Securing Obsidian - The Basics
Whether it be plugins, community themes, or haphazardly pasted HTML, Obsidian is vulnerable to third-party content[1] by default.
The developers are not at fault. They did an amazing job, but security was never the first priority. After all, extensibility is a core element of the program.
To mitigate this issue, we have a variety of options. The following proposes some simple solutions to the primary threats.
Threat Modeling
First, we must determine what we're fighting to protect. For most, I expect this is a combination of these two ideas: personal privacy and data loss prevention.
To me, losing access to my journal would be devastating. Before privacy, I want my data protected[2].
So, who are our threat actors? Why would we be targeted?
Privacy is most likely to be targeted. Some third-party content will invariably contain greyware[3] or spyware[4]. Luckily, these types of content are normally spotted by the community. It's just a matter of whether you'll use it in spite of knowing.
Unless you know yourself to be a valuable target, ransomware is likely your worst-case scenario. Such an attacker may encrypt your data forever or even post it online. After payment, the attacker has no good reason to return the favor.
However, please use your judgement to create your own threat model. Ask yourself what you're trying to protect and why someone else wants it.
Is third-party content worth the risk?
For most of us, absolutely. I'm not a celebrity, journalist, or whistle-blower. Remember, you're already using third-party software. If you're so concerned, downloading Obsidian was a risk to begin with.
However, of course, we want to mitigate the risk. Obviously don't install third-party content from obscure sources. As far as Obsidian goes, if it's not available on the Community Tabs, I don't suggest installing it. The Obsidian team does do some code review before adding a plugin.
Furthermore, many plugins use another party's content. A fourth party or what have you. Take, for example, the Kindle Highlights plugin: it will leak your data to Amazon[5]. This is nothing against the plugin. After all, for it to work, you had to access your Amazon account. Even if accidental, it becomes more of an issue when this fourth party has more control.
Use your own judgement. Third-party content is always a question of trust!
Audits Are Hard
I would love to see proper security audits for plugins, but it's either too expensive or restrictive. My best suggestion would be to establish a standard for plugins to follow. This, combined with some automated tooling and a small bit of review, could lead to a marginal improvement in security.
Honestly, I don't think that would work well. If anything, we should pool our efforts to scrutinize the top plugins. If one of the authors happens to be "hacked", the results could be devastating when we all collectively update into malware.
As for actual mitigation, I highly suggest code signing. This would increase the effort required to submit a malicious update, and I don't see this as a requirement for the Community Plugins Tab.
Copy/Paste and Dangerous Settings
A few plugins like DataView and Templater have explicitly insecure settings. Please be very careful when inputting data into your vault with these plugins enabled! Fully understand what the content you're copying does before you put it into your vault.
Additionally, certain HTML can be dangerous as well. HTML is—generally—not escaped within Obsidian. And although I won't call iFrames insecure, they are a weak point. Remember, an iFrame is the same as running third-party code because it is running third-party code. It's just a matter of how it's running.
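One way to check pasted content before it goes into a vault, as an added example that is not part of the original post: a small scanner that flags HTML and plugin constructs that would run when the note is rendered. The `dataviewjs` fence and Templater `<%` markers are assumptions about those plugins' syntax, and the sample note is constructed.

```python
import re

# Constructs that run or load third-party code when a note is rendered.
# The plugin markers (dataviewjs fences, Templater "<%" tags) are
# assumptions about those plugins' syntax, not taken from the post.
RISKY = [
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]+\son\w+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("dataviewjs block", re.compile(r"^\s*(?:`{3,}|~{3,})\s*dataviewjs\b", re.I)),
    ("Templater command", re.compile(r"<%")),
]


def scan_note(text):
    """Return (line_number, label) for every risky construct in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RISKY:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


FENCE = "`" * 3  # built at runtime so this listing stays a single code block
# Constructed sample of pasted content (not from a real note).
SAMPLE = "\n".join([
    "# Reading list",
    '<iframe src="https://example.com/widget"></iframe>',
    "Plain paragraph with <b>bold</b> text.",
    FENCE + "dataviewjs",
    'dv.paragraph("hello")',
    FENCE,
    '<img src="x.png" onerror="doSomething()">',
    "<% tp.date.now() %>",
])

if __name__ == "__main__":
    for lineno, label in scan_note(SAMPLE):
        print(f"line {lineno}: {label}")
```

A hit means "read this before pasting", not "this is malicious", and a clean result from a pattern scan is not a guarantee that the content is inert.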
Backups
What does a backup do? What's the point? To avoid a "single" point of failure. Or, rather, a "shared" point of failure.
Here are some points of failure and their solutions:
- I accidentally deleted my file, so make a copy in another folder.
- My hard drive failed, so make a copy on another.
- My house burnt down with my computer and my hard drive! Make an offsite backup.
- Ransomware encrypted all my data and removed my Google Drive access! Make an offline offsite backup.
"Why can't I just have an offsite offline backup?"
If you did, you'd create a few points of issue. Mainly, with only one backup, you're vulnerable when you update that backup. Never (physically or digitally) have all your backups in one place. Also, it's just annoying to update an offsite offline backup.
Whether it be an accident, ransomware, hard drive failure, or a government seizure, remember to minimize these shared points of failure.
In general, for Obsidian users, I'd suggest storing your files in four locations: your device, your sync provider (Obsidian Sync, Google Drive, etc.), an onsite external drive, and an offsite external drive. For frequency, I'd suggest weekly for the onsite and monthly for your offsite. Additionally, you may want to consider a location for a yearly backup.
Test your backups!
If you don't test your backups, you may as well not be doing anything! Every so often, you should pretend to lose all your data and utilize your backups. Make sure everything works as you expect it would! Yes, you should test all of your backups.
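A restore test can be made concrete by hashing every file in the live vault and in the restored copy and comparing the two. This is an added example, not part of the original post; the directory names and the damaged "restore" in `demo()` are constructed, and it assumes the vault's settings live in a hidden `.obsidian` folder that should be backed up too.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):  # includes hidden folders
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def compare_restore(vault, restored):
    """Report files the restore lost, gained, or altered versus the vault."""
    live, copy = manifest(vault), manifest(restored)
    return {
        "missing": sorted(set(live) - set(copy)),
        "extra": sorted(set(copy) - set(live)),
        "changed": sorted(p for p in set(live) & set(copy) if live[p] != copy[p]),
    }


def demo():
    """Build a constructed vault and a deliberately damaged restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        vault, restored = Path(tmp, "vault"), Path(tmp, "restored")
        for root in (vault, restored):
            (root / ".obsidian").mkdir(parents=True)
            (root / "journal.md").write_text("2024-01-01 entry\n")
            (root / ".obsidian" / "app.json").write_text("{}\n")
        (vault / "ideas.md").write_text("never made it into the backup\n")
        (restored / "journal.md").write_text("truncat")  # simulated corruption
        return compare_restore(vault, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it right after taking a backup and restoring it to a scratch folder, when the two trees should be identical. Against an older backup, a handful of changed files is normal, while nearly every file changing at once deserves a closer look.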
Encryption
For those who would like to keep their data out of others' hands, I highly suggest using something like VeraCrypt. It will allow you to create an encrypted volume, or, my preference, an encrypted folder volume. Additionally, because you only have "one" file, this method makes backing up an easy operation.
Moving Forward
Everyone should consider the above. It's of most relevance, and saves more time than it takes. I can't say the same for the more advanced stuff. If you're still interested, check out my post next Sunday. I'll be showing you how to set up a sandbox and firewall for your vaults. Surprisingly, Android makes it the easiest.
[1] By "third-party content" I'm referring to anything that would execute even if it wouldn't necessarily be considered "code". For the most part, I'm referring to HTML, CSS, and JavaScript.
[2] If you're compliant with things like HIPAA, confidentiality is of first priority, so I highly advise against using unvetted third-party content. If you still choose to use Obsidian, your vaults should remain offline!
[3] Greyware is software that contains both virtuous and malicious elements.
[4] Software that spies on you.
[5] This information is likely limited to simple metadata: date of access, IP address, and user agent (Obsidian). It should be of little concern to most.