Encryption of DEVONthink Pro data file

Some time ago I queried the position in regard to the password protection and I think the answer was that this is a simple password. As a result, I have been storing my data file in an encrypted volume for added security. I am currently in the process of writing a mini-review of the application for my Macoldie blog and need to cover security. Can you please confirm that the data files are NOT encrypted?

Presumably, if not, this is a feature that has been requested and I wonder if there are any plans to achieve this,

That’s correct.

There are plans but this doesn’t have the highest priority, e.g. external editing & automatic synchronization of edited documents is more important for v2.0 and things get complicated if you want to have both. And both FileVault and encrypted disk images are more than a workaround for now.

For others who need encrypted data storage with DEVONthink, I highly recommend using Leopard’s new “sparsebundle” support. Here’s how to use it:

1. Open up Disk Utility, from within Applications/Utilities.

2. Click on the “New Image” button.

3. For Volume Size, pick something bigger than you need. However, be aware that you can resize this in the future, so no need to make it gigantic. I usually make it the size of a DVD, to facilitate easy backups by just burning the image.

4. Leave the volume format to Mac OS (Journaled), this helps in case of system crashes.

5. For encryption, select either AES-128 or AES-256. The lower number is fine if your data is just being kept from prying eyes, and is not truly sensitive.

6. Leave the partition type alone.

7. Set the Image Format to “sparse bundle disk image”.

This will create a bundle (a special directory filled with files) on your disk named “Whatever.sparsebundle”. Just double-click on this image to open it. You can save the password in the Apple Keychain so that you never have to type it in again, just your Keychain password after login.

Now drag-and-drop your DEVONthink database into the volume that got mounted. Voila! Everything is encrypted now. I recommend you also go to “File | Database Properties…” and uncheck “Create Spotlight Index”, otherwise thieves will know exactly what is in your encrypted volume, and even some of the contents (what was used to make the index). If you need to delete this info after the fact, it’s located in ~/Library/Caches/Metadata/DEVONthink Pro.

After you exit DTP, you can now unmount the secure volume. After you machine logs out, or your Keychain locks, you’ll now be as secure as most anything you can reasonably hope for in today’s world.

I personally keep multiple encrypted volumes for different purposes. The advantage to sparsebundles is that they grow and shrink using individual 8Mb files, so that it’s pretty easy on Time Machine or rsync. (In fact, the sparsebundle format was created to make it possible for Time Machine to backup FileVault home directories).

John

John (and others),

Thanks for your detailed instructions! I got most everything to work correctly. However there is one issue I still can’t figure out.

It’s stated that this sparse bundle can be resized in the future. That’s great. But how do I do it? Is it automatically done in 8 Mb chunks and there’s nothing I need to do. Or is there an optional procedure for either reducing or enlarging by a user-specified amount?

If you go into DIsk Utility, there’s a Resize Image button on the toolbar.

John

John,

Sorry, I did not express myself clearly enough. Yes, I see the Resize Image button. But if I select the sparsebundle itself (or the disk image within it), neither time does the Resize Image button activate. It stays grey.

So is there some other trick for resizing, or is it possible I created the sparsebundle itself incorrectly?

Aha, I think I found the answer. I had the image disk open. When it was closed/ejected and there was only the sparsebundle left, then and only then did the Resize button activate. Got it now! I figured it was something silly (as I’m not used to the logic of sparsebundles, etc. yet). Should be simple from now on.

Again, thanks for the great help. I certainly needed a way to protect my data from others.

But you don’t really need to do that. I set it to 4.7GB and it automatically grows to that size without me having to do anything other than adding more files to that disk image.

Annard: That’s great to know. What happens, then, once you go beyond 4.7 Gb? I can see that happening (though not for a few months or more).

Since I started this thread with my question about encryption, it’s about time I provided an update. For some time I used an encrypted volume using Knox, an encryption application which, I believe I am right in saying, uses Leopard’s in-built features. This this worked well; it’s just a matter of remembering to open the volume before opening Devon.

Since then, though, I’ve adopted PGP Whole Disk Encryption (WDE) pgp.com/products/wholediske … index.html which encrypts the entire HDD, including the boot sector. So now, of course, the Devon data file doesn’t need extra protection, nor do I have to enter any passwords, except the master key to boot the computer. In my opinion this is a better solution than using Leopard’s File Vault to encrypt the User folder.

So far this has been working well over a period of four months and I have absolute peace of mind. If security is important, particularly with a portable computer, it is one thing to consider.

Mixalis: Thanks for the further thoughts. As it turns out, I actually prefer the partial encryption offered above. Most of the stuff on my computer are things I’d freely share with others. I only need the protection for a relatively low percentage of my files—but in those cases I do need great security.

But it’s nice to know there’s a variety of good options out there. I was a bit unhappy that DTP did not have encryption included, but I think I actually like this other solution better.

About once a month we get a Support request pleading for help in accessing a password-protected database. The user has forgotten the password and needs to get at the database for an important purpose.

If the simple password scheme built into DEVONthink was used, we can suggest that the user upload the database to Eric for unlocking it. There’s a FAQ on the Web site with instructions on how to upload the database. It will be returned unlocked to the user. We have no interest in looking inside your database, and the DEVONtechnologies business plan doesn’t include trying to steal your bank account password.

For more secure protection I recommend an encrypted disk image, probably using 256-bit encryption. That’s pretty darn secure.

Apple’s File vault will secure an entire user account, and of course whole disk encryption locks the entire disk to unauthorized access. Personally, I’ve never used those solutions, as if anything goes wrong the secured data — everything — is likely gone forever.

Putting on my Support hat, let me beg users — especially those using really secure protection — not to forget your password(s). If you do, there’s nothing we can do to help, except to offer our sympathy.

Don’t assume that using secure encryption is all it takes to keep your data secure. Most unauthorized access to secured information isn’t done by people who use sophisticated technological means to crack the password. Almost always, access is gained by human engineering approaches. A clever spy may be able to trick the user into volunteering the password. Perhaps he will find the password on a sticky note on the computer. More likely, your spy may simply try “obvious” passwords — your dog’s name, your wife’s birthday, etc. So if you forget your password, try to find a good espionage agent and let him ask you a few questions. He may be able to figure out the password you’ve forgotten. Most people use pretty predictable passwords.

The tip posted earlier in this thread, not to turn on Spotlight indexing for secured information, is a good one. Here’s another: be careful about “broadcasting” a sensitive database when DTPO2’s Web sharing Server mode is active. Use File > Database Properties to uncheck that option, which can be toggled on or off for individual databases.

Also note that although the DTPO Server preferences allow one to set a username and password, which provides at least some access control, and individual databases can have passwords, that’s not really high-level security, although it’s good enough to keep casual bystanders out.

Bill: I agree with all you say except when you make the point that if something goes wrong with the encryption (either File Vault or WDE) all is lost. The same can apply to an unencrypted disk if it fails disastrously and there is no backup. If you are going to use encryption it is more than ever necessary to have a good backup strategy. I have two complete encrypted backups–one using WDE with a clone of the HDD, and one using Knox as an encrypted volume. If something goes wrong with WDE I have my fallback with Knox. At the moment, my Achilles’ heel is my unencrypted Time Machine backup. Fortunately, it’s hidden away on the Time Capsule in a cupboard. Must do something about it, though.

As for the mother’s maiden name syndrome, any system involving encryption needs a really secure password or, better still a passphrase containing a few random symbols. If it’s something you are using every day you are unlikely to forget it.

Oh, and I forgot: an offsite backup, either to a cloud or an second location, is essential for complete peace of mind. We tend to worry about theft, but fire is also a possibility.

For most people, I agree, the WDE route is overkill. But I’m travelling a lot with all my data on my MacBook Pro and I need to protect my personal information. Even a bunch of seemingly innocuous letters and spreadsheets can contain nuggets of information that can help with fraud or identity theft. And I rely on Devon so much that it is a complete record of all my financial and personal data, including scanned bank statements, contracts and so forth. If I lost any of this in clear I would worry myself to death.

Encrypted Disk Images are a pretty robust technology. And the Sparse Bundle technology (the default in 10.5) is even more robust. I know of thousands of people who have used it, and issues are very few and far between. I have seen 2 issues with corruption (both were the result of improper shutdown), and both were fixed by DiskWarrior when I ran it (it can actually repair the issues with volume header corruption on the encrypted images just like it can on a real disk).

IMO if you have sensitive data and you’re on a laptop, it’s worth it. And of COURSE you should have a backup (you should have at least 2… one offsite), so the “data loss” issues are really somewhat of a non-issue.

Just to chime in here, but I have 3 different encrypted volumes I use regularly, all sparsebundles. And even though I’ve sometimes had to reset my machine (even hard reset), I’ve never had an image lose integrity.

That said, I have several backups as well. Although do note: When using Time Machine, I often cannot access backups from when the sparsebundle was in use. Sometimes I have to go back for days to find a version whose internal consistency was sufficient. This is due probably to the fact that it was backing up some 8MB chunks at different times.

John

I would also like to confirm that I have had no issues with sparsebundles, despite the occasional hard reset. Nor have I had problems with PGP whole-disk encryption after similar emergency shut-downs. The whole process just trundles on. But I keep my fingers crossed!

I use an encrypted sparsebundle as well. One question I have is that documents within the sparsebundle (some in DT database and other outside of DT) can not be searched by spotlight - probably due to encryption. Therefore, where does DT store the index that it uses to search the files stored in DT database. Are they within the database? If so, then by default should be protected to same degree as the database and its files. Is my thinking correct? Thanks.

I’d like to see the app support per item encryption, rather than the file itself. This way, we can encrypt per item as we see fit. Evernote does this and it would be a great feature to copy.

Matthew

I know this is an old thread but came across it when I was inquiring about DT2.0 and security. I plan on trialing the program but wanted to comment in terms of encrypted folders.

I have recently started to use Knox for encrypted drives. You can activate spotlight searching on Knox Volumes. The security plus here is that the spotlight database itself is stored on the knox volume so that if its locked, the contents are not visible w/ a spotlight search.

In regar to time machine and Knox or Apple own encrypted Sparsebundle’s, they really should be ignored for time machine backups. If the volume is open, Time machine will backup its contents and its possible for it to be incomplete. Knox has a backup solution built in that the folder will be closed and encrypted and then you can backup the sparsebundle thus guaranteeing a full complete backup.

As far as remembering passwords. Knox was purchased by Agile, makers of 1-password. I have been using this program for a while to store all of my passwords. Right now there isn’t any automated integration with Knox. But its a place where you can store all of your passwords and access across multiple platforms/computers (Windows, Max. iPhone, iTouch, iPad, Dropbox). Thus you then only need to remember 1 Password (ala the name) to gain access to all of your passwords. Plus, 1 password has its own password generator to create strong passwords.

I have been storing DTP data in encrypted sparsebundles for two years now. Knox is simplied way of doing what you can do anyway in OS X). I store the files in a Dropbox folder so I have both major types of data security - prevention of loss of information through theft and protection against loss or damage of recording media. Dropbox no longer backs up the entire sparsebundle every time it changes but manages to cope with incremental changes. My 1Password data file (you are right in saying that Agile now own Knox as well) is also stored on Dropbox as an officially recognised solution and the one set of data is then synced across all my computers and iOS devices.