I’ll be syncing my database via WebDAV. I think since 2.7 encryption of database sync stores for syncing is supported by DT?
But how does this work? I don’t get asked a password when I create a new sync store? Are they really encrypted or just encoded?
When Sync starts synchronizing your database, it generates a random encryption key to encrypt your database. All records, record metadata, etc. are encrypted with that key (call this the primary key). Then that key is encrypted with another key generated by the username and password (if any) set for your database (call this the secondary key).
If the primary key ever changes, the entire contents of the sync store need to be deleted and recreated. So we never change the primary key. Instead, we change the secondary key. So whenever you change your username or password, all that happens is that the primary key is decrypted using the old secondary key and reëncrypted using the new secondary key.
However, if someone wanted to disassemble DEVONthink Pro 2, they could probably figure out how the secondary key is generated if there is no username/password set on the database (because, as you know, it has to be guessable by other devices). So no, that’s not terribly secure. Setting the username/password on the database is more secure.
I created a database and set a username/password. I then created a Dropbox sync store and began synchronizing the database to the sync store.
The username and password were stored on my Dropbox account in plain text.
This seems to contradict the statement, “Setting the username/password on the database is more secure.”
I’m sure I’m missing something, but it seems that there is no real encryption whatsoever anywhere in the sync store approach?
I understand not encrypting the database on your local drive, and the idea of using FileVault or an encrypted disk image for that – I want a secure way of storing a “live” sync store on another machine/cloud disk somewhere so I can keep a live backup. The description above implies this is possible, but doesn’t seem to be true in reality.
But again, I’m probably misunderstanding something.
According to a support email reply, my concern was valid.
DEVONthink is a wonderful program, and I’ve had good luck with the synchronization via Direct Connection.
But anyone who is considering placing sensitive data in a DEVONthink database needs to ensure that the database itself, as well as any sync stores, are kept in a secure location. There is effectively NO security in an “encrypted” sync store. Hopefully all references in official documentation to encryption in the sync store will be removed so that other users aren’t misled in the future until this can be fixed.
This is exactly why I wrote here – the information I can find in the forums and on the internet is scattered, incomplete, seemingly incorrect, and largely consists of reviews that probably just copy/pasted marketing material. It seems that official DEVONthink material uses “encryption” incorrectly, at least in terms of what users believe it to mean (“You keep using that word. I do not think it means what you think it means.”). In normal use, encryption does not imply that you leave a copy of the key sitting right next to the lock.
The developer I spoke with is aware of the problem and reported that he was actually working on solving just this problem before I sent in my support request. He seems interested in finding a solution that actually provides security, and not just a hurdle to prevent the uninformed from accessing your data.
The ability to keep a sync store in a potentially untrusted location (e.g. Dropbox or any server belonging to someone else) would be a great feature that would make DT much more useful. Indeed, it seems many people already think they have that feature, but are unknowingly leaving potentially sensitive data effectively in the open.
And to be clear, I understand that the DT database itself, on my computer, is not encrypted and was never claimed to be encrypted. That’s fine. That’s what FileVault is for. But I would like to be able to use a service like Dropbox, or another shared location, to act as a sync intermediary for my data without anyone else having access to it.
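The key hierarchy described earlier in the thread (a random primary key wrapped by a secondary key derived from the username and password) and the reported weakness of credentials sitting beside the data, as an added sketch that is not part of any post and is not DEVONthink's code. PBKDF2, the HMAC-based cipher stand-in, and every function and field name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: PBKDF2 plus an HMAC-SHA256 keystream and tag stand in for the
# KDF and cipher DEVONthink really uses, which the thread does not name.
def secondary_key(username, password, salt):
    secret = f"{username}\x00{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def _stream(key, nonce, n):
    prf = lambda i: hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return b"".join(prf(i) for i in range(n // 32 + 1))[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def create_store(username, password, records, leak_credentials=False):
    salt, primary = secrets.token_bytes(16), secrets.token_bytes(32)
    store = {"salt": salt,
             "wrapped_primary": seal(secondary_key(username, password, salt), primary),
             "records": [seal(primary, r) for r in records],
             "metadata": {}}
    if leak_credentials:  # the layout reported in the thread: credentials beside the data
        store["metadata"] = {"username": username, "password": password}
    return store

def read_records(store, username, password):
    key = secondary_key(username, password, store["salt"])
    primary = unseal(key, store["wrapped_primary"])
    return [unseal(primary, r) for r in store["records"]]

def change_password(store, username, old, new):
    # Only the wrapped primary key is rewritten; the record ciphertexts stay as they are.
    primary = unseal(secondary_key(username, old, store["salt"]), store["wrapped_primary"])
    store["wrapped_primary"] = seal(secondary_key(username, new, store["salt"]), primary)

def readable_from_store_alone(store):
    """True if the store's own unencrypted metadata is enough to decrypt it."""
    meta = store["metadata"]
    try:
        read_records(store, meta.get("username", ""), meta.get("password", ""))
        return True
    except ValueError:
        return False
```

A store created with an empty username and password is also readable from the store alone, which matches the point made above about databases with no credentials set.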
Thanks so much for posting. I am not sure I understand all of this, and I haven’t had time to test it myself, but this would seem to be meaningless encryption if correct. My understanding was that by setting a password on your database, no one else would have it (Dropbox or DT), and you could be assured that the content of the sync store located in any cloud service was secure.
Until we get this sorted out, perhaps it might be worth trying SpiderOak (my preferred cloud service) instead of Dropbox for the sync store. It has zero-knowledge encryption, so ought to provide an additional layer of protection. I wonder if this would work.
This is not correct. On Sync, record and contents metadata are encrypted, database metadata is not (due to the current design).
I think this issue is being overstated since it assumes someone without authorization has accessed your Dropbox account.
If I don’t have your login credentials, I can’t access your Dropbox account. Therefore I can’t get in your Apps/DEVONthink folder to poke around.
If I did have your credentials, I would have to authorize DEVONthink’s interaction with your Dropbox account with the addition of the Sync Location on my machine. This action would surely be verifiable by Dropbox staff, even if it was possible to delete this action from your account history (though I don’t know if it is).
Even if I had set up a Sync Location, I would need to find the appropriate record in the Dropbox account before I could Sync the database to my machine.
If I did have your credentials to access your Dropbox account but not a copy of DEVONthink (say I’m running a PC with no VMs), the contents of your database are encrypted. They are not readable in your Dropbox account or even if I downloaded it.
This does not mean this is not something for us to consider and work on, but I think this is not as trivial a “theft opportunity” as it sounds.
PS: Except for the explicit Location authorization, this also applies to WebDAV Locations.
BLUEFROG – I started a long response thinking that you were replying on behalf of DEVONtechnologies, but after clicking on your profile I don’t think that’s correct.
If you do represent DEVON, please respond and I will post my full, incredulous response to the above, detailing the many logical errors it contains. It’s ok if there was a design flaw that led to security being broken as long as it’s being worked on. It’s not ok to pretend the problem doesn’t exist if it does.
If you don’t represent DEVON, then I will not waste everyone’s time stating the obvious. Please re-read what you wrote and think about how irrelevant most of it is, in terms of a response to the issue of broken security in DEVONthink. In a nutshell however:
A) The question is not about whether Dropbox is secure, it’s about DT.
B) If the unencrypted metadata contains the username/password that were used to secure the encrypted contents, that’s about as secure as ROT-13. In other words, NOT.
C) The argument that my data is safe because an attacker might not have DEVONthink installed on their computer, or might be running Windows is hilarious. I’ll have to remember that one.
D) I’m not arguing that everyone needs to stop using sync stores – just that the individual needs to be aware of the facts so that they can make an informed decision of risk/benefits. You are free to keep using them as much as you like. The data I was interested in storing is relatively sensitive, so I will not be using these methods of synchronizing until the problems are fixed. To each his/her own.
I very rarely visit these forums – if this was a troll posting, then well done. You got me.
In any event, until an official message from DEVON, I’m glad to know that at least one developer is aware of the problem, and is working on a solution. I’ll continue to use DEVONthink, but will keep my sensitive data off any third party machines until a better solution is found.
After hitting send, I saw your signature indicating that you do, in fact, work for DEVON. I thought I had seen that somewhere, but didn’t see it when I looked again. My apologies for missing that.
So back to the full response:
I don’t understand how it can be securely encrypted if the username and password required to access the data is stored inside the sync store in plain text.
As above, to test this, I created a new database and set a username/password. I then created a new Dropbox sync store and connected the two.
After synchronizing, I deleted the original database. I then looked inside my Dropbox folder and navigated inside the sync store. After a few seconds of searching, I found the username and password in plain text.
So yes, you would seem to be technically correct. The contents may be encrypted, but if the username and password required to access the data are lying right there in plain text, that would not satisfy any colloquial definition of encryption. You might as well “encrypt” the contents in ROT-13…
So which is it? The DT data is securely encrypted by the DT program? Or DT relies on Dropbox to provide security? These are two very different things.
Dropbox does not have a perfect track record for security, which is why users are interested in a way of ensuring that certain data inside of Dropbox is encrypted separately. This is exactly why other services, such as SpiderOak (which I have not used) have come to exist, and why many users put an encrypted disk image inside Dropbox.
More importantly, many users are smart enough to know that they should not rely on a single company to protect sensitive data. Dropbox has had security problems in the past, and probably will again. DEVONthink has had security issues in past (and it appears currently), and probably will again. But by relying on two independent methods to secure my data, it is much less likely to be inadvertently released in the open, and more resistant should someone decide for some reason that my data is worth the time to try and attack.
None of this relates to the question at hand, which is whether DT’s data is securely encrypted. The question of Dropbox security is best discussed in other forums.
It took a trivial amount of time for me to locate user name/password information inside the sync store. Others on the internet have reported the same thing.
So now the means of providing security is to say that an attacker would not have purchased DEVONthink??? If this is seriously what you are suggesting, might I suggest rethinking your argument? This can’t really be the official stance of DEVONtechnologies, right? “Only good people buy DEVONthink, so your data is safe.”???
Look. I don’t think that anyone at DEVON is evil, or stupid. I think that DEVONthink is a really amazing program that does a lot of great things. But I am concerned that there seems to be a lack of understanding of security/encryption in the information that is shared publicly. Security is one of those things that really has to be done correctly, or not at all. Users who purchase your product tend to believe what you tell them.
Most users don’t take the time to look around on the internet like I did, realize that something seemed to be fishy in regards to sync store security, and then poke around inside the sync store to find the unencrypted metadata including username/password.
To be clear, I wasn’t the first or only one to do that, I was just verifying what I had read online. This isn’t about me claiming to have discovered anything, I was simply trying to clarify what others had reported elsewhere, and what I had confirmed for myself. After receiving confirmation from a developer, I wanted to help others who looked for this information to be able to find it so that they can make an informed decision about their own security practices.
This is not an “official stance” for the company. I, like many other human beings, have my own opinions on matters and the Forums are an open place to discuss them (even for employees).
I personally don’t think anyone should store any private data on anyone else’s servers. And if they decide to, then an encrypted sparsebundle would be the only local and Synced vehicle for the data I would suggest.
Practically, the matter isn’t as one-sided as DT’s encryption. Practically, the situation has to consider account access. I can describe ways to protect your belongings in your home, but your belongings are only theoretically in danger of theft unless someone actually breaks in to your house.
I appreciate your concern and comments. However, while I think people should be wise and informed, I also don’t want them (especially forum-skimmers) to be overly alarmed either.
If I understand the conversation so far, there is a vulnerability. This particular weakness was discussed briefly back in April (see comments on the page I linked above), and it came up again in this thread. Basically, anyone who obtains access to a Dropbox account (Dropbox employees, hackers, or any of the many apps that have complete access to everything in a Dropbox account–it’s all or nothing with the permissions, as far as I know). Fortunately, it appears that DEVONthink is aware of the issue and plans to address it. Does that sound about right?
I agree about not blowing things out of proportion, and I appreciate the clear explanation of the vulnerability. I suppose whether it is a big deal or not depends on your perspective, which probably has a lot to do with the kind of content in your database and your past experiences with Dropbox. I use Dropbox every day, but I avoid putting anything sensitive into my account, and encrypt it if I do. I haven’t got an especially high opinion of their approach to privacy. christopher-mayo.com/?p=1605
I do have a high opinion of DT’s approach to privacy, and I think the sooner we see the vulnerability addressed, the better it will be for users and DT. Until it is solved, though, if you are working on two computers, you could use a flash drive of some kind instead of a cloud service. Or, you could use something secure like SpiderOak.
What I and others are interested in is not whether we should be alarmed, but simply to know how secure our data is. We want to know what the weaknesses and limitations are, so we can make an informed decision.
The message that seems to come from DEVON and its employees is, “Well, the data isn’t really all that well encrypted, but don’t worry about it.”
If the username and password used to generate the encryption “primary key” are included in the sync store in plain text, then it’s not clear to me how there can be any actual security for my data, other than security through obscurity/lack of ownership of DEVONthink.
And as always, if there’s more to it than the above, and my data is still secure despite an attacker having access to the username/password, then please explain it to us.
Apps that sync with Dropbox have two “flavors” of access. Some gain access only to their “sandbox”, which is what DEVONthink does. These are the applications that have a folder in the “Apps” directory.
Other applications can ask for access to the entire Dropbox account, which would include anything in the Apps directory or anywhere else (many text editors that include Dropbox sync use this approach).
When you authorize an application, the Dropbox web site shows you which sort of access the app is requesting.
Great to hear. I was encouraged to hear Cook’s security speech the other day, and I’ve really been pleased to see DT take a strong stand on security. This kind of dedication to giving users the tools to protect themselves is greatly appreciated, all the more because it is rare to find companies who do it these days. Keep up the good work!
Thanks. On the iPad, everything I use wants complete access, so that is all I am familiar with. To be honest, I wouldn’t trust something as flimsy as permissions to keep me safe anyhow, so, I still wouldn’t use DB for sensitive stuff even if they had a bunch of security levels.
This is actually the situation I began looking into at first when I stumbled into all this. Unfortunately, the sync store on a flash drive also seems to lack any sort of security (though to be fair, I didn’t see anything from DEVON claiming that there was any security on the local sync store.)
If the security is being revisited for remote sync stores, could it please be done in such a way that it applies to local sync stores as well? Fundamentally they are the same thing.
It would be fantastic to be able to use any intermediary (USB drive, Dropbox, whatever) to synchronize between two computers and know that the data is secure while in transit. This would have the additional benefit that a sync store on a USB drive could be used as a secure archive/backup for DEVONthink databases.
(And yes, I do realize that in this instance I can use an encrypted disk image on the USB drive to protect my data, so this request is more about convenience and consistency rather than necessity.)
The mechanism is essentially the same, so what we are working on will apply to local syncStores as well. (If anything - and I almost hesitate to say this and start another fire - a local syncStore on a commonly accessible location (i.e. non-authenticated) or portable drive is more vulnerable.)
Again, this returns to my belief in using the encrypted sparsebundle as a primary protective measure.
Isn’t an external drive encrypted with FileVault in my physical possession (almost by definition) more secure than my files on Dropbox accessible (without my knowledge) by any of the means listed above (apps, employees, hackers, etc.)? The more encryption the better, so I hope development will continue, but this is the method I’ve been using for a while… maybe I have been unknowingly exposing myself to risk.