I learnt recently about Emacs EasyPA and how easy working with Gpg encrypted files can be on Emacs.
For Org-roam, the documentation explains that all the user has to do is build some templates to create files with the .gpg extension.
The doc also informs us that, for complete data protection, one can encrypt the database so that no sensitive information would be stored in plain text. It however falls short of explaining how to do that exactly:
Note that the Org-roam database stores metadata information in
plain-text (headline text, for example), so if this information is
private to you then you should also ensure the database is encrypted.
Looking around, I found the following Org-roam variable org-roam-db--connection that I imagine sets the database connection parameters. Its value looks like that (note that I am on Doom Emacs, so some paths might look unusual):
#s(hash-table size 65 test equal rehash-size 1.5 rehash-threshold 0.8125 data
("/home/USER/.local/share/org/" #s(emacsql-sqlite-builtin-connection #<sqlite db=0x64432f287950 name=/home/USER/.emacs.d/.local/cache/org-roam.db> nil #<finalizer> "~/.emacs.d/.local/cache/org-roam.db")))
For what I know so far of connecting to databases from code I would see a passphrase= variable fit perfectly after the db and name fields, right before <finalizer>.
Unfortunately, my guess work stops there, I would not now how to change those parameters from my config; the db value for example looks challenging. The Info pages on emacsql-sqlite-builtin-connection did not help me much, and I could not find the manual for emacsql.
Thanks for your help.
and that would also explain why the doc would not expand more on the topic. It can be easy to forget an sqlite database is just a file.