Added encryption functionality and documentation for the app

RcodePlay · RcodePlay · commit 798df5afddce · 2026-01-06T15:08:49.000+01:00
diff --git a/NoteD/Program.cs b/NoteD/Program.cs
@@ -1,5 +1,6 @@
 ﻿using Terminal.Gui;
 using System.Collections.ObjectModel;
+using System.Security.Cryptography;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using NoteD;
@@ -39,6 +40,38 @@
 ThemeManager.Initialize();
 ThemeManager.ApplyTheme(SettingsManager.Settings.Theme);
 
+string? masterPassword = null; 
+
+var loginPromptDialog = new Dialog { Title = "NoteD Login", Modal = true };
+var loginLabel = new Label("Enter your master password. If you forget this password, THERE IS NO WAY TO RESET IT!!") { X = 1, Y = 1 };
+var loginInput = new TextField("") { X = 1, Y = 2, Width = Dim.Fill() - 2, Secret = true };
+var okBtn = new Button("Login") { IsDefault = true };
+var exitBtn = new Button("Exit");
+
+loginPromptDialog.Add(loginLabel, loginInput);
+loginPromptDialog.AddButton(okBtn);
+loginPromptDialog.AddButton(exitBtn);
+
+okBtn.Clicked += () => {
+    if (string.IsNullOrWhiteSpace(loginInput.Text.ToString())) {
+        MessageBox.ErrorQuery("Error", "Password cannot be empty", "OK");
+        return;
+    }
+    masterPassword = loginInput.Text.ToString();
+    Application.RequestStop();
+};
+
+exitBtn.Clicked += () => {
+    Application.RequestStop();
+    Environment.Exit(0);
+};
+
+Application.Run(loginPromptDialog);
+
+if (string.IsNullOrWhiteSpace(masterPassword)) Environment.Exit(0);
+
+var security = new SecurityModule();
+
 var listView = new ListView
 {
     X = 0,
@@ -59,8 +92,8 @@
     CanFocus = true
 };
 
-var cursor = "Line: 1, Col: 1";
-var stats = "Chars: 0, Words: 0";
+const string cursor = "Line: 1, Col: 1";
+const string stats = "Chars: 0, Words: 0";
 
 var statusBar = new StatusBar([
     new StatusItem(Key.Null, cursor, null),
@@ -73,6 +106,29 @@
 var notesFolder = handler.LoadOrChooseNotesFolder();
 context.NotesFolder = notesFolder;
 
+handler.RefreshNoteList();
+
+foreach (var note in context.NoteFiles)
+{
+    try
+    {
+        security.UnprotectFile(Path.Combine(notesFolder, note), masterPassword);
+    }
+    catch (InvalidDataException)
+    {
+        Console.WriteLine($"File {note} is not encrypted. Skipping decryption.");
+    }
+    catch (CryptographicException)
+    {
+        MessageBox.ErrorQuery("Access Denied", "Incorrect Password.", "OK");
+        Environment.Exit(0);
+    }
+    catch (Exception ex)
+    {
+        Console.WriteLine($"Error decrypting file {note}: {ex.Message}");
+    }
+}
+
 textView.KeyPress += (key) =>
 {
     if (key.KeyEvent.Key >= Key.Space || 
@@ -133,7 +189,14 @@
 
 win.Add(listView, textView);
 
-Application.Top.Add(menu, win, statusBar);
+var top = new Toplevel {
+    X = 0,
+    Y = 0,
+    Width = Dim.Fill(),
+    Height = Dim.Fill()
+};
+
+top.Add(menu, win, statusBar);
 
 if (SettingsManager.Settings.AutoSaveEnabled)
 {
@@ -177,7 +240,17 @@
     handler.UpdateStatusBar();
 };
 
-Application.Run();
+Application.Run(top);
+
+foreach (var note in noteFiles)
+{
+    var path = Path.Combine(notesFolder, note);
+    if (File.Exists(path))
+    {
+        security.ProtectFile(path, masterPassword);
+    }
+}
+
 autoSaveTimer?.Dispose();
 Application.Shutdown();
 
diff --git a/NoteD/Security.cs b/NoteD/Security.cs
@@ -0,0 +1,99 @@
+using Konscious.Security.Cryptography;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace NoteD;
+
+public class SecurityModule
+{
+    private static readonly byte[] MagicBytes = { 0x4E, 0x6F, 0x74, 0x65, 0x44 };
+    
+    private const int DegreeOfParallelism = 4;
+    private const int Iterations = 4;
+    private const int MemorySize = 1024 * 128; 
+
+    // Metadata Lengths (Total Header: 81 bytes)
+    private const int SaltSize = 16;
+    private const int NonceSize = 12;
+    private const int TagSize = 16;
+    private const int HashSize = 32;
+    private const int HeaderSize = 5 + SaltSize + NonceSize + TagSize + HashSize;
+
+    private (byte[] encryptionKey, byte[] verificationHash) DeriveKeys(string password, byte[] salt)
+    {
+        using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password));
+        argon2.Salt = salt;
+        argon2.DegreeOfParallelism = DegreeOfParallelism;
+        argon2.Iterations = Iterations;
+        argon2.MemorySize = MemorySize;
+        
+        var combined = argon2.GetBytes(64);
+        return (combined[..32], combined[32..]);
+    }
+
+    /// <summary>
+    /// Reads an encrypted file, decrypts it, and overwrites it with Plaintext.
+    /// </summary>
+    public void UnprotectFile(string filePath, string password)
+    {
+        var fileData = File.ReadAllBytes(filePath);
+        
+        if (fileData.Length < HeaderSize || !fileData[..5].SequenceEqual(MagicBytes))
+        {
+            throw new InvalidDataException("This is not a valid NoteD encrypted file.");
+        }
+        
+        var salt = fileData[5..21];
+        var nonce = fileData[21..33];
+        var tag = fileData[33..49];
+        var expectedHash = fileData[49..81];
+        var ciphertext = fileData[81..];
+        
+        var (key, vHash) = DeriveKeys(password, salt);
+        
+        if (!FixedTimeEquals(vHash, expectedHash))
+            throw new CryptographicException("Invalid Password.");
+        
+        using var aes = new AesGcm(key, 16);
+        var plaintextBytes = new byte[ciphertext.Length];
+        aes.Decrypt(nonce, ciphertext, tag, plaintextBytes);
+
+        File.WriteAllBytes(filePath, plaintextBytes);
+    }
+
+    /// <summary>
+    /// Reads a plaintext file, encrypts it, and overwrites it with Binary Header and Ciphertext.
+    /// </summary>
+    public void ProtectFile(string filePath, string password)
+    {
+        var content = File.ReadAllText(filePath);
+        var salt = CreateRandomSalt();
+        var (key, vHash) = DeriveKeys(password, salt);
+        
+        using var aes = new AesGcm(key, 16);
+        var nonce = new byte[NonceSize];
+        RandomNumberGenerator.Fill(nonce);
+        var tag = new byte[TagSize];
+        var plaintextBytes = Encoding.UTF8.GetBytes(content);
+        var ciphertext = new byte[plaintextBytes.Length];
+        aes.Encrypt(nonce, plaintextBytes, ciphertext, tag);
+        
+        using var ms = new MemoryStream();
+        using var writer = new BinaryWriter(ms);
+        writer.Write(MagicBytes);
+        writer.Write(salt);         // 16
+        writer.Write(nonce);        // 12
+        writer.Write(tag);          // 16
+        writer.Write(vHash);        // 32
+        writer.Write(ciphertext);   // Rest
+
+        File.WriteAllBytes(filePath, ms.ToArray());
+    }
+
+    private byte[] CreateRandomSalt() => RandomNumberGenerator.GetBytes(SaltSize);
+    
+    private static bool FixedTimeEquals(byte[] left, byte[] right)
+    {
+        return CryptographicOperations.FixedTimeEquals(left, right);
+    }
+}
diff --git a/README.md b/README.md
@@ -1,3 +1,24 @@
 # NoteD
 
-A simple TUI markdown note taker made in C#.
+A simple TUI markdown note taker made in C#.
+
+## Features
+- Auto-save
+- Settings in settings.json
+- Fuzzy search
+- Note management inside folders
+- Command Palette (VSCode-style)
+- Color themes (+ support for custom themes)
+- #Tag support inside notes for faster searches
+- Smart status bar (character & word count, cursor position)
+- Recent notes list
+- External editor hook
+
+## Setup
+1. Build from source or download compiled binary from the latest release.
+
+2. To use the external editor hook, make sure the external editor's binary is in the environment PATH.
+
+3. When setting up a password, make sure to store it properly, if you forget it, it can't be reset, so you'll lose access to all your files. **I do not take responsibility for any important file loss!**
+
+4. On startup of NoteD, you have to give it time to decrypt all of the files. To increase encryption and decryption speed, you need to change the `DegreeOfParallelism` variable inside of Security.cs to a higher number to use more CPU threads. Also when you leave NoteD, it starts encrypting all the files, you have to wait until it finishes, otherwise your files will NOT be protected.
diff --git a/TODO.md b/TODO.md
@@ -1,8 +1,10 @@
 - Features to add:
-    - Encryption for notes
     - Syncing to git, Nextcloud (WebDAV)
     - Advanced formatting options (tables, code blocks, etc)
     - Task management (to-do lists, reminders)
+    - Recovery key for lost password (maybe at v2)
+    - Memory zeroing after exit (maybe at v2)
+    - Storing decrypted notes & password hash in RAM (maybe at v2)
     - Note sharing (public/private links) (maybe at v2)
     - Plugin system for third-party extensions (maybe at v2)
 
@@ -21,3 +23,4 @@
     - Smart status bar (Line/Column number, size in words and characters, file saved timestamp, read-only status)
     - Recent notes list
     - External editor hook
+    - Encryption for notes (Master password)
