DT3Pro - Encryption/Security - Big Picture & Details



Forward: I recently made the switch to Macintosh and am new to DT3. My apologies.

Introduction: I’m on a quest to use DevonThink3 for as many purposes as I can instead of having a specific application for everything.

Body: My main concern at the moment is security. After reading [Juranta’s] posts and some others - I am feeling iffy about using DT3 to store passwords or any financial/medical records in DT’s encrypted database.

Resolution: [Juranta] points out some general security concerns and issues with Sparse image/ Sparse Bundle… (not sure if the latter is a concern). Some other posts talk about creating a encrypted disk image through which to operate the encrypted database and mount it and then dismount it after use each time.

Conclusion: Once again, I am a novice to both these systems so if someone could provide a comprehensive overview as to the security of DT3 and a detailed description of what additional steps need to be done if possible to secure the already encrypted database in DT3 - that would be extremely helpful.


1 Like

An encrypted database functions no differently than manually creating an encrypted disk image, logging into a drive encrypted by FileVault, or unlocking your phone.

Data is encrypted when the device is locked, user not logged in, the image unmounted, or the encrypted database not opened. The data is available after the unlocking, logging in, mounting, or opening the encrypted database.

The dtSparse file’s mounted volume should not be visible in the Finder, on the Desktop, or in Disk Utility, so it shouldn’t be notiecable to casual inspection.
Also, when the encrypted database is closed, the volume is unmounted automatically meaning someone would have to enter the password to open the database again. The only exception would be if you stored the encryption key in your Keychain because you didn’t want to have to keep entering it - a very bad idea from a security standpoint.

Thank you for the clarification.

My last concern is the syncing and backup. I would like to have my data synced such that I can continue working on one device what I left off on another. Is there an option not to sync/backup solely the encrypted database to keep it more secure? Otherwise what do I need to be aware of when looking to sync/backup my Devon databases? Does the Devon encryption not carry over to when it’s online so therefore the online service needs to have its own encryption?

(I am referring to online/cloud backup) I am not concerned about local external storage backup.

Everything considered, is Devonthink3 a secure place (Using the encrypted database (no keychain)) to store passwords and sensitive documents?

I can’t speak to the security of DT3 databases (other than to point you to Bluefrog’s note above), but I would suggest that for storage of passwords, DT3 is less than ideal…not necessarily for security reasons, but for useability.

Check out 1Password. It will generate strong passwords, fill in login forms, sync between macs and ios devices, allow storage of notes and other document types, allow for sharing among family members (with different data sets (“vaults”) that can have different sharing rules.) It contains a section that will alert you if a site for which you have logon creds is compromised; will rate the strength of your passwords; will tell you if you’re using the same password on more than one account, and more. It will also share between mac and windows, but was originally developed for the mac.

DT3 will do a lot of things but it’s not a one-stop program for everything.


DT3 will do a lot of things but it’s not a one-stop program for everything.

How dare you!!! :wink: :stuck_out_tongue:


Is there an option not to sync/backup solely the encrypted database to keep it more secure?

ALL syncing is opt-in. You don’t have to sync any database you don’t choose to. DEVONthink will not sync any databases without you making that choice.

Otherwise what do I need to be aware of when looking to sync/backup my Devon databases? Does the Devon encryption not carry over to when it’s online so therefore the online service needs to have its own encryption?

If you are using an optional encryption key on a sync location, the sync data is stored in an encrypted state. That is not the same thing as having an encrypted database. That only has to do with the sync data.

Everything considered, is Devonthink3 a secure place (Using the encrypted database (no keychain)) to store passwords and sensitive documents?

Personal stances will differ on this, but I am very comfortable storing such data in DEVONthink databases. For almost seven years, I have been storing this kind of information in databases I have on an encrypted disk image (obviously well before our encrypted database option).

However, part of the security is up to you. If you walk away from your computer leaving a private, encrypted database open and mounted, then of course it’s possible (though not necessarily probable) someone could peek inside it. It is up to you to close the database or lock the screen, etc.


You could set up your own WebDAV server for sync - connect via https, encrypt the server disk and give yourself some more protection (assuming you don’t think commercial cloud services are secure enough).

I used to use DT for storing passwords and software licenses. It worked as well as one can expect, but I second the recommendation for 1Password to store password, licenses, credit cards, secure notes, and more. The big difference for me between 1Password and DT is the former will fill in forms in browsers and apps, which is far more convenient than searching and copying in DT.

Thank you all! This is perhaps the most helpful software community support experience I’ve had.


Thanks for the tip. I will look into that.


Thank you for your examples and insight.

Thank you for your tip too, I will look Into it some more, however I’m on a mission to make the most use out of Devon and the native Mac applications and try to avoid subscription payment models.

1 Like

Two thoughts, just for information, not to attempt to persuade you away from using DT as a one-stop shop:

  • There is still a one-time payment option for 1Password, although you have to work to find it.
  • Enpass is a very cheap, one-time payment alternative - a little clunkier in the interface, but very solid
1 Like

Well, I personally store my securely created passwords in 1Password. They probably have thinked much more about the security issues, syncing the data, done auditing on the system, precautioning people won’t do mistakes in setup, etc than DEVONthink will ever do. It’s also more convenient on many issues, such as filling the login on browser. However, I store my secure documents on DEVONthink which is much more convenient in handling documents, and can be much more secure than most of the notes application if you configure it correctly.

If you create the DEVONthink 3 encrypted vault on Mac, it’s as secure as the Mac encrypted vault, which is pretty secure. If you sync it to DEVONthink sync store to some location such as Dropbox, it’s probably also pretty secure if it’s done right, since it’s an end-to-end encryption system of a kind, which means it’s encrypted before leaving your Mac and getting stored to the sync store. On iOS, after the database stuff gets downloaded from the sync store may get downloaded to the phone, accessible to other people who get access to the phone, get backuped to the cloud, etc. It’s in this kind of issues that I trust much more companies such as 1Password to think about it all. Just as a tip of the iceberg, you need to enter the master password after some time, or else use your fingerprint to decrypt the passwords database on iOS.

But as I said, besides basically the passwords and some information I absolutely may need on move, I store my financial and other sensitive information on DEVONthink and sync it too. There’s always risk in syncing the information on cloud and to other devices. There’s some sensitive data, such as things related to work and health, that I keep only on my local Mac, in an encrypted sparse bundle Mac/DEVONthink format. Of course I backup it to a an encrypted location, but don’t sync it everywhere. Even if the software was in general reliable, there are so many potential mistakes in backup schemes, personal configuration mistakes and so on.

I explained in that other thread how the vaults didn’t get unmounted automatically, at least for custom created sparse bundles. I found a workaround in there. However, I think I’ve noticed a couple of times the databases being left open, perhaps because some file handles being left open or whatever. I mean, you can still see the disk images hanging grey in Disk Utility after closing them in DEVONthink.

But again this issue only can enable the people or software who have direct access to your Mac to potentially access the information. It doesn’t affect the security of the sync store that DEVONthink uses to sync it. However, though DEVONthink is much more secure than other options, there are certain risks in syncing very sensitive information in the first place, such as who accesses your phone, how it’s stored on the phone, iCloud backup, etc.

As I said in other post, I think there are risks in syncing your very sensitive information to all devices, even though the sync implementation in DEVONthink is encrypted and more secure than many of the options. DEVONthink sync store that you put in Dropbox, iCloud, etc is encrypted before it leaves your devices and enters the cloud. I use Arq to backup my encrypted, not encrypted, synced and not synced databases and other files to an encrypted location in cloud. In this case the Arq backup destination needs to be encrypted. There are several other similar options. Basically the secure option is to encrypt the files you put in the cloud before it leaves your device, and DEVONthink, Arq and 1Password all do this. It means, that at least in principle, these companies or some other third party can’t for example reveal your documents even if some authority demanded for it from these companies. Or if some hacker got an access to your Dropbox folder, he can’t get to the encrypted data you have in there.


Wow thank you for all that. I really appreciate it. I will keep an eye out for the possible sparse folder issue.


Thanks. At least with custom sparse bundle images formatted in APFS didn’t eject properly for me, but Mac Journaled (HPFS) works quite well. You create them in Disk Utility. t isn’t an issue if you create the encrypted sparse image in DEVONthink.

@juranta, If you are not sure about using a password manager such as 1Password and don’t want to risk the $40, or whatever it is now, you can try out a free option such as LastPass. Information is stored in their cloud, but is encrypted locally before it goes to their server. Then you can sync all your passwords and such to each of your devices. I personally use 1Pass, but the server admins at work use LastPass and they’re security freaks, so it must be ok. :slight_smile:

I also have tax and financial information in DT and sync it using a private WEBDAV server. Your data is as secure as you want to make it. If you use iCloud, you’re probably pretty safe assuming you use the encryption option in DT. Apple is pretty animalistic about customer privacy. Dropbox and Google, less so, but if your data is encrypted before it goes to them there’s not really anything they can do with it.

Use DT for what it is good for, but use other tools for what they are good for. It will make your transition to Mac much smoother. DT is not a good password manager. You’ll get a lot more features out of something like 1Pass or LastPass for your passwords.

1 Like