TiddlyWiki Node.js and encryption

I fiddled a little to see how it works.

When importing (the tiddlywiki subcommand is load, which term is preferred in this context?) tiddlers from an encrypted single file wiki, I am expected to provide the password in command line, in plain text, like this: $ tiddlywiki mywiki --password 123 --load my_encrypted_wiki.html. I am not happy that the password is echoed to screen in plain text as I type it. I am not happy that the plain text password is eventually recorded in a shell history file. $ tiddlywiki --help password doesn’t tell me that it could read the password from an environment variable for example. And tiddlywiki won’t let me “cheat” by not providing a password at all, like this: $ tiddlywiki mywiki --password --load my_encrypted_wiki.html hoping that I’ll get a no echo password prompt. What can be done here to boost my opsec happiness?

Once I import an encrypted single file wiki, make some changes and export it again as single file - it is saved in plain text, unless I explicitly set a password again right before saving. I won’t go as far as claiming this is wrong, but did I not correctly interpret the output of tiddlywiki --help password, which claims that “this sets a password for subsequent crypto operations”? If I load an encrypted wiki into the Node.js version and I’m telling it the password anyway, shouldn’t it use it when saving again later? I’m ok with manually entering a password again before saving, but I’d expect this to be needed only if I wanted to change it and save with another password.
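The two concerns in the post above (the password echoed while typing, and the password landing in the shell history) can be handled by a small wrapper around the command. The POSIX sh script below is an added example and is not part of TiddlyWiki; the environment variable TW_PASSWORD and the TIDDLYWIKI_BIN override are names chosen for this example, not options that tiddlywiki itself understands. The wrapper reads the password from the environment, from a no-echo terminal prompt, or from stdin, and only then builds the --load invocation.

```shell
# Added example (not TiddlyWiki's own code): keep the wiki password out of the
# typed command line and the shell history when using --password with --load.
# Assumed names: TW_PASSWORD (env var) and TIDDLYWIKI_BIN (binary override) are
# inventions of this example, not options tiddlywiki itself knows about.

tw_password() {
    # 1. Environment variable, if the caller already exported one.
    if [ -n "${TW_PASSWORD:-}" ]; then
        printf '%s' "$TW_PASSWORD"
        return 0
    fi
    # 2. Interactive terminal: prompt with echo disabled, so nothing is shown
    #    on screen and nothing is written to the shell history.
    if [ -t 0 ]; then
        printf 'Wiki password: ' >&2
        stty -echo
        read -r tw_pw
        stty echo
        printf '\n' >&2
    else
        # 3. Non-interactive: read one line from stdin (e.g. piped from a
        #    secret store), so the password never appears in a typed command.
        read -r tw_pw
    fi
    printf '%s' "$tw_pw"
}

# tw_load WIKI_DIR ENCRYPTED_HTML: decrypt ENCRYPTED_HTML and load its tiddlers
# into the Node.js wiki folder WIKI_DIR, obtaining the password via tw_password.
tw_load() {
    tw_dir=$1
    tw_file=$2
    tw_pw=$(tw_password) || return 1
    "${TIDDLYWIKI_BIN:-tiddlywiki}" "$tw_dir" --password "$tw_pw" --load "$tw_file"
}
```

Usage: `tw_load mywiki my_encrypted_wiki.html` prompts once without echo; `printf '%s\n' "$pw" | tw_load mywiki my_encrypted_wiki.html` takes the password from a pipe. The caveat a practitioner should keep in mind: the password is still passed to tiddlywiki as a command line argument, so for the lifetime of the process it is visible in the process list to other users of the same host. The wrapper removes the echo and history exposure described in the post, not that one.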

Encryption does not work with TW node.js. It only works with single file wikis. If you need encrypted files, you can use OS level encryption, which is transparent to use.

The --password command is used to use simple-auth when tw is started as a server.

I can’t respond properly now, but @pmario is not correct to say that TW under Node.js does not support encryption. The OP is about using the --load command under Node.js to decrypt and load tiddlers from an encrypted single file TW. I think everything @vuk reports in the OP is accurate, and I will comment in more detail when I can.

Encryption does not work with TW node.js.

At the risk of being unnecessarily picky about wording (or too obtuse about things that are presumably not rocket science, I’m not a native English speaker) - as I started to read your answer, just the statement quoted above is quite hard to comprehend out of context for a first time reader. Fortunately, there is more below:

It only works with single file wikis.

Yes, I know this. My original post is feedback about me learning how the Node.js version (which stores tiddlers in separate files, that are not encrypted) plays with a single file encrypted wiki. From this perspective, the first quote above gets split into multiple parts and doesn’t look so confusing anymore (as in “encryption is a completely missing feature”). As I wrote above:

  1. It is possible to have a Node.js wiki, set a password and export it as single file encrypted wiki.

  2. The opposite import action (of a single file encrypted wiki, into a not encrypted Node.js wiki) is possible as well.

  3. If doing 2., then 1., the wiki password is not cached and has to be explicitly set again before doing 1., otherwise the single file wiki is saved unencrypted as well.

At least this is what my trial and error learning experiments show.

If you need encrypted files, you can use OS level encryption, which is transparent to use.

Or try to use TW5-CSEncryption, which is my long term goal after I get used to the basics of the vanilla Node.js version.

The --password command is used to use simple-auth when tw is started as a server.

This needs some elaboration as well. If I understand it correctly, simple-auth is password protection of the web page served by tiddlywiki in server mode. Above I used --password as additional parameter for the --load command, to specify the decryption password for the encrypted single file wiki as the help suggests. This is not related to simple-auth at all, correct?

And the last, but not the least detail that I find confusing: $ tiddlywiki --help password mentions ServerCommand. As in tiddlywiki --help server? Because that command is labeled legacy (in favor of listen?).

My question above why should I pass a password in plaintext as recorded command line argument, still remains open.

You are absolutely correct and I just posted one more detailed wall of text :slight_smile: Hopefully this will help make things clear.