How to password protect Agenda?

For me, password protection to enter the application is sufficient to keep “prying eyes” away, but I would not be surprised if some users would like full data encryption, if they consider their information highly classified. Make both optional!

The step from just hiding some info to full end-to-end encryption is quite a big one, and almost certainly has far reaching legal ramifications. We will think about it. Unfortunately, it is not that simple. Also the question of what happens when you lose your password.

With regard to “password protection”, I am not necessarily looking for something as expansive in scope as end-to-end encryption (though I would not be surprised if there are users whose workflow might make that desirable).

I am really just looking for a little extra security to make sure that certain notes cannot be viewed without entering a password. The security system that Apple Notes now has in place for “locked notes” is one such very useful approach - i.e. where the user can choose to hide certain notes behind a password while the rest of the notes remain freely viewable. Such an approach in Agenda would be fantastic!

Thanks for the feedback! It is very useful.

I haven’t used Apple’s locked notes yet. Do you know what happens if you forget the password, or is it perhaps tied to your iCloud account login?

Don’t worry about replying: I just tried it myself. Seems they do not use the iCloud login. It is just a password, and if you forget, short of using touch id, you have lost your data. Good to know.

Indeed, if you forget the password your kind of “effed”. But I would think that if you are going to use a password in the first place, you’d be responsible enough to either use one your remember or use a password manager.

In any event, I do think it would be a useful feature as I sometimes take notes in meetings that include my own subjective assessment of my colleague’s performance. And while I strive to be fair and accurate, nonetheless I would be very unhappy (as might they) if they were to read those comments.

Understood. Thanks for the feedback!

I would love this feature. I’ve considered creating a “project” of journalling daily, and would definitely prefer those not to be readily accessible (in the ‘keep prying eyes away’ sense).

That said, I’ve already thought about the ability to search within notes to find things I had previously written (this is one of the things that would push me to switch to Agenda/ digital rather than paper). I don’t know if this is a feature in Agenda already (i.e. if I do a search does Agenda only look at titles of documents, or all text, or tags, etc) but I can see password protection on some-but-not-all documents (which is the way I would prefer to use it) and full-text searching not playing nicely with each other.

You have hit on an interesting point about search and encryption/locking of notes. Would need to investigate that. To be fully safe, you probably have to remove the locked notes from search, which is definitely a downside.

Re: search. Our search is full text, so we scan not only title, but content as well.

Actually, I do not think that’s a downside at all. In fact, quite the opposite. Having to unlock password protected notes in order to include them in a search is exactly the behavior that I would want. In fact, if we were living in a Harry Potter-esque world, I would welcome being able to make locked notes disappear entirely. lol As it is, I find myself giving my locked notes titles that are deceptively unrelated to the actual content of the note in order to further safeguard their privacy.

Note, this is also exactly how the Apple Notes app handles locked notes, i.e. locked notes are entirely excluded from search unless and until they have been unlocked. Then they become fully searchable.

One other point I’ll mention is that while this is how the Apple Notes app behaves on the Mac, on iOS it seems that locked notes are never included in search results regardless of locked status. (Just one more of the already too many annoying inconsistencies between Mac and iOS versions of Apple software.)

Having to unlock password protected notes in order to include them in a search is exactly the behavior that I would want.

That’s exactly what Drew meant in that this is not possible (without some significant difficulties at least). In order to have your notes be searchable in a global (across all notes) search, your notes needs to be indexed, which isn’t possible if your note is locked (otherwise a hacker could simply go to the search index instead of your note and that way still get access to at least part of the supposably save content). There are ways around this but it is complicated and non-trivial, I guess this is exactly why Apple Notes behaves different on iOS and Mac.

For me, I want it to protect certain projects so that others cannot access. You know, like a journal. Although, it would be nice to have the password option to protect work projects that I may want to work on during my own time. That way, I don’t have to worry about someone looking at private work information.

Below are the three threats mentioned in this thread:

1. Friends, family, or coworkers using another person’s iOS/MacOS device that has been unlocked and are snooping through the owner’s Agenda data.
2. Outside organizations gaining access to Agenda information uploaded to iCloud either through a security breach at Apple or legal decryption request from various governments.
3. Access to Agenda data through theft or loss of the iOS/MacOS device.

The following are the various concerns that arise from enabling encryption and/or password/PIN/Touch/Face ID protection:

1. Searching capability
2. Password loss and the subsequent data loss
3. Legal liabilities

I believe a hybrid approach may be one of the best solutions. Take DEVONThink To Go v2’s (DTTG) approach to tackling the two threats mentioned above. DTTG mitigates threat number one by giving the user the choice to lock access to the app via a passcode or Touch/Face ID. To my knowledge, the data on the iOS device is never encrypted at the appplication’s level allowing for normal backend searching and indexing. This solves concern number one. As for concern number two, losing access to the owner’s data is minimal through the use of an easier authentication factor: a four digit pin (something you know). This concern is minimized even more if the user decides to use the “something you are” authentication method (Touch/Face ID).

DTTG mitigates threat number two by offering the user the option to symmetrically encrypt their data before it is uploaded to any supported remote storage solution (WebDAV, iCloud, etc). The user simply uses the same password for each device. Since encryption is only required before sending the data to the cloud, concern number one is no longer an issue. Concern number two may not be as much as an issue as initially believed. Remember the data is still stored on the iOS device in clear text as far as the application is concerned. If the cloud encryption password is lost, a new password can be used on both devices to get everything synced again. I understand there may be some lower level sync issues that I may be missing in this scenario during the initial password change, but I know it can be done as I had a similar situation with my DTTG sync store recently.

Threat number three is not an issue for iOS devices. My examples above only addressed iOS devices in which data at rest encryption is mandatory at the OS level. Trust is given to Apple to maintain file permission and sandboxing for the user’s Agenda data while it is stored without encryption after unlocking the iOS device. Whole disk encryption is not mandatory on MacOS (…yet), and the user still has the issue mentioned by mekentosj of exposed index files. Data could be also be accessed by mounting the MacOS disk in another OS. There is no easy solution to this; mounting FileVault disk images for storing the databases is asking too much for most users. DTTG does not solve this problem, but the team makes it abundantly clear to their users that while they offer password protection for viewing database metadata, everything is still stored in clear text on the MacOS device.

Concern number three can be mitigated by being transparent in the encryption and password protection methodologies chosen by the Agenda team within Agenda’s Privacy Policy, Terms & Conditions, and confirmation dialogs when enabling such features. Please note that I am not a lawyer, and this is not legal advice. Communicating the following may help in gaining users’ trust and minimizing legal liabilities with user error:

1. The encryption library used and the strength enforced (e.g. 256-bit).
2. Discrepancies in password PIN/Touch/Face ID protection levels between MacOS and iOS devices in regards to data at rest encryption
3. Whether protection measures may or may not meet various government level data protection regulations (e.g. GDPR or HIPAA).

End to end encryption is an important feature to me. This is the reason I refuse to purchase Things 3 for iPad and MacOS as the Things Cloud service does not allow for end to end encryption. I am impressed with Agenda so far, and I would like to utilize it to its fullest potential one day once the team tackles encryption before uploading to a third party service or at least grants me the capability to sync via a self-hosted remote storage solution (e.g. a local instance of WebDAV).

TLDR: Data does not need to be encrypted on device at Agenda’s level. Data only needs to be encrypted before uploading to a remote storage service. Provide the option to keep Agenda from opening without providing PIN/Touch/Face ID to keep snoopers from looking at Agenda data when a device is borrowed by a semi-trusted individual. Ensure customers are aware of the lack of whole disk encryption on MacOS devices.

Very thorough discussion of the options. I think it also shows why this is not a few days work.

We have wanted to support password protection of notes and projects, and end-to-end encryption since the beginning. It’s just a question of priorities at this point.

Look to Apple Notes for a good example. The only thing I would add to their implementation is locking whole notebooks as well.

I must say, something that scares the begeebees out of me is that if you forget your password, or mistype it wrong twice, your notes are gone. Nobody can get them back.

People in this day and age are used to forgetting passwords, or using some password manager. They never expect that if they forget a password that it is game over. They just go to the web site and hit “Forgot Password”, get a link emailed etc.

We are going to think about it some more. Maybe there is a recoverable way to do it. Not sure.

Use touch id. You can forget your password but you can’t forget your fingerprint.

I agree; it is scary. It may not be worth taking on the responsibility of implementing complete data at rest encryption (on the device & in the cloud). The solution I proposed should be recoverable as only the data in the cloud is encrypted while the data on the device is still in clear text within the application. The user could create a new password for both devices and resync to the cloud. The responsibility for data at rest encryption on the device could rest with the individual or Apple. People that require data at rest encryption for their MacOS device at least have the option to use FileVault for whole-disk encryption in the meantime.

As for protecting Agenda data from prying eyes on the device, Agenda could use the usual pin and/or Touch/Face ID mechanism to prevent flagged notes from being visible until unlocked. If the individual forgets the pin, perhaps it could be reset once re-authenticating to their Agenda account.

I appreciate you taking the time to read my comments. In the meantime, I will be purchasing the iOS version of Agenda today. I have confidence that your team will figure out a solution. Good luck!

I realize this is an old thread but I’ll chime in nonetheless. I’m a premium user but I can’t use Agenda at work. It is installed on my company-provided MacBook Pro, MacBook Air, iPad Pro, and iPhone but, like I said, I can’t use it because there’s no end-to-end encryption. If you guys enable that I’ll be able to actually use what I paid for. I didn’t realize Agenda doesn’t have the security levels I need when I bought the premium subscription. I don’t regret paying for premium features because I like Agenda. I’m hoping you can provide end-to-end encryption soon (and the ability to paste pictures inline into a note.)

Yes, we would like to add end-to-end encryption. It’s in the roadmap.

Thank you for supporting us in the meantime!