NotePlus Module User Guide

Unlimited Notes for Every Element

• Add an unlimited number of notes to each element.

• Each note includes a title and content.

• The system logs the date and user of the last modification:

Elements Supporting NotePlus Notes

• The "Note+" tab will appear in the following Dolibarr elements:
  Products, services, customers, suppliers, contacts, members, users, projects, contracts, quotes, customer orders, supplier orders, customer invoices, supplier invoices, calendar events, Bills of Materials (BOM), manufacturing orders, workstations, and tickets.
   
• Some of these elements (e.g., calendar events) do not have Dolibarr’s native "Private Note" or "Public Note" options:

Optional Note Encryption

• You can optionally encrypt note content.
• The module generates a random 256-bit key.
• The system prompts the user for an "unlock key".
• This key is not stored in the database.
• If lost or forgotten, encrypted data cannot be recovered.
   
• Adding encrypted notes is simple:

• To access encrypted note content, only the unlock key is required:

Personal Keys vs. Shared Keys 

• Each user can create as many encryption keys as needed.
• Users can also create shared keys for team access.
• When using personal keys: Only the creator can decrypt notes
• When using shared keys: Any user with the key can decrypt notes.
• Each user manages their own keys:

Shared Note Considerations:

• When a user marks a key as SHARED, others can use it to encrypt notes with the same unlock key, enabling secure collaboration.
• Only the key creator can modify or delete it (!!).

Technical Considerations

Secure Key Storage

• Encryption keys are 256-bit (64 hex characters), generated using PHP’s `openssl_random_pseudo_bytes()` with a unique salt. Example:
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• The key is stored in the database encrypted with AES-256, using the user’s unlock key (which is typically weak). To strengthen it, the system applies PBKDF2 with 600,000 iterations and a unique salt—double the OWASP 2025 recommendation (!!).
• Notes are encrypted using the 256-bit key also via AES-256.
   
  ⚠️ Performance Note: Encryption/decryption may add ~0.5 seconds (depends on server power).
   

Encryption Recommendations

While PBKDF2 hardening makes brute-force attacks difficult, we recommend:

1. Avoid reusing keys—use different keys for different purposes to limit exposure.
2. Use strong unlock keys—avoid short or dictionary-based passwords. Instead, use mixed case, numbers, and symbols. If using words, make them a long, nonsensical phrase.

Change Tracking

Currently, only the **last modification time and user** are logged. A full **change log** may be added in the future if demand exists.

Multi-Company Compatibility

• Notes added to a company’s elements are **only visible within that company**.
• Keys created by a user are **only accessible when working in that company**.

Installation Process

Follow the standard Dolibarr module installation steps:

1. Go to Configuration → Modules.
2. Navigate to the "Install External Module" tab and upload the module’s ZIP file.
3. Return to the "Available Modules" tab.
4. Filter by Origin: "External - IMASDEWEB".
5. Activate the module.