Are encrypted database archives also encrypted?

I use the File, Export, Database archive to make backups of my databases.

Does anyone know if I back up an encrypted database, is the backup also encrypted / password protected?

Welcome @Cisk

The encrypted database is stored in an encrypted disk image, so the disk image should be backed up.

Thanks Bluefrog - I’m new to DTP and I’ve been backing up my databases (which are a mixture of encrypted & regular databases) to a local drive using File / Export / Database, to create *.dtBase2.zip files.

My concern / question is that I can’t find anywhere online or in the manual that says if the .zip file is encrypted if it’s an archive of an encrypted database - I know you could create the archive to an encrypted volume, I just wondered if the zip file itself is encrypted if it’s an archive of an encrypted database - because if it isn’t then presumably someone could just unzip it without a password…

No, the database isn’t encrypted when you export to a ZIP file.
And the database itself isn’t encrypted in this case. When the database is open it’s not encrypted. It’s encrypted when it’s closed, no different than FileVault or iOS uses.

After reading your latest tips on the blog, also the manual and doing some (re)searching on this community forum, I remain a bit puzzled on backing up on iOS, iPadOS and macOS.

  1. I’ve hit the switch in your DTTG app to prevent iCloud Backups, so iOS and iPadOS are no longer storing my data to iCloud Backup.

  2. I’ve also set up encryption for data stores synced to iCloud (inbox + active projects) and Dropbox (same + all other DBs). So both my sync stores are E2E encrypted.

  3. Then on macOS I also have set up the same sync stores, so I have access to the DBs inside them. On macOS I have to ‘import’ them to have them synced locally. At this point I have the option to import them as regular DBs or encrypted ones; I choose ‘encrypted’ so when the database is closed it’s stored encrypted on my local disk, correct? I understand that this is just another layer of security, as FileVault fully encrypts my Mac’s SSD using my password.

Now I understand that, when I use File => Export => Database Archive (or Scripts => Export => Daily Backup Archive) on Mac, DT will optimize, export and compress the data from the ‘opened’ database. So everything is exported as decrypted / unencrypted data to a regular database. Is that right? Or is there a way to back it up to an encrypted database, just like when I’m importing it?

If not, then how can I keep a local DB export encrypted? Can I simply optimize it, close it and copy/paste a database (manually) from the local Databases directory to another location?

Best regards,
Maik

Be aware that by doing this your iOS devices (iPhone and iPad) are not backed up, so in the event of catastrophic loss or whatever, everything (apps, data associated with those apps, etc.) is not backed up. And if you were to upgrade to a new device, much harder to do so. Up to you. Apple probably on their support web site gives details on how the backups are encrypted for you. Frankly, I would recommend you reconsider this.

Page 134 of the Handbook says “Database Archive: Creates an optimized ZIP file of the current database in the selected location. This can be useful as a secondary backup strategy.” The output of this process is an unencrypted zip file of the database.

Should you want to encrypt this, I can think of a number of ways. There may be more, and some ways may be better than others. You decide.

  • There are numerous articles on the Internet. I found “How to Encrypt and Password Protect Files on Your Mac - The Mac Security Blog”. You could create an encrypted disk image and put the file into that volume.
  • You could create a new encrypted DEVONthink database and import the unencrypted zip files into that database.
  • You could zip the archive zip file using the app “zip” on your Mac (accessible by the terminal). Type “zip” on the command line to get the options. Or type the command “man zip” to get full documentation. Encrypting is done by the “-e” option. Delete (including Trash) the unencrypted version.

I’m sure you know, but remember to keep all the passwords somewhere. I’ve learned through the years that the biggest risk causing data loss with encrypted files is simply forgotten passwords.

When doing all this encryption, think through who or what it is that you are protecting against access. For example, if you use FileVault encryption, do you need further encryption for files on the Mac? Only you can decide.
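To check for yourself whether an exported archive (or one re-zipped with `zip -e`) is actually encrypted, the following Python code, added here as an example and not part of any post in this thread, reads the ZIP central directory and classifies each entry as unencrypted, traditional ZipCrypto (the scheme Info-ZIP's `zip -e` writes) or WinZip AES. The sample archive, its file name and the helper `build_sample` are constructed for the demonstration.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x1   # general purpose bit flag, bit 0: entry is encrypted
AES_METHOD = 99       # compression method 99 marks WinZip AES (AE-x) entries


def entry_protection(info: zipfile.ZipInfo) -> str:
    """Classify one entry as 'none', 'zipcrypto' or 'aes'."""
    if not info.flag_bits & ENCRYPTED_BIT:
        return "none"
    return "aes" if info.compress_type == AES_METHOD else "zipcrypto"


def audit_archive(source) -> dict:
    """Map every file entry (directories skipped) to its protection."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: entry_protection(i)
                for i in zf.infolist() if not i.is_dir()}


def is_fully_encrypted(source) -> bool:
    """True only if the archive has entries and none is stored in the clear."""
    report = audit_archive(source)
    return bool(report) and all(p != "none" for p in report.values())


def build_sample(encrypted: bool) -> bytes:
    """Constructed one-entry archive; optionally set the encrypted flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Sample.dtBase2/placeholder.txt", b"constructed test data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The end-of-central-directory record is the last 22 bytes (no
        # comment); bytes 16..19 of it hold the central directory offset.
        (cd_offset,) = struct.unpack_from("<I", raw, len(raw) - 22 + 16)
        raw[cd_offset + 8] |= ENCRYPTED_BIT  # flag field of the CD header
    return bytes(raw)


if __name__ == "__main__":
    for label, enc in (("plain export", False), ("encrypted flag set", True)):
        print(label, audit_archive(io.BytesIO(build_sample(enc))))
```

Pass `audit_archive` the path of a real `*.dtBase2.zip` to inspect an export. An entry reported as `zipcrypto` is protected only by the legacy PKWARE cipher, which is vulnerable to known-plaintext attacks, so the encrypted disk image is the stronger of the options listed above.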

Thanks for pointing this out 👍 all welcome information, too.

I’m aware that shutting down iCloud Backup entirely would stop the ability to recover from disaster. That’s why I’m using the function from within the DTTG app itself. Besides that, it’s also possible to leave out one (or more) specific app(s) from iOS backup. So not stopping the service as a whole.

For backing up the encrypted database, I’ve tried the manual actions as suggested in my previous posting. Actions performed:

  1. Select an ‘encrypted’ database
  2. File => Optimize Database
  3. Click button Synchronize the current database
  4. Right click database and then Close database
  5. Open local Databases directory
  6. Copy the closed database to a secondary storage location
  7. Optionally: prefix the filename of the copy with the current date
  8. Optionally: reopen the original database to use it until the next backup or delete it if you don’t need it locally, after which you’ll have to re-import it as a ‘secure database’ from a Sync Store or re-import a backup.

It seems to work that way and an ‘encrypted database’ remains securely stored, so it’s not sent unencrypted to a (cloud) storage location. Of course I could add an (automated) compression step, but for now I leave the backup databases uncompressed.

Maybe @BLUEFROG could confirm if this is a proper (or valid) way of working? And, maybe you have a tip on opening a copied backup next to the original database? In case I want to restore bits of information from an older backup. Thanks in advance.

Best regards,
Maik

New one on me. None of my iOS devices, far as I can tell, allow that. Probably my lack of curiosity as I’d prefer to back up the entire device since on more than one occasion in the last >10 years I’ve benefited by restoring a device from the iCloud backup. Just my bias.

Re your 8 steps, I’m wondering where this comes from? Sounds all too complicated to me, and frankly can’t get my head around what you say–my bad, I guess. I recommend you follow the guidelines in the DEVONthink Handbook for backups, and if you wish to encrypt the Zip files created using the archive process DEVONthink provides, then use the macOS methods to encrypt–nothing to do with DEVONthink.

I’m not at a computer where I can refer to the DEVONthink Handbook, but my hunch is there will be guidance on how to recover files from an archive zip. If not what you need, just try it with a test database.

Also: always remember that synchronising is NOT backup.

Well, this is how (I think) I can manage the backup on a per device basis:

On your iOS / iPadOS device go to Settings => Account => iCloud => Manage Storage => Backups => Device (current) …wait until it’s done loading… then click: Show all apps.

There you can include / exclude an app’s data from the backup, too. I think it’s basically the same as hitting the switch inside the DTTG app, but I’m not sure.

Personally I find making a backup using the steps above (quick sync, close, copy-paste, open again) as easy as using the export function and having to encrypt my exported database afterwards. Because that requires some extra steps from me outside of DT. But again, I’m looking for some confirmation if this is a valid procedure, too.

Finally I will have a look at the handbook to see if there’s some information / tips on opening two databases (original + backup) next to each other. That would complete my WoW.

Regards,
Maik