Eno
Encrypted Notes, Oui.
Linux CLI tool for encrypted notes authenticated by your SSH key — no cloud, no daemon, no extra passwords.
Install
Recommended — no Go needed:
$ curl -sSL https://gitlab.com/whiteboardguy/eno/raw/master/install.sh | sh
With Go 1.26+:
$ go install gitlab.com/whiteboardguy/eno/cmd/eno@latest
Pre-built binaries for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64. See releases.
Quick Start
# one-time setup
$ eno init
# create your first encrypted note and open editor
$ eno new hello -e
# edit it later (auto-detects passphrase or SSH key)
$ eno edit hello
Notes saved to ~/.EnoNotes/. Config in ~/.config/eno/eno.conf.
Usage
eno init
Creates config and data directory. Run once.
$ eno init
eno new
Creates encrypted note. If name has a path separator, saves at that path. Otherwise saves in ~/.EnoNotes/<name>.eno. Multi-word names joined with spaces.
# create with passphrase
$ eno new my-note
# create and open editor right after
$ eno new my-note -e
# use SSH key instead of passphrase
$ eno new secret --ssh
# save to custom path
$ eno new my-note -o ~/backup/note.eno
eno edit
Decrypts note, opens $EDITOR, re-encrypts on save. Searches current directory first, then ~/.EnoNotes/. Auto-detects auth mode from the file.
$ eno edit my-note
eno encrypt
Encrypts any file. Appends .eno to output by default.
# encrypt with passphrase
$ eno encrypt document.pdf
# encrypt for SSH key recipients
$ eno encrypt document.pdf --ssh
# custom output path
$ eno encrypt document.pdf -o secrets.eno
eno decrypt
Decrypts any .eno file. Strips .eno suffix by default. Auto-detects auth mode.
$ eno decrypt document.pdf.eno
$ eno decrypt secrets.eno -o out.pdf
eno ssh init
Interactive SSH key setup. Finds ~/.ssh/id_ed25519, verifies keypair, stores paths in config. Supports passphrase-protected keys. Ed25519 only.
$ eno ssh init
Flags
| Flag | Commands | Description |
|---|---|---|
-e, --edit |
new |
Open editor after creating note |
-o, --output |
new, encrypt, decrypt |
Custom output file path |
--ssh |
new, encrypt |
Use SSH key authentication |
Configure
Config file: ~/.config/eno/eno.conf (or $XDG_CONFIG_HOME/eno/eno.conf). Simple KEY=VALUE format, # for comments.
| Key | Default | Description |
|---|---|---|
EDITOR_STRING |
$EDITOR %s |
Editor command. %s replaced with temp file path. |
DATA_DIR |
~/.EnoNotes |
Where notes are saved by default. |
SSH_INIT |
false |
Whether SSH key auth has been set up. |
DEFAULT_SSH_PRIV |
— | Path to SSH private key. |
DEFAULT_SSH_PUB |
— | Path to SSH public key. |
How It Works
Each note is a .eno file: metadata headers followed by encrypted content. The metadata records which auth mode was used, so eno prompts for a passphrase or uses your SSH key automatically.
Passphrase mode
You pick a password. Eno derives an encryption key from it using Argon2id — a slow, memory-hard KDF that resists brute-force attacks. The same password always decrypts. Use it for personal notes, or share the password with someone you trust.
SSH key mode
Already have an Ed25519 SSH key? No new passwords needed. Eno generates a random per-note key, wraps it with your SSH public key, and stores the wrapped copy in the file. Decryption unwraps the note key using your SSH private key.
Multi-recipient encryption
Encrypt once, share with many people. Supply each recipient's SSH public key at encrypt time. Eno wraps the same note key once per recipient. Everyone decrypts with their own key. No shared secrets, no re-encrypting.
⚠️ Threat Model ⚠️
Understanding the Threat model is crucial for all software, especially the ones that claim 'Privacy' and 'Security'. The most private and Secure way to communicate, albeit the claims made and measure taken by secure software, is off the internet, probably in real life.
Eno protects data at rest.
If your disk, backup drive, or cloud storage is compromised, encrypted .eno files remain unreadable without the key.
This also includes transferring and sharing encrypted files over the internet.
It may not protect a running machine interacting with the file.
What it protects against
- Unauthorized reading of stored
.enofiles - Tampering with ciphertext (AEAD detects modifications)
- Accidental exposure via disk recovery or decommissioned drives
What it does not protect against
- Compromised host (keyloggers, malware, memory scraping)
- Plaintext captured while note is open in an editor
- Malicious
EDITOR_STRING— the config value is shell-executed (unless--threatflag is used [TBD]). - Swap or hibernation files capturing keys from memory (mitigated with
mlockand/dev/shm, but not guaranteed on all/very old systems) - Traffic analysis on file metadata (header length, recipient count, file size)
Assumptions
- The machine is trusted at encryption and decryption time
- The passphrase has sufficient entropy (short or common passwords are brute-forceable). Future releases will warn the user of low entropy passwords.
- The SSH private key is stored securely and protected by a strong passphrase, or a trusted ssh-agent is used.
- The OS honors
mlockand/dev/shmsemantics
Technical Details
Security
Keys are locked with mlock to prevent swapping, then zeroed when no longer needed.
Temp files go to /dev/shm (RAM) when available — wiped before removal so nothing touches disk.
ChaCha20-Poly1305 (AEAD) provides secrecy and tamper detection. Modified ciphertext fails decryption.
Check your editor config. EDITOR_STRING is shell-executed — a malicious value could run arbitrary commands. Review yours before using eno edit. A built-in TUI editor is planned.
File format
<header-length>:<gob-encoded headers><ChaCha20-Poly1305 ciphertext>
Header length prefix (decimal), colon, gob-encoded metadata (salt, nonce, auth mode, recipients), then ciphertext.
Encryption parameters
| Mode | Key Derivation | Cipher |
|---|---|---|
| Passphrase | Argon2id (1 pass, 2MB mem, 2 threads) | ChaCha20-Poly1305 |
| SSH | X25519 ECDH (Ed25519 → X25519) | ChaCha20-Poly1305 |
Roadmap
- CLI support
- SSH key authentication
- Multi-recipient encryption
- Rekey / passphrase change
- Single-file notebooks
- Auth with a key file
- Git sync
- TUI
- Windows support