Which is most secure? Apple Notes, Obsidian, Craft?

I’ve been using Obsidian for my writing and research and I’ve been experimenting between Apple Notes and Craft for work related notes. I could also use Obsidian for work notes as well.

One variable I have not given sufficient attention to is the security of my work notes. Most of them are benign but I do have sensitive notes on parents, students, and staff. I have FileVault “on” on my MBP. I also use iCloud for storing and syncing nearly all of my files, notes included. I also back up to Backblaze and encrypted external drives using Time Machine.

Everything else being equal, which app is the most secure: Apple Notes, Obsidian or Craft? And, if you don’t mind, what is the basic reason for your recommendation?

I’m not across Craft, but Notes and Obsidian only store in iCloud, so I guess they’re as secure as iCloud is?

I’m sure more knowledgeable people than me can give better guidance!

@ChrisEdwards I’m certain that others are more knowledgeable than ME so all input is helpful! Thanks! :grinning:

1 Like

Obsidian can store your data where you choose - including in a work-provided location (such as a shared drive); for that reason I’d definitely go Obsidian.

4 Likes

Is this also true on iOS? I thought you were forced to use the iCloud Obsidian folder?

Yes, my Obsidian folders are all in iCloud and sync across my devices via iCloud.

I suspect that’s good advice. My frustration with trying to use Obsidian for work notes is that it is complicated to insert graphs, charts, tables, etc. whereas in Craft and AN it is so simple.

As specifically as you can, answer: What/who are you concerned about? It’s reasonably impossible to answer a question about security without understanding the specific threat scenarios that you consider likely enough to expend resources to mitigate and the consequences/costs of the realization of those threats.

1 Like

Fair question. Today I was typing sensitive notes about a personnel matter into Craft following several phone calls. After finishing, it suddenly dawned on me that I recall David Sparks doesn’t use Craft in part because it lacks end-to-end encryption. I also don’t fully understand if the Craft data is on their servers or iCloud: Your Data is Yours - Our thoughts on Data Ownership and Accessibility.

Based on this, I’m concerned about very sensitive information somehow getting into the wrong hands, even accidentally.

1 Like

What is your school’s policy regarding sensitive data? I’d let that winnow down your options first.

Keep it secure but we don’t mandate where staff keep personal work related notes.

I see. I would say, then, that any of the three are fine. I don’t see any reason to trust Craft less than, for example, a LMS vendor which would also store student data for the school.

Secured notes in Apple Notes are the most secure sync mechanism of the three since a) secured notes are e2e encrypted, and b) iCloud has two-factor authentication and (I think) Obsidian Sync does not. When Obsidian Sync adds 2FA, then I’d rate them the same. The locally stored Obsidian files and Apple Notes are as secure as you’re able to protect access to your physical device and login.

But again, that’s only my opinion on which is most secure–I really think all three are safe enough here. By choosing the option that’s most productive for you, it sounds like you’re doing your students and parents a service by doing better and more organized writing on their behalf, so security shouldn’t necessarily be the biggest factor.

2 Likes

This. Encrypted sync solutions, etc. Obsidian is great cause everything is plaintext files so you can manage it yourself.

But I agree with the other opinions expressed in this thread, especially this:

1 Like

No. On iOS you can do any of the following for a given vault:

  1. Use iCloud Drive sync
  2. Use Obsidian Sync, a paid end-to-end encrypted sync service
  3. Keep your files local to your iOS device
  4. “Sync” your files using git, via Working Copy

@Bmosbacker I would say all three services are plenty secure for your needs, for what it’s worth. As others have suggested I would just be careful of your institution’s privacy policies.

1 Like

Thanks for the kind replies. I feel a bit better now about continuing to use Craft for work related notes. While I like Obsidian for many things it is not great if one needs to embed charts, pictures, and tables. It is certainly possible and I have done so but it is not nearly as easy as doing the same thing in Craft or Apple Notes.

Thanks again, everyone on this forum is always extremely helpful.

2 Likes

You can create a new Space in Craft that syncs with iCloud. I go this route as I wasn’t keen on having AWS store my data.

I’d check with your legal department / counsel if your workflow is compliant with privacy / security / whatever law you must abide by :smiley:

I believe that in these cases, should one ever have to face a FERPA day of reckoning, any claim to have been following best practices has to default to have been following what your school guidelines permit. Or perhaps better said, you cannot (blissfully) do what your school guidelines prohibit you from doing. By example, when your school guidelines say such things as “… prohibited from storing school records on personal devices …”, you have an answer in what might be considered to be a rather strongly stated frame.

For this reason, I have recently taken extra measures to move all my school related “cloud” work to the sanctified Google. For example, the process to download assignments from Canvas, upload to iCloud, and grade on my iPad is now replaced by download from Canvas, ZIP, upload to Google (via DropZone), and then extract to grade on my iPad.

If you are staying local, then who cares. Outside (of course) that “local” means, all your school-related work is done when you are logged into a school-related login, not a personal-related login. Essentially, you can do personal-related stuff from your school-restricted login, but you cannot do any (FERPA restricted) school-related work from your personal-related login.

As to the suggestion from @memex

I suspect that you can end up opening a can of worms with this approach. Either they will be rather glad to tell you a rather narrow standard, meaning for example that you will have to give up all access to doing any school related work on anything but school-purchased computers with school-sanctioned software. Or they will be rather nebulous, meaning that they will leave you to hang yourself by your own rope should the day of reckoning come your way.


JJW

3 Likes

I know that lawyers usually complicate things (or seem to do so), but since @Bmosbacker looks to be in a quite “apical” position in his institution and kids’ personal data can be quite sensitive material I’d check anyway. It’s always a matter of balancing risks and benefits: “should I use a more constrained system, which is less convenient to me, or risk damages if something happens (and how likely it is to happen)?”.

Maybe he’ll find that storing sensitive data in an unencrypted cloud is ok under the relevant legislation, or that the data he stores in those Craft documents are not sensitive at all.

@cornchip, what do you mean by “secured notes”?