(zettel (meta (back "00001000000000 00001012921200") (backward "00001000000000 00001004010000 00001012921200") (box-number "1") (created "20210126175322") (forward "00001004010000 00001010040100 00001010040200 00001010040400 00001010040700 00001010070200 00001010070300 00001010070400 00001010070600 00001010090100 00001012000000") (modified "20241213102811") (published "20241213102811") (role "manual") (syntax "zmk") (tags "#configuration #manual #security #zettelstore") (title "Security")) (rights 4) (encoding "") (content "Your zettel may contain sensitive content.\nYou probably want to ensure that only authorized persons can read and/or modify them.\nZettelstore ensures this in various ways.\n\n=== Local first\nThe Zettelstore is designed to run on your local computer.\nIf you do not configure it otherwise, no person from another computer can connect to your Zettelstore.\nYou must explicitly configure it to allow access from other computers.\n\nIf you own multiple computers, you do not have to access the Zettelstore remotely.\nYou could install Zettelstore on each computer and set up some software to synchronize your zettel.\nSince zettel are stored as ordinary files, this task can be done in various ways.\n\n=== Read-only\nYou can start the Zettelstore in read-only mode.\nNobody, not even you as the owner of the Zettelstore, can change anything via its interfaces[^However, as the owner, you have access to the files that store the zettel. If you modify the files, these changes will be reflected via its interfaces.].\n\nYou enable read-only mode through the key ''readonly'' in the [[startup configuration zettel|00001004010000#readonly]] or with the ''-r'' option of the ``zettelstore run`` sub-command.\n\n=== Authentication\nThe Zettelstore can be configured so that users must authenticate themselves to gain access to the content.\n\n* [[How to enable authentication|00001010040100]]\n* [[How to add a new user|00001010040200]]\n* [[How users are authenticated|00001010040400]] (some technical background)\n* [[Authenticated sessions|00001010040700]]\n\n=== Authorization\nOnce you have enabled authentication, it is possible to allow others to access your Zettelstore.\nMaybe others should be able to read some or all of your zettel.\nOr you want to allow them to create new zettel, or to change existing ones.\nIt is up to you.\n\nIf someone is authenticated as the owner of the Zettelstore (hopefully you), no restrictions apply.\nBut as the owner, you can create \"\"user zettel\"\" to allow others to access your Zettelstore in various ways.\nEven if you do not want to share your Zettelstore with other persons, creating user zettel can be useful if you plan to access your Zettelstore via the [[API|00001012000000]].\n\nAdditionally, you can specify that a zettel is publicly visible.\nIn this case no one has to authenticate to see the content of the zettel.\nOr you can specify that a zettel is visible only to the owner.\nIn this case, no authenticated user other than the owner will be able to read or change that protected zettel.\n\n* [[Visibility rules for zettel|00001010070200]]\n* [[User roles|00001010070300]] define the basic rights of a user\n* [[Authorization and read-only mode|00001010070400]]\n* [[Access rules|00001010070600]] define the policy of which user is allowed to perform which operation.\n\n=== Encryption\nWhen Zettelstore is accessed remotely, the messages sent between Zettelstore and the client must be encrypted.\nOtherwise, an eavesdropper could capture sensitive data, such as passwords or valuable content that is not meant for the public.\n\nThe Zettelstore itself does not encrypt messages.\nBut you can put a server in front of it that handles the encryption (TLS).\nMost general-purpose web server software supports this.\n\nTo enforce encryption, [[authenticated sessions|00001010040700]] are marked as secure by default, so a browser will only send the session cookie over an encrypted connection.\nIf you still want to access the Zettelstore remotely without encryption, you must change the startup configuration.\nOtherwise, authentication will not work.\n\n* [[Use a server for encryption|00001010090100]]"))