feat: allow to set password-protected notes

[dynamotn]

This PR resolve #637.

Demo

https://notes.dynamotn.dev/01_Fleeting-Notes/20240505093315 with password 123451

How it works

• Key Derivation: Utilizes PBKDF2 for generating secure encryption keys.
• Unique Salt for Each Encryption: A unique salt is generated every time the encrypt method is used, enhancing security.
• Encryption/Decryption: Implements AES-GCM for robust data encryption and decryption.
• Encoding/Decoding: Use base64 to convert non-textual encrypted data in HTML

[saberzero1]

While I think this solution is great in what it does, I wouldn't recommend relying on it to keep anything safe. This is mostly for two reasons:

1. Requires a plain-text password value in the frontmatter. This is poses risks for man-in-the-middle attacks if pushing to GitHub over HTTPS.
2. Cross Fork Object Reference attacks. Most users use a fork, private or not, to host Quartz.

Having said all that, I do think that your solution has value, as password-encrypted static site can only get about as secure as your solution without external tooling/authentication. I feel like the documentation should reflect that, and I feel like we shouldn't be recommending users to deploy encrypted secret company documentation or medical records in the documentation.

[aarnphm]

I just want to quickly chime in. For Quartz itself, I don't see any sort of SOC-2 compliant or adjacent security folks would use for hosting private and internal documentation (though we live in a society).

This is still a good POC imo.

[dynamotn]

@saberzero1 @aarnphm I updated documentation and put some recommendations from you

[aarnphm]

tbh this can also just be kept as reference for ppl who wants to add this to there vault.

Personally I don't really find a wide usage for this.

[jackyzha0]

im happy to include it, we have quite a few reqs for this feature

been swamped the last few days but can do a quick review later

[aarnphm]

To keep minimal change, I suggest we do locale in separate PR as follow up.

We can add support for Vietnamese and English should be good to start with

[dynamotn]

How about this PR @jackyzha0? Do you want to change anything?

[leikoilja]

came here through the search.
@dynamotn, thanks for adding this feature - i'd find it super useful.
This is not to keep smth very sensitive, but just another layer of protection for a note that i dont want to be publicly available, tho would like to be able to access from my own automation. So big kuddos to you @dynamotn for building it elegantly 🔥

@jackyzha0, let's get it in please 🙌

[sanjeed5]

Came here via searching for this feature. Thanks @dynamotn

My use case is: sharing some notes with friends, but I don't want it to be accessible to everyone. I understand that if someone really wants to, they can get through, but that's okay. Won't put anything that sensitive here.

Looking forward to this!