New feature request: Password protect files

Laydilejur
Posts: 11
Joined: Sun Nov 07, 2010 12:44 pm
Platform: Windows

Sun Nov 07, 2010 1:07 pm Post

I would like to password protect my Scrivener files, as I store them in Dropbox for auto backup. As the files will be sitting out there on a server somewhere, I would like to know they are protected by a password. Is this a feature that can be added to the next version please?

GeoJunkie
Posts: 38
Joined: Sat Nov 06, 2010 11:05 am
Platform: Windows

Sun Nov 07, 2010 1:10 pm Post

An alternative until this is added (or if it isn't) is to use TrueCrypt to encrypt the files. It's what I do with private data.

kdbertel
Posts: 78
Joined: Mon Oct 25, 2010 10:20 pm
Platform: Windows

Mon Nov 08, 2010 8:47 pm Post

As has been noted, the current focus is on obtaining feature parity between ScrivWin 1.0 and ScrivMac 1.0, and then the focus will be obtaining parity with ScrivMac 2.0. After that point is when the developer is going to focus much more on additional features.

As a sidenote, though, Scrivener stores projects as a collection of files in a directory hierarchy; most of those files are .rtf, which does not have a standard way of applying password protection. So even if the project itself had a password through Scrivener, there's nothing that is preventing someone from just opening up the project folder and pulling everything anyway.

I am curious enough to ask, though: why does storing your files in Dropbox necessitate password-protecting them? There is no logical connection between the two that I can think of.

AmberV
Posts: 23934
Joined: Sun Jun 18, 2006 4:30 am
Platform: Mac + Linux
Location: Ourense, Galiza

Mon Nov 08, 2010 11:39 pm Post

Dropbox is already quite secure on both ends of the equation. Your files are not stored as readable on their servers, they are encrypted using AES-256, and all transmission between you and Dropbox is encrypted using SSL as well. Thus, communicating with and storing data on their servers is, in many cases, even more secure than accessing your bank account online, exponentially so. The only time your files appear as ordinary files is when a fully qualified computer or device is hooked up to them (including portions you have made available to other users via sharing).

The only conceivable reason to further encrypt the encrypted data is to keep your Scrivener projects protected from prying eyes that have access to your machines. If you are working in a secure or confidential environment, this is definitely something you'll want to look into. On the Mac, I recommend people use encrypted disk images, which are a bit like creating an encrypted flash drive that requires a passphrase to open. There must surely be some analogue to this on Windows.

But on that note, if you are actually dealing in top secret material, you probably shouldn't be using Dropbox at all anyway, and should be behind a heavy-duty firewall when accessing the Internet. If you aren't---then there is probably no cause for concern, as the stuff employed here for security is above and beyond what the average person would need.

What kdbertel says is right though, just slapping a password on the project file in Scrivener would actually be a disservice to most people, as it would do nothing to protect your data since you can just go into the project folder and open the RTF files in WordPad to break it. Each file would have to be encrypted, reducing the recovery aspects of the format, and as said, if you use Dropbox they already are encrypted---it's just not very obvious that they are because DB is so friendly about it.
.:.
Ioa Petra'ka
“Whole sight, or all the rest is desolation.” —John Fowles
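
The point made in the two posts above (a password on the project would not stop anyone from opening the RTF files in the project folder), as an added example that is not part of the thread and not Scrivener's code: a Python audit that walks a folder headed for cloud sync and labels each file as readable or opaque. The folder layout, file names and the `password-required` flag are constructed for illustration and are not Scrivener's real format; high entropy is only a heuristic, since compressed files also score as opaque.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RTF_MAGIC = b"{\\rtf"   # every RTF document starts with these bytes
ENTROPY_OPAQUE = 7.5     # bits/byte; ciphertext and compressed data sit near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: Path, sample_size: int = 65536) -> str:
    """Label a file by its leading bytes: readable RTF, other readable, or opaque."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(RTF_MAGIC):
        return "readable-rtf"
    if shannon_entropy(head) >= ENTROPY_OPAQUE:
        return "opaque"
    return "readable-other"

def audit_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its verdict."""
    return {
        p.relative_to(root).as_posix(): classify(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def build_sample(root: Path) -> None:
    """Constructed sample project: hypothetical layout, not Scrivener's real one."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "chapter1.rtf").write_bytes(
        b"{\\rtf1\\ansi It was a dark and stormy night.}")
    # Hypothetical app-level password gate: a flag only the editor would honour.
    (root / "settings.xml").write_text("<project password-required='true'/>")
    # Stand-in for an encrypted container: random bytes.
    (root / "vault.bin").write_bytes(os.urandom(8192))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for name, verdict in audit_tree(Path(tmp)).items():
            print(f"{verdict:15} {name}")
```

The RTF document is reported as readable even though the sample project is flagged as password-required; only the file whose bytes are actually encrypted is opaque to someone browsing the folder.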

Laydilejur
Posts: 11
Joined: Sun Nov 07, 2010 12:44 pm
Platform: Windows

Tue Nov 09, 2010 9:16 am Post

Thanks for the info. I usually password protect any docs I store in my Dropbox folder, which I class as 'sensitive' due to them being stored in an offsite location - more for peace of mind than anything else. Having looked into the structure of the Scrivener files more closely, I can see how password protecting the project file is pointless. Thanks for the information :D

Mighty Ponygirl
Posts: 2
Joined: Mon Nov 15, 2010 5:39 pm
Platform: Windows

Mon Nov 15, 2010 5:47 pm Post

I'd like to see this feature too... for people using a shared computer, having a password protecting your writing (journals, poetry, etc), can be a real comfort. As someone who had a family member (who should have known better) tamper with her writing in order to make fun of her when she was a teenager, I reflexively protect my writing just to feel that I can write what I like, even though I'm well out of the environment that required it.

I am very eager to start using Scrivener but I admit my first order of business was to look for the "password protect" feature and was disappointed that it wasn't there.

AmberV
Posts: 23934
Joined: Sun Jun 18, 2006 4:30 am
Platform: Mac + Linux
Location: Ourense, Galiza

Mon Nov 15, 2010 5:51 pm Post

Please read the thread above. You will see that adding a password would do absolutely nothing at all except make you "feel safe". It would be disingenuous at best, and a critical security hazard at worst. It would be the airport security of passwords.
.:.
Ioa Petra'ka
“Whole sight, or all the rest is desolation.” —John Fowles

Mighty Ponygirl
Posts: 2
Joined: Mon Nov 15, 2010 5:39 pm
Platform: Windows

Mon Nov 15, 2010 5:57 pm Post

I realize that, I had read the thread and I understand that the rtf files currently used cannot be password protected.

I understand that adding the feature would necessitate a pretty substantial overhaul of how Scrivener works.

The purpose of my post was a) to add my voice to the people who would like it as a feature (even if it can't be done at the moment, I would think you'd still like to know), and b) to explain why someone might want password-protected files even if they aren't working on top-secret information.

garpu
Posts: 2026
Joined: Mon Oct 25, 2010 9:38 pm
Platform: Linux

Mon Nov 15, 2010 6:09 pm Post

What you want could more easily (and more securely) be addressed by something like PGP, not by a feature in Scrivener.
Slackware-current 64-bit, XFCE

AmberV
Posts: 23934
Joined: Sun Jun 18, 2006 4:30 am
Platform: Mac + Linux
Location: Ourense, Galiza

Mon Nov 15, 2010 6:14 pm Post

Well, the main thing holding it back, besides a complete rewrite of an architecture that works really well for what it needs to do, is that this is already something you can fairly easily accomplish for anything at all, not just on a per-program thing where everyone has to re-invent the security wheel. Using something that can create encrypted vaults on your drive is a good way to work, or at the very least, use Windows' built-in system for file and folder level encryption. Without your authenticated login, that stuff is pure scrambled eggs. I'm not a Windows expert, maybe there are flaws with that (though are they flaws at the "prying family member" level of security, rather than national security?), if anyone knows better let me know as I don't want to be giving out bad advice.
.:.
Ioa Petra'ka
“Whole sight, or all the rest is desolation.” —John Fowles

olorinpc
Posts: 85
Joined: Tue Apr 27, 2010 4:35 am
Platform: Windows
Location: Jamestown, ND USA

Sat Nov 20, 2010 11:23 pm Post

The easiest solution for those who really insist they need to password secure their files is to use something like TrueCrypt.

Create a partition and mount it. Store your projects in there. You could make it small enough to store on Dropbox. Then it's about as secure as you could possibly get.
Jakob Barnard
EpicPlains.com

Writer, Editor, Blogger

GeoJunkie
Posts: 38
Joined: Sat Nov 06, 2010 11:05 am
Platform: Windows

Tue Nov 23, 2010 11:17 am Post

Another alternative, since you're talking about the backup that you save to your Dropbox, is to password protect the zip file. I don't know that zip file encryption is all that great, but it's the one place in this architecture where you can have a level of file security centered around one file.

Just a thought. Coupled with the dollar in my pocket it should get you a cheap cup of coffee.