Fun fact: Joplin log files include plaintext secret keys when you enable E2EE. I moved away from Joplin after that plus a data loss incident where Joplin decided that it wanted to delete all of my notes in the repository. Too many foot guns there! I did like the software though.
If you don't mind me asking, can you share some more info on this?
Did some searching around, and only found one [1] semi related issue from 2018. Is this the one you were referring to?
I don’t. After discovering that flaw plus the issue I was originally reporting in that thread plus another issue where Joplin deleted all my notes, I just stopped using the software.
I’m reasonably happy using Obsidian now, despite it being closed source and not supporting anything but proprietary sync mechanisms. I have no had any data loss issues with it.
I tried Joplin, and most other PKM/note-taking tools out there.
Eventually settled on org-mode. Encryption can be sync-time using restic/cryptomator (cloud sync), filesystem (self-hosted all the way), or save time using plain old GPG. As a bonus, there is a gigantic ecosystem around org-mode, and thanks to the platform (Emacs) it is nearly completely FLOSS and pretty much guaranteed to be around and kickin' when most commercial systems with either die, get acquired or just change too much for my taste.
The master keys are used to encrypt and decrypt data. They can be generated from the Encryption Service and are saved to the database. They are themselves encrypted via a user password using a strong encryption method.
These encrypted master keys are transmitted with the sync data so that they can be available to each client. Each client will need to supply the user password to decrypt each key.