🆕 Software Suggestion | Bolster #2093

Closed
opened 2020-10-15 12:59:42 +00:00 by ronanyeah · 5 comments
ronanyeah commented 2020-10-15 12:59:42 +00:00 (Migrated from github.com)

Basic Information

Name: Bolster
Category: Productivity app
URL: https://bolster.pro/

Description

Bolster is an end-to-end encrypted journal that prioritises efficient daily use. It is designed to be used on every device, and features a tag-based habit tracking system.

Why I am making the suggestion

I see a lot of people asking about encrypted journals in PTIO so I think it would be a good fit for the subreddit.

My connection with the software

I am the owner, builder and promoter of the product.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
ronanyeah commented 2020-10-17 00:33:26 +00:00 (Migrated from github.com)

Encryption processes

  • Uses the WebCrypto API (https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto).
  • PBKDF2 for password stretching (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveBits).
  • AES-CBC for encrypt (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt)/decrypt (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/decrypt).
  • Specific code can be viewed here (https://github.com/tarbh-engineering/journal/blob/master/src/crypto.js).
lynn-stephenson commented 2020-10-17 02:04:47 +00:00 (Migrated from github.com)

@ronanyeah Considering there is no self-hosting option, and that the client is really only a website, there is no guarantee for average users the application can't be backdoored easily. In addition to that, you're using older, less secure cryptographic primitives, and do not authenticate the ciphertexts.

I don't really see a reason for this to be added to the site unless you build Electron/mobile applications, and at least authenticate ciphertexts.

ronanyeah commented 2020-10-17 11:54:10 +00:00 (Migrated from github.com)

@lynn-stephenson Fair point about self hosting + apps, and that is currently in development.

As for primitives, would you recommend AES-GCM as an acceptable approach?

lynn-stephenson commented 2020-10-17 15:54:39 +00:00 (Migrated from github.com)

@ronanyeah AES in GCM mode, or (X)ChaCha20-Poly1305. (I highly recommend you use Libsodium.)

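Added example, not part of the thread and not Bolster's code: the gap between unauthenticated AES-CBC and AES-GCM discussed above, shown with the WebCrypto calls the issue lists (PBKDF2 key derivation, then encrypt/decrypt). One bit of the stored message is flipped before decryption. The password, journal entry, iteration count and function names are constructed for this illustration.

```javascript
// Added example. Browsers expose globalThis.crypto; older Node (CommonJS) needs the fallback.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // assumed PBKDF2 work factor for this example

// Stretch a password into a 256-bit AES key for the given mode ("AES-CBC" or "AES-GCM").
async function deriveKey(password, salt, mode) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
    material, { name: mode, length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt one entry, flip a single bit of what would be stored, then try to decrypt.
async function decryptAfterTamper(mode, password, entry) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  // Fresh random value per message: 16-byte IV for CBC, 12-byte nonce for GCM.
  const iv = wc.getRandomValues(new Uint8Array(mode === "AES-GCM" ? 12 : 16));
  const key = await deriveKey(password, salt, mode);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: mode, iv }, key, new TextEncoder().encode(entry)));
  // CBC XORs the IV into the first plaintext block, so the flip goes in the stored IV.
  // For GCM the flip goes in the ciphertext, which the authentication tag covers.
  (mode === "AES-CBC" ? iv : ct)[6] ^= 0x01;
  try {
    const pt = await wc.subtle.decrypt({ name: mode, iv }, key, ct);
    return { accepted: true, text: new TextDecoder().decode(pt) };
  } catch (err) {
    return { accepted: false, error: err.name };
  }
}

async function demo() {
  const password = "correct horse battery staple"; // constructed sample
  const entry = "slept 8 hours";                   // constructed sample journal entry
  return {
    cbc: await decryptAfterTamper("AES-CBC", password, entry),
    gcm: await decryptAfterTamper("AES-GCM", password, entry),
  };
}

demo().then((r) => console.log(r));
```

The CBC result comes back as accepted with the digit in the entry changed, while the GCM result is rejected before any plaintext is returned.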
ronanyeah commented 2020-10-17 17:20:47 +00:00 (Migrated from github.com)

Thanks!

Reference: privacyguides/privacytools.io#2093