I was thinking of using Obsidian for journalling but I can't really do that as it stores data in plaintext. Moreover, cloud storage providers like Dropbox have openly admitted that they read our files. I would prefer no one reads them except me.

So I had to do something here. Otherwise, using Obsidian would have been out of the question.

Here is the solution I came to after trying many different setups (Cryptomator, Boxcryptor, cryfs, you name it).

Step 1

First of all, we need to install gocryptfs. We will be using it for encryption.

brew install --cask osxfuse
brew install gocryptfs

On Linux, you get pre-built binaries from their GitHub releases so it is even more straightforward. Just download and place them in PATH.

Step 2

Create an empty directory in a folder that is synced to the cloud. I use Dropbox. So I created a folder in my Dropbox called obsd.

mkdir obsd

Then initialize it with gocryptfs so it is used as an encrypted folder.

gocryptfs -init obsd

You will be asked for a password that will be used to encrypt your files. Choose it carefully.

You will also get a master key at this stage. Save it somewhere safe outside the synced folder in case you forget your password.

Step 3

Now we create a directory outside Dropbox (or your cloud sync folder) so that it can store decrypted files. I call it mounts.

mkdir ~/mounts

We will now create the script that will help us use our encrypted folder "obsd" with Obsidian.

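#!/bin/bash
# stop if the cloud sync folder is missing
cd /Users/aviaryan/Dropbox || exit 1
# make sure the mount point exists
mkdir -p ../mounts/obsd
# mount the encrypted directory; stop if mounting fails (e.g. wrong password)
gocryptfs obsd ../mounts/obsd || exit 1
# start Obsidian and wait for it to close
open -W -a "Obsidian"
# for linux, the above command won't work, you will have to find an alternative
# unmount
diskutil unmount ../mounts/obsd
# for linux, do `fusermount -u ../mounts/obsd`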

Save this script as obsdstart or whatever you want to call it. Save it in a PATH directory so you can run it from anywhere.

Step 4

We are done. Next time when you want to use Obsidian, just go to your terminal and run obsdstart. Then enter the password and voila.

[Screenshot: obsdstart command running]

The folder "obsd" will be decrypted and Obsidian will be opened. At this point, you can go to ~/mounts/obsd and place your existing Obsidian Vault contents there if you have any. Otherwise, create a new Obsidian Vault in that path.

Now, when you quit Obsidian, mounts/obsd will disappear and all new changes will have been saved to Dropbox/obsd.

Make this a habit and you will see the power of this setup. This workflow adds an extra 3-4 seconds to my Obsidian usage (opening terminal, running obsdstart, and entering password). In return, it provides me with good encryption. I can't complain.

Here is a screenshot of what my encrypted obsd folder looks like.

[Screenshot: encrypted obsidian folder]

Cloud Sync

Since the encrypted folder is in the Dropbox folder, it will be synced to the cloud automatically. And since the mounts folder is outside the Dropbox folder, Dropbox will never get access to my unencrypted data, not even for a nanosecond.
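
The guarantee above depends on the folder layout being right every time the script runs. The pre-flight check below is an added example, not part of the original setup; the function names resolve_dir and preflight and the return codes are assumptions made for illustration. It refuses to proceed when the mount point sits inside the synced tree or already holds files.

```bash
#!/bin/bash
# Added example: pre-flight checks to run before mounting.
# Function names and return codes are hypothetical, not from the original script.

# Print the physical (symlink-resolved) path of an existing directory.
resolve_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# preflight CIPHER_DIR MOUNT_DIR SYNC_ROOT
# Returns 0 if the layout is safe; otherwise prints a reason and returns non-zero.
preflight() {
  local cipher mount sync
  cipher=$(resolve_dir "$1") || { echo "encrypted dir missing: $1"; return 2; }
  mount=$(resolve_dir "$2")  || { echo "mount point missing: $2"; return 3; }
  sync=$(resolve_dir "$3")   || { echo "sync root missing: $3"; return 4; }

  # gocryptfs -init writes gocryptfs.conf into the encrypted directory.
  [ -f "$cipher/gocryptfs.conf" ] || { echo "not initialized: $cipher"; return 5; }

  # The encrypted directory has to be inside the synced tree...
  case "$cipher/" in
    "$sync"/*) ;;
    *) echo "encrypted dir is not under the sync root"; return 6 ;;
  esac
  # ...and the plaintext mount point must not be, or the sync client uploads plaintext.
  case "$mount/" in
    "$sync"/*) echo "mount point is inside the sync root"; return 7 ;;
  esac

  # A non-empty mount point is either already mounted or holds stray plaintext files.
  if [ -n "$(ls -A "$mount")" ]; then
    echo "mount point not empty: $mount"; return 8
  fi
  return 0
}
```

In the launcher it would be called right before the gocryptfs line, for example `preflight obsd ../mounts/obsd . || exit 1`.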

Future Proofing

If you want to be sure that you don't lose your encrypted data, you can also save the standalone Linux binary of gocryptfs separately. This ensures that you will always have access to gocryptfs, even if the developer abandons the project and deletes it from the Internet.