256-bit AES, a high-security data encryption standard, is supported to protect a single page or groups of pages.
WoaS has two different interfaces for encryption passwords: one for encryption (called Locking) and one for decryption (called Unlocking).
The page encryption interface also shows a colored meter for estimated password quality. The encryption password is not stored in your saved files (true AES encryption is used).
If you forget the password there is no way to retrieve it or your data.
To encrypt a page, click the lock icon in the navigation bar. The page locking interface has two password boxes (the second for verification); the background color of the first box hints at the estimated password strength.
Once you've chosen and typed in your password, click the Lock button to encrypt the page.
When encrypting additional pages during a session, you'll be offered to use the same password you used to encrypt the first page. Accept by pressing the OK button or decline by pressing the Cancel button. If you decline, the password interface will open, allowing you to set a new password for the page. There is no limit to how many passwords you can use.
Click the Set password icon in the navigation bar to set the decryption password used for the next page.
The password for decrypting a page (or pages) is cached so that you only need to enter it once per session. If you close or reload the wiki, you will need to reenter the password to work with the encrypted page(s). To disable the password cache, check the box for Do not temporarily cache the AES key in the wiki Options. If you've used more than one password for encrypting your pages, you'll need to enter the password to unlock each encrypted page.
Security is never absolute. Data encrypted with these pages might be compromised in a variety of ways, including but not limited to the following:
- WoaS uses random numbers generated by the browser itself, and they are not secure (user-generated entropy will be used in future versions)
- User-generated passwords are weak by nature (PBKDF2 will be used in the future)
- You have not disabled the AES key cache, so after you enter the password for the first time, other users (if not you) will be able to see encrypted pages and could possibly get your key
- Some other applet running on another page in your browser, perhaps without you being aware of its existence, is spying on other windows
- Some other "spyware" application running on your computer may have compromised your system's security and be snooping on your activity
- The implementation of the encryption may contain a bug which makes its results insecure. Wiki on a Stick is open-source, so you can judge for yourself whether the tool merits your confidence.
- Your computer's security may have been compromised physically; when's the last time you checked that a bug that transmits your keystrokes and/or screen contents to that white van parked down the street wasn't lurking inside your computer cabinet?
Apart from the above, your normal usage of encrypted pages can be considered secure.
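The first two risks in the list (insecure random numbers and weak user passwords) are what a CSPRNG and PBKDF2 address. The following is an added example, not WoaS code, written for Node.js's built-in crypto module; the iteration count, SHA-256, salt and IV sizes, AES-GCM mode and the names `lockPage`/`unlockPage` are assumptions, not taken from WoaS.

```javascript
// Added example, not WoaS code. Uses Node.js's built-in crypto module.
const nodeCrypto = require('node:crypto');

// Assumed parameters; the page only names PBKDF2 and 256-bit AES.
const PARAMS = { iterations: 600000, digest: 'sha256', saltLen: 16, ivLen: 12 };

// Stretch the password into a 256-bit key. The salt is public and stored with the page.
function deriveKey(password, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, PARAMS.digest);
}

// "Lock": a fresh CSPRNG salt and IV per page, so reusing one password
// across pages never reuses a key/IV pair.
function lockPage(password, text, iterations = PARAMS.iterations) {
  const salt = nodeCrypto.randomBytes(PARAMS.saltLen);
  const iv = nodeCrypto.randomBytes(PARAMS.ivLen);
  const key = deriveKey(password, salt, iterations);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  // Only salt, IV, iteration count, tag and ciphertext are saved; never the password or key.
  return {
    iterations,
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    data: data.toString('hex'),
  };
}

// "Unlock": returns the page text, or null if the password is wrong
// or the stored record was modified.
function unlockPage(password, rec) {
  const key = deriveKey(password, Buffer.from(rec.salt, 'hex'), rec.iterations);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(rec.tag, 'hex'));
  try {
    const plain = Buffer.concat([decipher.update(Buffer.from(rec.data, 'hex')), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null; // GCM authentication tag check failed
  }
}
```

In a browser the same steps map to `crypto.getRandomValues` and `crypto.subtle` (PBKDF2 and AES-GCM), which are asynchronous.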