What should journalists know about Obsidian?
Obsidian stores everything as plain markdown files on your device. No account required, no cloud dependency, no company between you and your notes. The plugin ecosystem has 2,000+ community plugins — you can build anything from a simple notebook to a full research database with Dataview queries and Canvas spatial maps. Obsidian Sync is end-to-end encrypted with AES-256 (file contents via AES-GCM, file paths via AES-SIV as of August 2025). Cure53 has audited both desktop and mobile clients twice (December 2023 and December 2024), with all findings remediated. The privacy model is the strongest of any mainstream note-taking app because by default, nothing leaves your machine. Bases (v1.9, 2025) adds structured querying of notes by properties — essentially a database layer over plain files. Canvas gives you spatial mapping for investigations. The team is 18 people generating ~$2M revenue, bootstrapped with zero VC. That matters: no investor pressure to monetize your data. Bellingcat lists Obsidian in their investigation toolkit. For journalists handling sensitive material, this is the right default.
Best suited to: research notes, source tracking, investigation journals, and personal knowledge management; connecting leads across complex stories using graph view and backlinks; long-term knowledge building where you own every file.
Less suited to: real-time collaborative editing (use Google Docs or CryptPad); teams that need shared workspaces with permissions (Notion does this better); anyone who wants zero setup, since Obsidian rewards configuration investment.
Security & Privacy
Privacy policy summary
Obsidian collects no personal data and requires no account for the core app. Notes never leave your device unless you opt into Sync or Publish. Obsidian Sync offers two modes: managed encryption (Obsidian holds the key) or a custom encryption password (zero-knowledge — Obsidian cannot decrypt). No telemetry. No tracking. The app is not open-source, but because the local-first model keeps your notes off Obsidian's servers unless you opt into Sync or Publish, a server breach cannot expose notes that were never uploaded.
How to protect yourself:
Enable full-disk encryption (FileVault, BitLocker, LUKS) to protect local vault files at rest. If using Obsidian Sync, always choose the custom encryption password option for true zero-knowledge sync — the managed key option means Obsidian could theoretically decrypt. Vet community plugins before installing: they run with full access to your vault and inherit Obsidian's OS-level permissions. There is no plugin sandboxing or permission manifest system. Restricted Mode (enabled by default) blocks all third-party code; only disable it deliberately. Back up your vault with git or rsync; local-only means no safety net if your drive fails. Review linked devices in Sync regularly.
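As an added example (not Obsidian's own tooling and not from the original page): a small Python script that performs the backup step above and, alongside each backup, inventories the community plugins enabled in a vault so they can be vetted. It assumes the vault layout noted in its comments (.obsidian/community-plugins.json and per-plugin manifest.json files) and uses a tar archive in place of git or rsync so it runs with the standard library alone.

```python
import json
import tarfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed vault layout (not stated on the page): enabled community plugin ids live in
# .obsidian/community-plugins.json; each installed plugin has .obsidian/plugins/<id>/manifest.json.
PLUGIN_LIST = Path(".obsidian") / "community-plugins.json"
PLUGIN_DIR = Path(".obsidian") / "plugins"


def list_community_plugins(vault: Path) -> list[dict]:
    """One record per enabled community plugin, for vetting; an id that is enabled
    but has no manifest on disk is flagged 'missing' so it stands out."""
    list_file = vault / PLUGIN_LIST
    if not list_file.is_file():
        return []  # no community plugins enabled: no third-party code runs in this vault
    records = []
    for plugin_id in json.loads(list_file.read_text()):
        manifest = vault / PLUGIN_DIR / plugin_id / "manifest.json"
        if not manifest.is_file():
            records.append({"id": plugin_id, "status": "missing"})
            continue
        m = json.loads(manifest.read_text())
        records.append({"id": plugin_id, "status": "installed", "name": m.get("name"),
                        "version": m.get("version"), "author": m.get("author")})
    return records


def snapshot_vault(vault: Path, backup_dir: Path) -> Path:
    """Archive the whole vault (notes plus .obsidian settings) into a timestamped tar
    file and write the plugin inventory beside it, so every backup records which
    third-party code had vault access at the time. The page suggests git or rsync;
    tarfile is used here so the example needs only the standard library."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"{vault.name}-{stamp}.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(vault, arcname=vault.name)
    inventory = backup_dir / f"{vault.name}-{stamp}-plugins.json"
    inventory.write_text(json.dumps(list_community_plugins(vault), indent=2))
    return archive


def make_demo_vault(root: Path) -> Path:
    """Constructed sample vault: one note, one installed plugin, one enabled id with no files."""
    vault = root / "demo-vault"
    (vault / PLUGIN_DIR / "example-plugin").mkdir(parents=True)
    (vault / "Lead.md").write_text("# Lead\nConstructed note, not real data.\n")
    (vault / PLUGIN_LIST).write_text(json.dumps(["example-plugin", "ghost-plugin"]))
    (vault / PLUGIN_DIR / "example-plugin" / "manifest.json").write_text(json.dumps(
        {"id": "example-plugin", "name": "Example", "version": "1.0.0", "author": "constructed"}))
    return vault
```

Run it against a real vault by passing its path to snapshot_vault; the inventory file is what you review before re-enabling plugins after a Restricted Mode period.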
Local-first architecture means no cloud dependency and no company access to your notes by default. Obsidian Sync uses AES-256 E2E encryption (AES-GCM for contents, AES-SIV for file paths). Two independent Cure53 penetration tests (2023, 2024) with all findings fixed. No telemetry, no tracking, no ads. Bootstrapped with no VC — no incentive to weaken privacy for growth metrics. The main risk is the community plugin ecosystem: no sandboxing, full vault and OS access, and the team is too small to audit every update. Use Restricted Mode unless you have vetted your plugins. ~8% market share in note-taking but dominant in the personal knowledge management niche among researchers, developers, and journalists.
Known issues
Community plugins are the primary attack surface. Plugins run with full OS-level access inherited from Obsidian — no sandboxing, no permission manifests, no capability restrictions. The Obsidian team cannot manually review every plugin update; they rely on community reporting. Supply-chain attacks through plugin dependencies are a real risk. Historical CVEs (all patched): CVE-2023-2110 allowed crafted webpages to exfiltrate local files via app://local/ paths (fixed in 1.2.8). CVE-2023-27035 allowed desktop notifications and audio recording via embedded websites in Canvas (fixed in 1.2.2). CVE-2022-36446 allowed remote code execution via obsidian:// URI handler (fixed in 0.15.5). The August 2025 Sync upgrade strengthened file-name encryption from a pattern-leaking scheme to AES-SIV. The app is closed-source, so independent code audits depend on Obsidian commissioning them (Cure53 audits in Dec 2023 and Dec 2024, both with all findings remediated and reports published).
Pricing
Free for personal and commercial use (commercial license requirement removed in 2024). Sync: $4/month billed annually ($5 monthly). Publish: $8/month billed annually ($10 monthly). Catalyst one-time supporter license starts at $25.
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.