Protected notes

Trilium is meant to store all kinds of data - including potentially sensitive data like journals or credentials etc.

For such sensitive data Trilium can protect these notes which essentially means:

encrypting the note with encryption key based on your password.
- This means that without your password, protected notes are not decipherable so even if somebody managed to steal your Trilium document, your protected notes could not be read.
time-limited access to protected notes
- To first access protected notes you need to enter your password which will decrypt the note and allow you to read / write them. But after certain time period (by default 10 minutes) this decrypted note is unloaded from memory and to read it again you need to enter your password again.
- This protects against a possible scenario where you leave your computer unlocked for a long time and somebody can access your Trilium application.

How to use protected notes

Notes are by default unprotected. If you want your note to be protected, click on shield icon next to the note title as seen here:

You can also notice how protected notes are greyed in the note tree and given subtle shield background in the note editor so you have good overview of what's protected and what isn't.

What is encrypted

In principle Trilium encrypts data, but doesn't encrypt metadata. This specifically means:

Encrypted:

note title
note content
images
file attachments

Not encrypted:

structure of the notes - i.e. you can still see that there are protected notes.
- there's no attempt to hide the fact there are encrypted notes
various metadata - e.g. date of last modification
attributes

Encryption details

... how we get from password to decrypted note:

User enters password
Password is put into scrypt algorithm together with "password verification" salt to verify that password is correct
Password is put into scrypt algorithm together with "encryption" salt which produces a hash
- here we use scrypt for key stretching
Hash produced in the last step is used to decrypt actual data encryption key
- data encryption key is encrypted with AES-128 with random IV
- data encryption key is random key generated at the time of document initialization and is constant over the lifetime of the document. If we change password, we re-encrypt only this key.
We use data encryption key to decrypt actual data - note title and content.
- encryption used is again AES-128 with CBC chaining. Unique IV is generated with every encryption operation and stored together with the cipher text.

Back to Overview

Screenshot tour
Basic concepts
- Document
- Note
- Navigation
- Keyboard shortcuts
- Themes
  - Theme Gallery
- Import & Export
Installation & setup
Advanced usage
- Attributes
- Relation map
- Note map
- Book note
- Sharing
- Code notes
- Advanced showcases
- ETAPI (REST API)
- Default note title
Developer guides
- Frontend Basics
- Widget Basics
FAQ
Troubleshooting

Uh oh!

Protected notes

How to use protected notes

What is encrypted

Encryption details

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!