Security manual configuration manual security zettelstore zmk 00001000000000 00001012921200 00001000000000 00001004010000 00001012921200 1 (c) 2020-present by Detlef Stern 20210126175322 00001004010000 00001010040100 00001010040200 00001010040400 00001010040700 00001010070200 00001010070300 00001010070400 00001010070600 00001010090100 00001012000000 en EUPL-1.2-or-later 20221018123622 20221018123622 public Your zettel could contain sensitive content. You probably want to ensure that only authorized person can read and/or modify them. Zettelstore ensures this in various ways. Local first The Zettelstore is designed to run on your local computer. If you do not configure it in other ways, no person from another computer can connect to your Zettelstore. You must explicitly configure it to allow access from other computers. In the case that you own multiple computers, you do not have to access the Zettelstore remotely. You could install Zettelstore on each computer and set-up some software to synchronize your zettel. Since zettel are stored as ordinary files, this task could be done in various ways. Read-only You can start the Zettelstore in an read-only mode. Nobody, not even you as the owner of the Zettelstore, can change something via its interfaces However, as an owner, you have access to the files that store the zettel. If you modify the files, these changes will be reflected via its interfaces.. You enable read-only mode through the key readonly in the startup configuration zettel or with the -r option of the zettelstore run sub-command. Authentication The Zettelstore can be configured that a user must authenticate itself to gain access to the content. How to enable authentication How to add a new user How users are authenticated (some technical background) Authenticated sessions Authorization Once you have enabled authentication, it is possible to allow others to access your Zettelstore. Maybe, others should be able to read some or all of your zettel. Or you want to allow them to create new zettel, or to change them. It is up to you. If someone is authenticated as the owner of the Zettelstore (hopefully you), no restrictions apply. But as an owner, you can create user zettel to allow others to access your Zettelstore in various ways. Even if you do not want to share your Zettelstore with other persons, creating user zettel can be useful if you plan to access your Zettelstore via the API. Additionally, you can specify that a zettel is publicly visible. In this case no one has to authenticate itself to see the content of the zettel. Or you can specify that a zettel is visible only to the owner. In this case, no authenticated user will be able to read and change that protected zettel. Visibility rules for zettel User roles define basic rights of an user Authorization and read-only mode Access rules define the policy which user is allowed to do what operation. Encryption When Zettelstore is accessed remotely, the messages that are sent between Zettelstore and the client must be encrypted. Otherwise, an eavesdropper could fetch sensible data, such as passwords or precious content that is not for the public. The Zettelstore itself does not encrypt messages. But you can put a server in front of it, which is able to handle encryption. Most generic web server software do allow this. To enforce encryption, authenticated sessions are marked as secure by default. If you still want to access the Zettelstore remotely without encryption, you must change the startup configuration. Otherwise, authentication will not work. Use a server for encryption