many copies of these plain-text notes are backed up using various systems and services. It becomes difficult to cover all the bases.

1 Like

In fact, I wonder if you own a player that encrypts your video files.