WARNING! Do not use Cryptomator with journal-cli. Cryptomator is a great tool, but it does not play nicely with git, which is baked into journal-cli. I tried creating a git repository on a mounted Cryptomator drive on my Windows machine and it basically corrupted my files. Don't make the same mistake.
Do you need encryption?
Out of the box, journal-cli stores all your journal files in plain text in a directory of your choosing on your local file system, without protection of any kind. Depending on what kind of information you're keeping in your journal, that might be perfectly acceptable. The files aren't in the cloud, so at least they're not vulnerable to the ineptitudes of your favorite cloud provider - or to the nefarious hacker targeting it - but anyone who is able to access your computer can potentially read them. That includes the thief who steals your laptop and manages to crack the shitty password you used to lock it, or your nosey brother who "accidentally" finds your journal while "browsing the internet". Again, if your journal consists of research notes from books and articles you've read, this all may not be a problem. But if your journal is for writing intimate, personal, or private thoughts, it really should be encrypted. To do that, you'll need another third party tool.
There are a lot of tools available for encryption these days, and I've experimented with many of them specifically for use with journal-cli. Based on my experiences, I can offer two recommendations. First, as indicated above, don't use Cryptomator. I personally experienced data corruption after creating a git repository on a mounted Cryptomator virtual drive. Other folks have reported similar issues. So while it's a great tool overall, it's not a good choice for use with journal-cli. By extension, I don't recommend testing other encryption tools with journal-cli unless you've confirmed that they will work reliably with git repositories.
The other recommendation is for what you should use with journal-cli for encryption: VeraCrypt. I've used VeraCrypt - and its long defunct predecessor - for many years without issue. I've used it to encrypt my journal for as long as journal-cli has existed.
If you've never used VeraCrypt before, I suggest you start by reading this beginner's tutorial. Basically, it allows you to create an encrypted file - referred to as a "container" - that can be mounted as a disk drive on your computer. Once mounted, you can interact with it just like you would any other drive on your machine. You can add files, edit them, delete them; whatever. However, once you dismount the drive, it is removed from the system and the files it contains become inaccessible. They still exist within the encrypted container, but are not accessible until the container has once again been mounted.
If you already have a journal-cli journal that you would like to encrypt, it's as easy as creating a new encrypted container as described in the tutorial linked above, mounting it, and then moving all your journal files from their current location to the mounted container's virtual drive. Don't forget to include the hidden .git directory. Once that's done, use the Set-JournalDefaultLocation cmdlet to update your journal's path.
If you have not yet used journal-cli to create journal entries, first create a new encrypted container as described in the tutorial linked above and mount it. Then, use the Set-JournalDefaultLocation cmdlet to set the desired path on the mounted drive where your journal files should be stored.
Remember, you must always use the same path when mounting your journal's container file. (Using VeraCrypt's "favorite volumes" feature - described below - makes this easy.)
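The migration of an existing journal described above, as a PowerShell script that copies first and verifies the git repository before anything is deleted. This is an added example, not part of journal-cli; both default paths and the J: drive letter are assumptions, and copying instead of moving is a choice made here so the original stays intact until the copy checks out.

```powershell
# Added example: copy an existing journal into a mounted VeraCrypt container and
# verify the copy before trusting it. Both default paths are placeholders.
param(
    [string]$Source      = "$HOME\Documents\Journal",  # current journal (assumed path)
    [string]$Destination = 'J:\Journal'                # mounted container (assumed drive)
)
$ErrorActionPreference = 'Stop'

function Get-RepoState([string]$Path) {
    # fsck reads and checks every object, so a damaged repository fails here.
    git -C $Path fsck --full | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "git fsck failed in $Path" }
    $head = git -C $Path rev-parse HEAD
    if ($LASTEXITCODE -ne 0) { throw "No commits found in $Path" }
    [pscustomobject]@{
        Head    = $head
        Pending = @(git -C $Path status --porcelain).Count   # uncommitted changes
        Files   = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -File).Count
    }
}

if (-not (Test-Path -LiteralPath (Join-Path $Source '.git'))) {
    throw "$Source has no .git directory"
}
if (Test-Path -LiteralPath $Destination) {
    throw "$Destination already exists; refusing to merge into it"
}

$before = Get-RepoState $Source
Copy-Item -LiteralPath $Source -Destination $Destination -Recurse -Force
$after = Get-RepoState $Destination   # fails if the hidden .git directory was left behind

foreach ($field in 'Head', 'Pending', 'Files') {
    if ($before.$field -ne $after.$field) {
        throw "$field differs ($($before.$field) vs $($after.$field)); $Source left untouched"
    }
}
Write-Host "Copy verified at commit $($after.Head)."
Write-Host "Next: run Set-JournalDefaultLocation for $Destination, then remove $Source."
```

If git refuses to run on the mounted drive with a "dubious ownership" error, which can happen on FAT or exFAT volumes, add that path to git's safe.directory setting and run the script again.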
Choose a naming convention
Even though VeraCrypt containers can be named anything at all, I suggest using a naming convention so you can easily find them again. For example, I always name my containers with a .vcc file extension ("VeraCrypt Container"). That way, I can easily find all my containers by searching for "*.vcc" with a tool such as Everything*.
Choosing the right file size
How large should your encrypted container be? It depends. Will your entries consist solely of text? If so, you can veer toward the smaller end of the spectrum. On the other hand, if you plan on embedding lots of images in your entries, you'll need a larger container. I recommend starting with 100MB. If your journal ever outgrows the container, you can always create another, larger one and just move your journal files over.
Keep your password secure and private
This might be patently obvious - in fact, I hope it is - but I'll say it anyway. Keep your password away from prying eyes. I highly recommend using a password manager such as 1Password. It's not free, but it's fairly inexpensive and totally worth it. (There are free alternatives out there, but I've used 1Password for years so it's the only one I can recommend.)
You might be tempted to memorize your password and never write it down. I don't recommend that. If you don't unlock your container for a long enough period of time, you risk forgetting the password and if that happens you are completely screwed. This point warrants further emphasis: if you forget the password to an encrypted container, there is absolutely no way to recover the data inside it. There are no password recovery options available.
Enable container timestamp modifications
By default, VeraCrypt will not alter the "last modified" date on encrypted container files. That means when a container is created, the file will have the same initial "created on" and "last modified" dates which will never change. This is for increased security, but has a significant downside because synchronization and backup software may not detect when the container's contents have changed. In the context of journal-cli, the consequence is that your journal may not get backed up and/or synchronized properly. For this reason, I highly recommend you enable timestamp modifications if you plan to use VeraCrypt to protect your journal.
Starting from the VeraCrypt main window, go to Settings, then Preferences, and then uncheck the option that says "Preserve modification timestamp of the file containers". That's it.
When you sit down to write a journal entry, you want to be able to decrypt and mount the container quickly and easily. The best way to do this is with keyboard shortcuts. That way, a quick keyboard combination is all it takes to read from and write to your journal. To enable hotkeys, follow these steps:
- Starting from the VeraCrypt main window, go to Settings, then Preferences, and then:
  - Under "VeraCrypt Background Task" check the option that says "Enabled" and uncheck "Exit when there are no mounted volumes". This ensures VeraCrypt is ready to mount your volume at any time.
  - Under "Actions to perform upon logon to Windows", check "Start VeraCrypt Background Task". (I assume this is the same on operating systems other than Windows.)
- Follow these instructions to create a "Favorite Volume" for your journal's container.
- Go to Settings, then Hot Keys..., and create a keyboard shortcut for the "Mount Favorite Volumes" action.
Once your container is mounted, it's very easy to forget to dismount it. Therefore, you should tell VeraCrypt to automatically dismount it for you - just in case. Starting from the VeraCrypt main window, go to Settings, then Preferences. Under "Auto-Dismount", enable all six options:
- Dismount all when... User logs off.
- Dismount all when... User session is locked.
- Dismount all when... Screen saver is launched.
- Dismount all when... Entering power saving mode.
- Auto-dismount volume after no data has been read/written to it for XX minutes. (How long depends on how paranoid you're feeling. Anywhere from 15 to 60 minutes seems reasonable.)
- Force auto-dismount even if volume contains open files or directories.
* "Everything" is Windows-specific, but I'm sure there are similar tools for Mac and Linux.