Today I bought DT 4 Pro and activated DTTG 4 with my license as well. As I was activating my encrypted databases from two encrypted sync storages (iCloudKit & WebDAV) I noticed that I don’t need to enter the passwords for those databases on my iOS devices.
Somehow DTTG 4 already knew my encryption keys for my encrypted databases. How did this work? Where in the manual can I read something about that? Could it be that the synced database on the sync store isn’t encrypted anymore?
I checked further and I would guess the databases on my iOS devices aren’t encrypted. Could it be that if I enable the upload of the encrypted database in my sync location the uploaded database isn’t encrypted anymore?
I checked further and I would guess the databases on my iOS devices aren’t encrypted.
There’s no way for you to actually determine this on mobile.
Could it be that if I enable the upload of the encrypted database in my sync location the uploaded database isn’t encrypted anymore?
DEVONthink To Go does not support encrypted databases in the way DEVONthink does. It never has and the differences in the underlying technologies of macOS and iOS make this infeasible. DEVONthink To Go has long relied on the on-device encryption provided with your mobile device. However, it also implemented its own application lock via Settings > Privacy (Security in version 3). It uses a mandatory passcode and optional biometrics to unlock the application.
I meant it doesn’t ask for my database encryption key. Indirectly that means the database isn’t encrypted anymore. With encryption I meant the Devonthink layer of encryption and not the underlying device encryption. And you confirmed that DTTG does not support encrypted databases.
Personally I would like to have a more informative way to inform users that you use an encrypted database without Devonthink encryption in DTTG.
How does Devonthink manage to provide an unencrypted version of an encrypted database from the sync location? DTTG never asked me for a database encryption key but it manages to give me an unencrypted version.
Is the encrypted database really encrypted in the sync location?
If yes, will the encryption key also be stored in the sync location? The encryption key must be used to get an unencrypted database for DTTG.
Maybe I am doing something wrong: I thought I created an encrypted database and synced it to all my devices, iOS included. As it seems that isn’t supported at all. After reading your answer I conclude encrypted databases are only possible locally on a Mac. Is that conclusion right?
I checked again: if I upload a database to the sync store there isn’t an option to upload an encrypted database. Therefore I assume all databases in the sync location aren’t encrypted. Their overall encryption relies only on the sync location encryption layer if selected. Otherwise, if you sync an encrypted database to an unencrypted sync location, then everything would be unencrypted.
What’s the use case of encrypted databases if they are only accessible on a Mac? Personally, I can’t see a good use case. And I expected that an encrypted database would be encrypted everywhere (on iOS, on macOS, in the sync location).
Is there a point in the manual that describes those limitations of database encryption? In my opinion that behaviour is different than other apps. Usually I expected that if I encrypt a database then that database will be encrypted in the sync location and on other devices (Mac and iOS) as well.
After reading the marketing text from DT I could interpret it that database encryption in general is only on a Mac supported. Is that correct?
When you synchronize it between your devices, the connection, the data you put on a cloud service, and, optionally also the database on your Mac, are securely encrypted.
Did you already synchronize the same databases using the same sync store with DEVONthink To Go 3.x on this device? Then this information was probably migrated from the old version.
Encrypted databases are only encrypted on the Mac, therefore this works as expected. But you could add password protection (see File > Database Properties) and then importing such databases (no matter whether encrypted or not on the Mac) from a sync location requires this authentication.
DT uses sparse images on macOS and the encryption that the OS provides for them. On iOS/iPadOS, there are no such things as sparse images. The lack of those implies the lack of encryption for them.
So, what you see is to be expected. And your database encryption will probably not be respected by sync since the database has to be open to be synced. While it is open, it is not encrypted. You can use encryption with your sync method and a password with your databases, though. Those work regardless of the OS.
That’s a lot of expectations. First off, it implies that all devices can use the same encryption algorithm (AES-256 in the case of DT) and that it is available to third-party developers on each platform – you would not want a database developer to implement an encryption algorithm. Second, you’d need to enforce transport encryption for the sync mechanism. In the hypothetical case of an HTTP-only WebDAV server, that might be difficult to do. For iCloud, you must simply trust Apple that they indeed do encrypt the traffic. If you use Bonjour to sync, the traffic is not encrypted by the Bonjour protocol.
Finally, your expectations imply that the sync location contains a database that can be encrypted – it does not, though (and that has often been explained here). The sync store does not simply contain databases. Which is good, because it is more difficult to get at your data from the content of a sync store.
Not gonna comment on the encryption stuff as it’s way outside my knowledge, but just on this: I have several databases that are only available on my Mac, and I would assume I’m not the only one. I only sync databases that I need on my mobile devices. Mostly for two reasons: 1. there are databases that only have content that I need if I’m working on my Mac, and having them on mobile devices is pointless, 2. My Mac is more secure and it’s safer to have them stored locally on one device. Each time you add a device, you’re adding another point of access (or several if you think about sync stores, which I’m not!).
It’s fair enough if you actually do need your databases on all your devices, but I would query if you really really do or whether some things can wait until you’re back at your Mac.
P.S. You can add Face ID to DTTG so that no-one except you can open the app.