The Cryptsidian plugin provides a robust solution for encrypting all files in your Obsidian vault using a password, ensuring your data remains secure and private. Designed for desktop use, the plugin encrypts notes and attachments directly on disk with AES-256 encryption, protecting sensitive information from unauthorized access. Users can easily encrypt and decrypt their vault through modals accessed via the command palette. The plugin is particularly useful for shared device scenarios, such as family or public computers. It automatically closes open files during encryption to prevent corruption and emphasizes the importance of password retention, as files are irretrievable without it. While offering strong encryption, the plugin is not audited for critical security use cases.

Cryptsidian: Encryption for Obsidian.md

Encrypt all files in your Obsidian.md Vault with a password.

Three Warnings

Backup the Vault - before running the plugin make a backup to save your data.
Remember your Password - files cannot be recovered without your password.
File Corruption - Do not open files in Obsidian.md (or other app) after encrypting them. Contents can become corrupted and irrecoverable. The plugin auto-closes all open notes to avoid accidental corruption.

👋🏾 New Project: OpenRelay

Want more privacy? Check out my new project: OpenRelay, a community-built, privacy-first VPN with provably no logs! Tech docs here.

Cryptsidian Installation & Use

You can install the plugin via the Community Plugins tab within Obsidian by searching for "Cryptsidian".

Manual Installation: Copy over main.js and manifest.json (from Releases) to your vault in this location: VaultFolder/.obsidian/plugins/cryptsidian/.

Git Clone: git clone this repository into VaultFolder/.obsidian/plugins/cryptsidian and npm install and npm run dev.

Use: open the command palette (cmd + P on mac) and type "cryptsidian" to bring up the encrypt and decrypt modals. To encrypt, select the encrypt modal and enter your password. To decrypt, select the decrypt modal and enter the same password.

If you use different passwords for encryption and decryption, your files will become corrupted.

Files remain encrypted (or decrypted) after the Obsidian app closes.

Usability

This plugin makes it dead simple to encrypt your vault with a user selected password, including all notes and files (e.g. attachments) in the vault directory. Useful for single device, multiple user situations, like a family computer or a shared computer lab.

It is desktop-only and has been tested on OSX and Linux. It should work on Windows but has not been tested.

This plugin has not gone through an independent security audit and should not be relied upon for critical security applications.

Future changes to the Obsidian API may break this plugin. Forward compatibility is not guaranteed.

Technical Notes

Files are encrypted and overwritten in-place on disk.

Encryption used is aes-256-ctr. A reasonable improvement would be using GCM instead to take advantage of AEAD.

Salt is static in the source code. IV is unique and random (and pre-pended to the file on disk). PBKDF is scrypt with default parameters, from the Node.js crypto API.

Password is required to posess sufficient entropy, but you can change the amount of entropy required in the hasEnoughEntropy function.

The backend functions are all in cryptsidian.mjs. The frontend interaction is in main.ts.

Unit tests can be run using mocha with npm install then npm test.

Code is well commented for readability.