Storage encryption

studiosus
May it be possible in the future to add the possibility of encrypting all the data with my own password (storage) - notes etc, before it is sent to any servers (wether zotero.org or my own)?

Thank you for a great product!
  • dstillman
    edited June 3, 2012
    Data synced to zotero.org cannot be encrypted before sending it, as the server needs to understand the data in order to provide the sync backend.

    We don't have any plans to provide encryption of files for storage sync—and Firefox may not even expose the functionality necessary to do so natively—but you could use a service such as JungleDisk that automatically encrypts data before sending it to the server.
  • studiosus
    Thank you for this answer.

    But what about storing and syncing also metadata (in the meaning - all the data) only with my own server? Will it be someday possible, because as I understand and see, at the moment only the attached files are synced with my server, everything else goes throgh zotero.org.

    Best!
  • abhirkmv
    I don't get why the server needs to understand THE CONTENTS of the files/notes in order to provide the sync backend. Why can't the server just treat the contents as black boxes? Does the server store the content-search-index also?
  • adamsmith
    Dan's answer about having to understand data for sync is about _data_, not about files. As he says, Zotero doesn't currently plan to encrypt files on the server, either, but if you use a file syncing method that does encrypt files (via jungle disk, e.g.), that would work just fine.

    By default, Zotero will also store the index of the files on the data server, and if you want full text search across computers you'll need that enabled, but you can disable it in the sync preferences.

    Dan has mentioned the possibility of point-to-point encryption in the past, but as I understand it that's unlikely to happen absent either a third party patch or a grant.
  • abhirkmv
    Thanks. Does the sync mechanism use SSL for all communication? I remember reading somewhere that the attachments are not sent over an SSL connection by default.
    I can't find any option to enable SSL connection for attachments.
  • adamsmith
    all sync activity is ssl encrypted and, I'm pretty sure, always has been. You'll note people at Zotero are ssl obsessive to the point that even the forums and documentation are https.
  • adamsmith
    Trying to think of where you would have read about non-encrypted file syncing, the only thing I can think of is sync via WebDAV, which Zotero will, I believe, allow even if the WebDAV is http://, though obviously it will also take https:// and that's what you should be using.
  • abhirkmv
    Sorry for my bad memory. You are absolutely right. I dug up my browsing history and found that place. It was Sean's post at https://forums.zotero.org/discussion/6210/synch-with-server-and-privacy-security/ .

    I think it is correct to allow http:// for WebDav for users who might have their reasons of doing so.
    Thanks again.
Sign In or Register to comment.