mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-05 00:29:48 +03:00
Encrypted Pages #658
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @changchichung on GitHub (May 2, 2018).
For Feature Requests
Desired Feature: encrypt page
is that possible to add a encrypt page in bookstack ? open page needs enter password or just encrypt the content ?
@Shackelford-Arden commented on GitHub (May 2, 2018):
Out of curiosity, what is the use case you have in mind? what is the intent of encrypting in this way as opposed to simply using the built in permissions to properly hide/secure the page?
@mendiromania commented on GitHub (May 2, 2018):
displaying it to the guests that you would give the password to I guess
@lithium-ap commented on GitHub (May 10, 2018):
I have also been thinking how to pose this question or address feasibility. For my use I've been using this to document environments that occasionally have sensitive information. At the moment I do not store sensitive data.
I dont think encrypting the entire page is something i'm interested in, but more of specific content. Maybe this could be done with a special control or text box that allows the data to be obfuscated and stored in hashed in the DB
Not too sure how far outside of scope this would be either- I've considered contracting to implement and then offer for merge.
@Shackelford-Arden commented on GitHub (May 10, 2018):
Would it not be sufficient to simply is the built in permissions to simply hide the pages from those who don't need them?
@lithium-ap commented on GitHub (May 10, 2018):
No, not if you desire some of the data to be obfuscated; also the aspect of storing hashed in the database.
@ssddanbrown commented on GitHub (May 12, 2018):
This is an interesting feature. Obviously the content would not be searchable, And you'd need to provide the password to edit the content.
@aljawaid commented on GitHub (May 13, 2018):
Would be nice for admins to be able to hide/show/restrict content base don the user's account password.
For business case, this means that the manager can create a single document but password-protect certain pics/paragraphs to senior staff only so the juniors can't see.
Restricting by user name or all would be good options. Then globally set a password per book/page/chapter for 'anyone' to view the content.
@KyferEz commented on GitHub (Jun 27, 2018):
This is a VERY important feature for HIPPA and GDPR considerations.
It would also enable the possibility of storing passwords in the system which would make it a FAR more useful system for system administrators wanting to maintain documentation for their clients.
@tmikaeld commented on GitHub (Jul 4, 2018):
Which is exactly what I use it for, sysadmin docs. (With no sensitive information yet though)
I'm thinking, maybe use the same encryption as is used in Lastpass and Bitwarden (Open source)? This would certainly be secure, considering the implications of their encryption not being good enough.
@nullquery commented on GitHub (Jan 4, 2019):
Running into this as well. Lack of encrypted pages makes it difficult to comply with ISO certifications. Currently, they would end up plaintext in a MySQL data file. Not ideal.
@guenth commented on GitHub (Mar 1, 2019):
I would like to be able to encrypt at least "fields" in a page. That way the page could be searchable, but say the specific contents in a command would not. I still probably wouldn't put actual passwords in there, but sometimes it is desirable to obscure things like db structure or even user name lists.
@ghost commented on GitHub (Sep 29, 2019):
This would be easily implemented with OpenPGP (or similar) client-side encryption using user account-linked public keys and a symmetric key per page or book. You can then rely on Subresource Integrity (SRI) and potentially user-side attestation of the libraries (or rely on standardized browser crypto) to deter server-side malicious tampering with the crypto.
@kaspwip commented on GitHub (May 31, 2020):
BookStack is publicly hosted and it would be great, if necessary, to be able to encrypt and decrypt at the browser level (JavaScript)
@fklappan commented on GitHub (Sep 7, 2021):
Did you already schedule this feature request? I would love to see the feature come to life!
Maybe some additional background: I use BookStack only for myself. So I would use the feature for some kind of "journal" or "private notes".
@wxrl commented on GitHub (Oct 8, 2021):
Would love to have this feature to encrypt pages!
Independent password required every time visiting the protected pages even for the owner as well as for those who can view.
@the-infrequency commented on GitHub (Mar 11, 2022):
+1
Using this as an internal wiki, but have some information that we (temporarily) store that would be best to encrypt.
@FeIix commented on GitHub (Sep 12, 2022):
The "Security and Encryption" extension for confluence has a nice way to do this, you can hide any content behind a button and give access permission to specific users or groups.
It's integrated in the toolbar, like spoilers or code blocks.
Really useful to store / share passwords, especially the Copy button
@DrMxrcy commented on GitHub (Oct 4, 2022):
+1 For this. Would be great for Internal Wikis
@SonGokussj4 commented on GitHub (Oct 7, 2022):
Wow, this would be so cool. (and have the password categorized like in settings - "IT Admins" - set password, "Department X" - set password and so on.
@MepLab commented on GitHub (Nov 2, 2022):
+1 - Would be very usefull for me :)
@42bios commented on GitHub (Nov 23, 2022):
+1 this would be a great feature!
@larissa-pereira commented on GitHub (Feb 12, 2023):
+1 necessary for GDPR
@mieszkou commented on GitHub (Apr 30, 2023):
+1
@Szwendacz99 commented on GitHub (May 5, 2023):
Would be great, and make you feel safer when hosting instance that is open to world, and you would like to store there a bit of sensitive information too. Currently for such usecase (very sensitive notes) I rather use separate tool. I am not sure, but basic server-side encryption with password should be relatively easy to do?
@xKugeki commented on GitHub (Jul 14, 2023):
+1 this feature would be awesome :)
@Mindpsy commented on GitHub (Jul 22, 2023):
+1 this would be a great feature! Please to release it!
@JesusRedGar commented on GitHub (Oct 4, 2023):
yes, this would be very desirable to have
@otherjoel commented on GitHub (Oct 4, 2023):
My $0.02: Sensitive information and credentials should be stored, shared and protected using tools designed for that purpose, not in a documentation tool.
In particular, if you believe your envisioned use of Bookstack without this feature would put you afoul of HIPAA or ISO considerations, you either don’t understand those frameworks or you have bigger problems.
@Szwendacz99 commented on GitHub (Oct 4, 2023):
You start talking about your case and somehow end up summarising my use of Bookstack.
Also, If something is worth hiding behind a password, I think it is worth encrypting, if that is not a trouble.
@FeIix commented on GitHub (Oct 4, 2023):
In some case yes, in others no.
I think the users should be able to decide if it's too sentitive or dangerous, or more practical for their project to have everything in the same tool.
@exnerit commented on GitHub (Oct 9, 2023):
i am thinking about inserting access data as a link to e.g. 1password or keeper datasets. it might be an approach? yes you have to go back into another system. But i think that sensitive data is better stored in something like 1password or keeper. Maybe you can develop a functionality that recognizes such links and inserts them nicely formatted into the document?
@Mindpsy commented on GitHub (Apr 19, 2024):
I think this is quite a demanded and appropriate function for such a project. For example, Evernote provides such a feature to its users. Because any information can be sensitive. And encrypting the contents of a specific page or certain sections of the page using a password, which is a fully justified way to additionally protect data. Even if the main tasks of the system are different.
@jacrook commented on GitHub (Aug 27, 2024):
Hello, I'm wondering if this is still on the roadmap. I'm enjoying transferring my documentation, and this feature would enable full adoption.
Thank you
@ssddanbrown commented on GitHub (Aug 27, 2024):
@jacrook This was never on the roadmap to be honest. Not that I'd never consider this, but I don't plan a roadmap that far out. From my view, this would introduce trade-offs & complexities, while encouraging a use we're not targeting nor suited for (passwords, secrets etc...).
For one-off/within-page encryption, it might be possible to hack something in on an instance via custom JavaScript (since it can all be client side).
For general instance wide encryption at rest, it might be possible to enable this at the database level but I have little experience in this personally and it's not something I've tested with BookStack.
@ZicPL commented on GitHub (Sep 26, 2024):
@ssddanbrown In my opinion, your application is the best in its category. It was only a matter of time before such a request was made, and it is not without merit.
Background:
Your application is so well-developed and very popular that your users need to focus on security instead of new features.
Security Considerations:
You are faced with a choice of what to officially announce. Should you withdraw your application's security support for confidential information or should you take your security policy to a higher level.
Understanding the needs and Proposed Solution:
Users asked you to encrypt selected or all application content. The point of encrypting the entire content of your application has been disproved by the users themselves. Exist dedicated apps for this. The point of encrypting selected content (e.g. a specific book) has been confirmed by everyone. I have the impression that choosing the encryption method for this need scared you (new undiscovered lands). Unnecessarily. I identified the request as like as .zip file encryption, i.e. there are no keys/secrets etc. on the server. Following this line of thought, Users asked you for "Private Mode" for selected content. Don't waste time thinking about what should be encrypted because the users who asked you don't know themselves. Let's focus on the encrypted book. When deciding to encrypt a specific book, the User should confirm that they understand that:
Hidden dangerous:
For my part, I would like to note that no user has written a use case that I have witnessed. The server administrator is not the same person as the application administrator. The server administrator, having full control over the device and system, committed a crime - without details, separating and encrypting the book from everyone is the subject of this discussion. The encrypted file can only be cracked using the BruteForce method
Conclusion:
I understand that the pressure regarding data security in "Bookstack" is high, but this is evidence confirming the success of your application, in which public trust is only growing. Understanding the need (which I helped you with) will allow your application to meet expectations and rise to the top of the rankings.
I hope that my message is understandable to you and will allow me to receive a definitive answer from you whether you will implement: separating and encrypting the book. Bookstack is a great app and you've done an amazing job. I look forward to your continuing to develop it.
@ssddanbrown commented on GitHub (Sep 26, 2024):
@ZicPL
Thanks!
If you need a definitive answer, assume the answer is no.
That's not to say I'm dismissing the idea of this being implemented in some way in the future, but I can't provide any definitives on that.
I generally don't target rankings or expectations when it comes to deciding on features to support/implement, I prefer to focus on existing user & audience balanced to scope & maintenance/support burden.
@ZicPL commented on GitHub (Sep 26, 2024):
@ssddanbrown Thank You for Your clear response. I acknowledge Your priorities and respect Your decision. I began utilizing your application several days ago and I'm pleased with its. My participation in this discussion stems from concerns about the potential access of device administrators to the data stored within your application.
Let me explain:
I've entrusted Your application with my personal data, including financial, academic, and entertainment information, without hesitation. However, I couldn't store sensitive medical data within Your app due to privacy concerns (sever admins). While this data isn't typically classified as confidential in the same manner as passwords or company plans, I felt a heightened sense of security was necessary. My local computer is a testing environment (no store essential data), and I don't possess a Network Attached Storage (NAS) device. Storing encrypted medical data in the cloud could be a viable solution, but it presents logistical challenges, such as:
In the context of this discussion's protected book by password, Bookstack could streamline the process by allowing me to conveniently use my personal resources. Anyway, I hope for Your "Yes" answer in the future :)
@Vennesaa commented on GitHub (Oct 9, 2024):
@ZicPL
The ability to encrypt a book with a password not stored in the application sounds lovely. As a DevOps, I've access to server applications and would never rummage through other people's garbage - it's unethical. I didn't write this as me, a woman, or an IT worker, but as a human being. True, I can't speak for everyone, but I can confirm that a server administrator with programming skills has full visibility of what you have on the server. Privacy certainly suffers because of this. Privately, I always stored my sensitive data on my NAS, but recently I've been struggling with frequent moves and also plan to store some important files for me in the cloud. That's how I'm here and I confirm that your proposal to make Bookstack friendly for private notes is spot on.
@ZicPL commented on GitHub (Feb 28, 2025):
@ssddanbrown Hi, can You look at: Zero knowledge databases
What do You think about this idea? I'd keep the keys to private data with me (the server administrator wouldn't be able to spy on me without them) 😊
@ricardoberenguer commented on GitHub (Mar 27, 2025):
Hi,
More one vote for this! This would be a great feature!
Thanks for all the developers of this great tool
@thetechjester commented on GitHub (Jan 31, 2026):
Please add me to the YES vote column. This project is just awesome. I'm trying to move both my personal (as well as my company's) notes, wiki, documentation repo solutions, etc away from all of the "big box" type tech giants to the open source realm. Traditionally, in my experience, open source solutions are more secure and usually (although not always) are around for the long haul and won't go away at the whim of corporations based on sales growth models or shareholder pressure.
If I'm understanding the requested feature correctly, an example would be like Synology Note Station. They provide the ability to password protect (encrypt) a specific note or page. But... they are one of the many "big box" companies I am trying to move away from.
I would love to see this feature implemented. That would definitely get me to move all of my current (personal) solutions to BookStack and give me leverage to persuade my company to do so as well.
@Man-in-Black commented on GitHub (Jan 31, 2026):
Someone in the community has build a similar feature to "PIN protect" a specific page. The page ist not encrypted, but hidden and only be accessible via PIN.
https://github.com/Rockyroad1827/Bookstacks-Password-Protect-Page-Hack