Eno

Encrypted Notes, Oui.

Linux CLI tool for encrypted notes authenticated by your SSH key — no cloud, no daemon, no extra passwords.

Install

Recommended — no Go needed:

$ curl -sSL https://gitlab.com/whiteboardguy/eno/raw/master/install.sh | sh

With Go 1.26+:

$ go install gitlab.com/whiteboardguy/eno/cmd/eno@latest

Pre-built binaries for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64. See releases.

Quick Start

# one-time setup
$ eno init

# create your first encrypted note and open editor
$ eno new hello -e

# edit it later (auto-detects passphrase or SSH key)
$ eno edit hello

Notes saved to ~/.EnoNotes/. Config in ~/.config/eno/eno.conf.

Usage

eno init

Creates config and data directory. Run once.

$ eno init

eno new

Creates encrypted note. If name has a path separator, saves at that path. Otherwise saves in ~/.EnoNotes/<name>.eno. Multi-word names joined with spaces.

# create with passphrase
$ eno new my-note

# create and open editor right after
$ eno new my-note -e

# use SSH key instead of passphrase
$ eno new secret --ssh

# save to custom path
$ eno new my-note -o ~/backup/note.eno

eno edit

Decrypts note, opens $EDITOR, re-encrypts on save. Searches current directory first, then ~/.EnoNotes/. Auto-detects auth mode from the file.

$ eno edit my-note

eno encrypt

Encrypts any file. Appends .eno to output by default.

# encrypt with passphrase
$ eno encrypt document.pdf

# encrypt for SSH key recipients
$ eno encrypt document.pdf --ssh

# custom output path
$ eno encrypt document.pdf -o secrets.eno

eno decrypt

Decrypts any .eno file. Strips .eno suffix by default. Auto-detects auth mode.

$ eno decrypt document.pdf.eno
$ eno decrypt secrets.eno -o out.pdf

eno ssh init

Interactive SSH key setup. Finds ~/.ssh/id_ed25519, verifies keypair, stores paths in config. Supports passphrase-protected keys. Ed25519 only.

$ eno ssh init

Flags

Flag Commands Description
-e, --edit new Open editor after creating note
-o, --output new, encrypt, decrypt Custom output file path
--ssh new, encrypt Use SSH key authentication

Configure

Config file: ~/.config/eno/eno.conf (or $XDG_CONFIG_HOME/eno/eno.conf). Simple KEY=VALUE format, # for comments.

Key Default Description
EDITOR_STRING $EDITOR %s Editor command. %s replaced with temp file path.
DATA_DIR ~/.EnoNotes Where notes are saved by default.
SSH_INIT false Whether SSH key auth has been set up.
DEFAULT_SSH_PRIV Path to SSH private key.
DEFAULT_SSH_PUB Path to SSH public key.

How It Works

Each note is a .eno file: metadata headers followed by encrypted content. The metadata records which auth mode was used, so eno prompts for a passphrase or uses your SSH key automatically.

Passphrase mode

You pick a password. Eno derives an encryption key from it using Argon2id — a slow, memory-hard KDF that resists brute-force attacks. The same password always decrypts. Use it for personal notes, or share the password with someone you trust.

SSH key mode

Already have an Ed25519 SSH key? No new passwords needed. Eno generates a random per-note key, wraps it with your SSH public key, and stores the wrapped copy in the file. Decryption unwraps the note key using your SSH private key.

Multi-recipient encryption

Encrypt once, share with many people. Supply each recipient's SSH public key at encrypt time. Eno wraps the same note key once per recipient. Everyone decrypts with their own key. No shared secrets, no re-encrypting.

⚠️ Threat Model ⚠️

Understanding the Threat model is crucial for all software, especially the ones that claim 'Privacy' and 'Security'. The most private and Secure way to communicate, albeit the claims made and measure taken by secure software, is off the internet, probably in real life.

Eno protects data at rest. If your disk, backup drive, or cloud storage is compromised, encrypted .eno files remain unreadable without the key. This also includes transferring and sharing encrypted files over the internet. It may not protect a running machine interacting with the file.

What it protects against

  • Unauthorized reading of stored .eno files
  • Tampering with ciphertext (AEAD detects modifications)
  • Accidental exposure via disk recovery or decommissioned drives

What it does not protect against

  • Compromised host (keyloggers, malware, memory scraping)
  • Plaintext captured while note is open in an editor
  • Malicious EDITOR_STRING — the config value is shell-executed (unless --threat flag is used [TBD]).
  • Swap or hibernation files capturing keys from memory (mitigated with mlock and /dev/shm, but not guaranteed on all/very old systems)
  • Traffic analysis on file metadata (header length, recipient count, file size)

Assumptions

  • The machine is trusted at encryption and decryption time
  • The passphrase has sufficient entropy (short or common passwords are brute-forceable). Future releases will warn the user of low entropy passwords.
  • The SSH private key is stored securely and protected by a strong passphrase, or a trusted ssh-agent is used.
  • The OS honors mlock and /dev/shm semantics

Technical Details

Security

Keys are locked with mlock to prevent swapping, then zeroed when no longer needed.

Temp files go to /dev/shm (RAM) when available — wiped before removal so nothing touches disk.

ChaCha20-Poly1305 (AEAD) provides secrecy and tamper detection. Modified ciphertext fails decryption.

Check your editor config. EDITOR_STRING is shell-executed — a malicious value could run arbitrary commands. Review yours before using eno edit. A built-in TUI editor is planned.

File format

<header-length>:<gob-encoded headers><ChaCha20-Poly1305 ciphertext>

Header length prefix (decimal), colon, gob-encoded metadata (salt, nonce, auth mode, recipients), then ciphertext.

Encryption parameters

Mode Key Derivation Cipher
Passphrase Argon2id (1 pass, 2MB mem, 2 threads) ChaCha20-Poly1305
SSH X25519 ECDH (Ed25519 → X25519) ChaCha20-Poly1305

Roadmap

  • CLI support
  • SSH key authentication
  • Multi-recipient encryption
  • Rekey / passphrase change
  • Single-file notebooks
  • Auth with a key file
  • Git sync
  • TUI
  • Windows support

Links