Protected-notes

Trilium is meant to store all kinds of data, including potentially sensitive data such as journals or credentials.

For such sensitive data, Trilium can protect notes, which essentially means:

How to use protected notes

Notes are unprotected by default. If you want a note to be protected, click on the shield icon next to the note title as seen here:

What is encrypted

In principle Trilium encrypts data, but doesn’t encrypt metadata. This specifically means:

Encrypted:

Not encrypted:

Encryption details

… how we get from password to decrypted note:

  1. The user enters the password.
  2. The password is put into the scrypt algorithm together with the “password verification” salt to verify that the password is correct.
  3. The password is put into the scrypt algorithm together with the “encryption” salt, which produces a hash.
  4. The hash produced in the last step is used to decrypt the actual data encryption key.
    • The data encryption key is encrypted with AES-128 with a random IV.
    • The data encryption key is a random key generated at the time of database initialization and is constant over the lifetime of the document. If we change the password, we re-encrypt only this key.
  5. We use the data encryption key to decrypt the actual data: note title and content.
    • The encryption used is again AES-128 with CBC chaining. A unique IV is generated with every encryption operation and stored together with the cipher text.
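
The key hierarchy in steps 1 to 5, sketched in Node.js as an added example (not Trilium's own code). The scrypt cost parameters, the salt and key sizes, the IV-prefixed blob layout, refreshing the verification hash on password change, and all function names are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');
// Assumed scrypt cost parameters and a 16-byte output (the AES-128 key size).
const SCRYPT = { N: 16384, r: 8, p: 1 };
const derive = (password, salt) => crypto.scryptSync(password, salt, 16, SCRYPT);

// AES-128-CBC with a fresh random IV per operation; the IV is stored in front of the ciphertext.
function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}
function decrypt(key, blob) {
  const d = crypto.createDecipheriv('aes-128-cbc', key, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// Database initialization: two salts, a verification hash, and a random data key stored only wrapped.
function initDatabase(password) {
  const db = { verifySalt: crypto.randomBytes(32), encSalt: crypto.randomBytes(32) };
  db.verifyHash = derive(password, db.verifySalt);
  db.encryptedDataKey = encrypt(derive(password, db.encSalt), crypto.randomBytes(16));
  return db;
}

// Steps 1-4: verify the password, then unwrap the data encryption key.
function unlock(db, password) {
  const candidate = derive(password, db.verifySalt);
  if (!crypto.timingSafeEqual(candidate, db.verifyHash)) throw new Error('wrong password');
  return decrypt(derive(password, db.encSalt), db.encryptedDataKey);
}

// Password change: the data key is re-wrapped; note ciphertexts are not touched.
function changePassword(db, oldPassword, newPassword) {
  const dataKey = unlock(db, oldPassword);
  db.verifyHash = derive(newPassword, db.verifySalt); // assumption: hash refreshed, salts kept
  db.encryptedDataKey = encrypt(derive(newPassword, db.encSalt), dataKey);
}

// Constructed demo: step 5, then a password change that leaves the note blob as it was.
function demo() {
  const db = initDatabase('correct horse');
  const note = encrypt(unlock(db, 'correct horse'), Buffer.from('journal entry'));
  const again = encrypt(unlock(db, 'correct horse'), Buffer.from('journal entry'));
  changePassword(db, 'correct horse', 'new passphrase');
  const text = decrypt(unlock(db, 'new passphrase'), note).toString();
  let oldRejected = false;
  try { unlock(db, 'correct horse'); } catch { oldRejected = true; }
  return { text, oldRejected, ivsDiffer: !note.subarray(0, 16).equals(again.subarray(0, 16)) };
}
```

CBC by itself provides confidentiality only, so this sketch does not detect a modified ciphertext.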

Sharing

Please note that protected notes cannot be shared like regular notes.