I agree – the lack of pervasive end to end encryption in Bear is an increasingly serious omission.
I found this page for Noteplan on the topic: Is my data secure (encrypted)? - NotePlan Knowledge Base. I wonder if it is a compatible method for Bear. Not sure it would mean 100% E2E, but it does mean no-one would be able to see into notes or assets.
Well dang. It looks so beautiful xD
If I’m not mistaken, isn’t this basically what Bear does? I think what mine (and everyone else’s) issue is that our notes may be encrypted in transit and at rest, but Apple still maintains the keys which is, in my opinion, the problem because they can technically decrypt any note that they wanted, right? Out of any big tech company I “trust” Apple the most — but that doesn’t mean that I want them to have access to all my notes.
And I could be wrong xD but that’s at least what I’m getting by the research I’ve done.
My understanding is that when you choose the option in Noteplan, everything except the file names are E2E, so no one but you has the key.
Hmm, interesting. Well that would be a lot better than what we currently have.
Correct me if I’m wrong, a solution while waiting might be to disable iCloud Sync and manually back up your notes to iCloud Drive. That won’t work for people who use multiple devices, though!
Having E2EE available with attachments will be good enough for me - at least then I can toggle it for all the things I care about. Right now I’m forced to split out important notes with attachments to sub-par competitors. I’d very much love to keep everything in-house.
The system will prevent it… 17 days seems like a long time ago now! But let’s not get into politics here. The fact remains that some, maybe many Bear users are worried about using the app without E2EE.
Could you explain this a bit more? Does this mean encrypting single notes, one by one?
EDIT: Never mind, I looked it up; it does mean that. Unfortunately, this won’t solve the issue for me (and others, I’m guessing). I need automatic E2EE for all notes, especially now that Tim Cook, too, has bent the knee for Trump.
Matteo, nice to know the Bear Team is indeed working on better encryption.
I have joined the Bear Community just to say that I’m eagerly waiting for:
- Zero Knowledge Encryption (AADP, even if opt-in via settings)
- Bear’s Second Gen encryption supporting attachments for individual notes.
That is a HUGE deal.
And, hmm, no, I do not trust Apple to have the keys to my notes, which will contain some of my most personal information.
Thanks and I have set a reminder to this post to follow it up.
Good work.
Good to hear it’s on the radar. I’ll come back when it’s been implemented.
Encrypting individual notes is problematic, because, supposedly, encrypting all your notes causes a performance issue.
Wait, what?! The primary reason I switched to Bear was because I thought I was getting ZKE with ADP turned on, since it uses iCloud storage.
With that and the long latency to implement a reasonable Backlinks panel, I guess I’m on the hunt for another notes app to switch to now, which makes me really sad.
I wish you guys would charge more money to subsidize increasing the development cadence.
iCloud storage is not the same as CloudKit, unfortunately.
I would also be glad if all my notes would be encrypted fully, HOWEVER let’s not be hysterical here.
(1) The real chance of Apple spying on you using decrypt keys is really minimal and rather theoretical in nature (due to what it would mean for their reputation and PR).
(2) If you have REALLY deeply sensitive information like passwords to your life-long financial accounts, you should use E2EE (password-lock note in Bear) or better dedicated vault apps. But how much such info do you have? Sometimes it seems to me that people quite overestimate “sensitivity” of their notes just for the sake of similar discussions like this one. The current level of encryption of Bear transfer/server data does NOT mean that it is accessible for anybody in the technical roles of the app providers (as is the situation e.g. of highly popular Craft app). And in the end, I do not think that CIA or any sister agency will be too keen to spend its resources on researching all my article ideas, saved webs and personal brainstorming, providing that I am not planning to mount some bomb or anything, which I do not plan. So let’s stay a little bit real here.
Money isn’t always the answer: Good developers are rare nowadays!
You can disable iCloud sync and instead store your backup in iCloud Drive. That WILL have encryption if you have ADP turned on!
I’m not sure that people are too concerned about Apple looking at your private information. More concerning is the UK government’s demand to Apple to let it view iCloud data of anyone it chooses. Yup, this demand is not restricted to UK citizens, it would apply to US citizens, EU citizens etc.
This is because the UK government has created a law that applies to any company doing business in the UK, irrespective of where that company is based. If the UK demands access to data, then businesses operating in the UK must comply.
Bonkers, I know. Check out MacRumors / Sky News / BBC news for validation.
I can see but this is just quite a wild guess about applicability of this law in this context (of forcing Apple to use this type of CloudKit decryption key as opposed just to pass the data). I would not be so sure. EVEN if this would be correct, my argument is still valid - even in this case the government should have VALID (proportionately serious reason) to require your data. So not anyone, anytime, I am sure…
> even in this case the government should have VALID (proportionately serious reason) to require your data
That ship sailed long ago. The well-documented abuse of the FISA court for domestic surveillance is toothpaste we can’t put back in the tube and is just one of many examples why this thinking is ancient history.
More importantly, please stop litigating the desire to have Zero Knowledge Encryption w/ Advanced Data Protection on this forum. ZKE is a real thing, some people include it in their threat models, and they want their note taking app to support it. The Bear developers can implement it or not. It’s as simple as that.
I’m sorry, but this is very naïve. We’ve had lots of civilizations, and none of them ever failed to abuse power when given access to it. I don’t see why it should change now.
Encryption is normal; your brain has encryption. It’s a lack of encryption that is abnormal. Can you imagine if everyone could hear the intrusive thoughts in our heads?
What kind of crimes is reading someone’s notes going to stop?
There is NO valid reason anyone should have access to your data, just like there is NO valid reason someone should be able to force access to your brain. Our devices are extensions of us today!