A question about encrypted databases

I have a question about encrypted databases. All my databases are synced with iCloud with an encryption password in the sync setting. I dont have a password set to any individual database,

I note in devonthink 3 you can create a new database OR a new encrypted database. If you create a new encrypted database the program prompts you for a password.

I dont fully understand the difference between these two ?

The help in DT3 has a section on the encrypted databases.

Here is the first blurb from the help:

Encrypted Databases: If you have databases containing sensitive or private information, you can create an encrypted database. This is specialized AES-256 encrypted disk image that will not appear in the Finder or your desktop when it’s open. Quitting DEVONthink or closing the database unmounts the disk, so you are always required to enter the password to access it.

1 Like

This is not a database password, it’s a key to encrypt the data located in iCloud.

I think I understand it now…

I had assumed all my databases were encrypted end to end on iCloud. (Which I believe they are with a password)

The confusion arose with the setting to create an encrypted database. This implies that just creating a normal database wouldn’t be encrypted. However as I understand it creating an encrypted database would encrypting it on my Mac rather like creating a secure disk image.

An encrypted database is stored on your Mac locally but an (optionally) encrypted sync store like iCloud encrypts the remote copies of databases, no matter whether locally encrypted or not.

On a Mac encryption isn’t necessary that often but for cloud sync stores it’s always recommended.

I have never locally encrypted my databases because I am happy with the security in my home and who has access to my Mac. However it does sound like a sensible option to do.

Is there anyway to encrypt existing non encrypted databases.

You could create a sparse disk image using Applications > Utilities > Disk Utility.app, then move your database into the disk image, unmount the volume and change the extension to .dtSparse. Please ensure to specify enough disk space for the disk image, by the way.

I have seen a CRITICAL issue here after migrating to DT3 for DT2Pro … It seems that the DT2 password protected DB can be opened WITHOUT prompting for a password … I’m really really worried about the security in DT. Closing and opening the DB doesn’t help … This special DB was never ever opened in DT3 before so how is it possible to bypass password protected DB. Neither do I store in Keychain, at least to my knowledge. What did you changed?

1 Like

The username/password is now only used by the sync (see File > Database Properties…). This protection wasn’t really secure as the files were not encrypted. Usage of encrypted databases is now recommended instead.

this I know BUT then the password was only handled in DT2 thus meaning I could open the dtfile2 ??

Yes, it’s not used anymore to open databases.

ok I read DT2Help again and it is explained but perhaps in terms subject to interpretation for non-technical users which I’m not. so, for me I understand that it was more or less cosmetic (only UI) but perhaps, and since I haven’t read the help before creating the password in DT2 would it not worth to mention it in the UI … ok now DT3 is here perhaps not so important but… thanks

Problem is that the content of the opened psswd protected DB is not complete so I missing data currently … So, it seems that the password has some implication … The DB properties tab shows a password so recognizes it but data content is not complete at all … Any suggestions?

This shouldn’t affect the database as it was only a simple password protection while opening the database in version 2. What exactly is missing?

this is also what I expected but missing 60% of the content … just testing currently. Will also check/compare with other Dbs if the same apply

ok now understanding you moved the Inbox DB to Inboxes in DT3. I was still looking at the Open DB Category in the right sidebar for the content of passwd protected DB inbox which is now displayed under the Inboxes category.
Can understand, not sure I liked it for now… but could be used to … Is there a way to also show the complete content (also Inbox) under the DB in the Open DB category in the sidebar (as in DT2)?

No, that’s not possible.

last question I just check the db properties of the encrypted DB. I would really welcome to see that the DB is encrypted and not a user and password field as in DT2. (screen is DT3)


This is wired, sorry dislike completely. I have a sparse image which is AES256 encrypted with a strong password and this reflects the old DT2 “DB” schema/instance approach. So please refactor completely this feature.
This UI must stay and be shown only for old password protected DT2 DB which are now completely obsolete (as you correctly stated before) otherwise for the new encrypted one please do not present this screen since do not reflect the reality.

However, how I change the passphrase of the sparse image?
Last, but least may I suggest to uniquely identify both in the Inboxes and Open Databases Categories the DB as encrypted with a small locker icon beside/beneath/sub- superscript or whatever the DB name… Would help to enhance the readability of the UI

1 Like

What kind of database did you check? Databases created via File > New Encrypted Database… are encrypted, the username/password are only used by the synchronization (see the description in your screenshot).

However, you can’t change the encryption key of sparse images or encrypted databases after creating them anymore.

the screen shown is as said AFTER I encrypted the DB. It shows the DB DT3 properties of an encrypted DB.

Not to be able to change the password is restrictive since I can do it of filesystem level.

And somehow I would really welcome some open-minded mindset since I take time to report issues and make some proposals and I do not have the feeling that my engagement as a user is taken really into account. I’m testing other products and there it seems that my help reporting things and proposal is appreciated … (no offense meant, I really appreciate how @eboehnisch is taken response seriously and appreciate the help we the community try to give )