I just saw this question on an internal mailing list so I thought I would pass it on to the blogging community. The question was:
What underlying security technology is used to protect OneNote content with passwords?
Well the answer is:
OneNote uses 3DES encryption, with 192 bit key length. We do encrypt all the content that you enter into the page, so once protected there is no way for someone to read it without knowing (or guessing) the password.
What that means is the longer the password and the more complex the better. It takes some time but people can still brute force an attack on your files by guessing your password. Note that you cannot unlock password protected sections via the OneNote 2007 API. You just can't get to it unless the user opens OneNote and unlocks the password (even then they can still lock out API apps from getting encrypted content).
Is triple DES used in the 2003 version of OneNote as well?
Any thoughts to go to AES? Or is it possible to "plug-in" other encryption schemes?
For the current versions you cannot 'plug-in' other encryption schemes though that is a pretty cool idea. However I can see lots of errors if we aren't careful.
AES is something we are interested in using but that will be a future consideration, maybe you will see it in O14. Thanks for the feedback!
Is 3DES still used in OneNote 2007/2010?
Excellent write-up!!! I second another commenter's question, though... does Onenote 2010/13 still use 3DES encryption with 192-bit key length?
I would also like to know if 2013 uses 3DES or some other scheme
Same here, any updates on what OneNote 2013 uses?
AES is the default for Office 2013, maybe earlier -- technet.microsoft.com/.../cc179125(v=office.15)
Any special considerations file file attachments - is that data encrypted if a section has a password? Also is the encryption applied to any secondary location of onenote data, like the cache and backups.