Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Fun fact: Joplin log files include plaintext secret keys when you enable E2EE. I moved away from Joplin after that plus a data loss incident where Joplin decided that it wanted to delete all of my notes in the repository. Too many foot guns there! I did like the software though.


That issue seems to have been fixed 4 years ago: https://github.com/laurent22/joplin/commit/b07fe5cc348ab8c3d...


If you don't mind me asking, can you share some more info on this? Did some searching around, and only found one [1] semi related issue from 2018. Is this the one you were referring to?

[1] : https://github.com/laurent22/joplin/issues/288


Just look in your log files. Here’s my log file with the keys scrubbed, which I discovered while hunting down an unrelated issue.

https://discourse.joplinapp.org/t/keep-original-notebook-on-...


> Just look in your log files. Here’s my log file with the keys scrubbed.

https://discourse.joplinapp.org/t/keep-original-notebook-on-...

I just checked my log.txt file and I can't find mention of my master password. Maybe it is fixed?


Do you have open an issue about it?


I don’t. After discovering that flaw plus the issue I was originally reporting in that thread plus another issue where Joplin deleted all my notes, I just stopped using the software.

I’m reasonably happy using Obsidian now, despite it being closed source and not supporting anything but proprietary sync mechanisms. I have no had any data loss issues with it.


I haven’t found anything better than Joplin, have you?


I tried Joplin, and most other PKM/note-taking tools out there.

Eventually settled on org-mode. Encryption can be sync-time using restic/cryptomator (cloud sync), filesystem (self-hosted all the way), or save time using plain old GPG. As a bonus, there is a gigantic ecosystem around org-mode, and thanks to the platform (Emacs) it is nearly completely FLOSS and pretty much guaranteed to be around and kickin' when most commercial systems with either die, get acquired or just change too much for my taste.

Probably not for everyone, though.


Joplin has no mobile writer. Only reading.

Obsidian has that. And is more extendable. That is why I switched.

For me, writing a note on multiple devices is the key feature.


Joplin's Android and iOS app can both edit note contents, by tapping the '+' or 'edit' circular button at bottom right of screen.


Last time I checked (2019ish) it wasn’t possible. The times they are a changing, I guess.

Will check it out again.



I edit on mobile all the time... works great



Wait a minute, that's not fun at all!


It's also an incomplete assessment - anyway who doesn't take a backup before entering into the unknown (or inexperienced) world of new tools? - PEBKAC

If you follow the instructions properly, this issue is a non-issue.


Of course I resorted from backup. And then I stopped using the application which has such problems.

Still, after discovering that the keys were in the log file, it was definitely a “final nail in the coffin” for me.


Have you read this?

https://joplinapp.org/spec/e2ee/

Master Keys

The master keys are used to encrypt and decrypt data. They can be generated from the Encryption Service and are saved to the database. They are themselves encrypted via a user password using a strong encryption method.

These encrypted master keys are transmitted with the sync data so that they can be available to each client. Each client will need to supply the user password to decrypt each key.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: