Raven - Blog
January 3, 2023

Joplin: improve security of the Nextcloud link


I begin this article by wishing you all a wonderful 2023: health, happiness and fulfillment 🥳!

I’m not going to introduce you to Joplin, that excellent free note-taking application in Markdown format. Instead, I will present an alternative way to connect Joplin to your Nextcloud instance that limits access to your data to the bare minimum.

Standard synchronization between Joplin and Nextcloud

In the Joplin app, whether Mobile (iOS/Android) or Desktop (Linux/Mac/Windows), you can connect Joplin to a Nextcloud account, which has the advantage of:

For this, the Joplin FAQ, as well as many tutorials, will advise you to use Nextcloud’s WebDAV file server and to configure Joplin in this way:

If you have enabled two-factor authentication on your Nextcloud instance, you will need to generate an application password and enter it in Joplin instead of your account password.

This method works, but I find it very insecure because your Joplin apps get full read/write access to all of the data in your Nextcloud account. We’ll see how to improve this.

Please note that Joplin stores passwords in clear text in its SQLite database (Linux application only). If you lose a device on which Joplin is installed, it is very easy to recover the password of your cloud account from the SQLite database. If you encrypt your notes, you will also find the master key in clear text...

[Screenshot: Joplin not encrypted]

UPDATE 2023/01/04:

🙏 Call for contributions 🙏


After discussions on the Joplin Discord, it turns out that the problem only affects the Linux application, which does not support the Linux keychain. If you can help fix this issue, please contribute here: https://github.com/laurent22/joplin/

Give limited access to Joplin on your Nextcloud account

Your Joplin notes are all grouped in one folder on your Nextcloud account. The goal is that the Joplin app cannot access anything other than that folder.

To do this, we can use Nextcloud’s sharing and WebDAV features to avoid connecting Joplin directly to our personal Nextcloud account.

A - Set up your Nextcloud instance

For this method to work, the Nextcloud public shares must be accessible via WebDAV. This is a common option and usually enabled on Nextcloud servers.

However, if you are an administrator, or would like to have the administrator enable this feature, it can be found in Administration > Sharing > Federated Cloud Sharing. Check the box:

[Screenshot: Nextcloud federated sharing]

B - Share your Joplin folder

Then create a share on your Joplin notes folder and adjust the settings to your liking. Don’t forget to add a password to the share:

[Screenshot: Nextcloud share]

Once the sharing is done, you will get a URL like:

Pay attention to this URL, because it is the last part (xF4CDBt5mRCid83) that will be used as your username in the Joplin application.

C - Connect your Joplin application

In the Joplin application (Desktop/mobile), here is the information to enter:

Pay attention to the URL of your Nextcloud which must end with /public.php/webdav.

[Screenshot: Joplin configuration]
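
The mapping from steps B and C, written out as an added example (not code from the original post or from Joplin or Nextcloud): it derives Joplin's three WebDAV fields from a share link and can probe the share root with a PROPFIND to confirm the share password is accepted. The host `cloud.example.org`, the function names and the `/s/<token>` link layout are assumptions; only the token and the `/public.php/webdav` suffix come from the article.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def joplin_settings_from_share(share_url, share_password):
    """Map a Nextcloud public-share link to Joplin's three WebDAV fields."""
    parts = urlsplit(share_url)
    if parts.scheme != "https":
        raise ValueError("use https: Basic auth sends the share password on every request")
    path = parts.path.rstrip("/")
    # Assumed link layout: <base>/s/<token> or <base>/index.php/s/<token>
    prefix, sep, token = path.rpartition("/s/")
    if not sep or not token or "/" in token:
        raise ValueError("not a Nextcloud public-share link")
    if prefix.endswith("/index.php"):
        prefix = prefix[: -len("/index.php")]
    return {
        "url": f"https://{parts.netloc}{prefix}/public.php/webdav",
        "username": token,           # last part of the share URL
        "password": share_password,  # the share's password, not the account's
    }


def check_share(settings, timeout=10):
    """PROPFIND the share root; returns the HTTP status (207 = credentials accepted)."""
    creds = f"{settings['username']}:{settings['password']}".encode()
    req = urllib.request.Request(
        settings["url"],
        method="PROPFIND",
        headers={"Depth": "0",
                 "Authorization": "Basic " + base64.b64encode(creds).decode()},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401: wrong share password or token


if __name__ == "__main__":
    # Constructed sample: cloud.example.org is a placeholder host.
    print(joplin_settings_from_share(
        "https://cloud.example.org/index.php/s/xF4CDBt5mRCid83", "share-password"))
```

Running `check_share()` against your own instance before entering the values in Joplin tells you whether public shares are reachable over WebDAV (step A) without touching your account password.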

Conclusion

I find this connection method between Joplin and Nextcloud to be a security gain, as it significantly limits access to your Nextcloud account (which is always good when possible). Moreover, this method extends the possibilities for sharing notes, since Nextcloud allows you to:

This is, for me, the best way to use Joplin coupled with Nextcloud. See you soon!
