How to encrypt an unencrypted database

Hi guys,

can I encrypt an unencrypted database? I created the DB years ago and did it without encryption. Now, before adding online-sync, I would like to switch to encrypted.
How can I do that?

You don't need an encrypted database for secure syncing. Be sure to create an encrypted sync store.

If you want to encrypt an existing database the only option I know is to create a new encrypted database and copy/move all your content there. AFAIK there will be no loss.

Hi konterbande,

thanks for the tip about encrypting sync store. I’ll look into that

Welcome @detlefs

There is no direct conversion from an unencrypted to encrypted database. However, you could…

  1. Select the items in the unencrypted database, select File > Export > Files and Folders, and export to a newly created folder on your Desktop.
  2. Create a new encrypted database with a reasonable maximum size. This should be large enough to receive the exported files, with extra space to provide for some future growth.
  3. Select the new encrypted database, then choose File > Import > Files and Folders, importing the contents of the folder from step 1.

You can then delete the unencrypted database after you’re finished with step 3.


@konterbande @BLUEFROG – So would you guys say that it’s overkill to have both an encrypted sync store and encrypted database(s) within that sync store?

Out of curiosity: why wouldn't one just create a new encrypted database and move the items from the unencrypted to the encrypted DB within DEVONthink? I have not tried, but wouldn't that keep all the metadata intact? Thanks…

AFAIK encrypting a database is only a local method of security. It does not interfere with an encrypted sync store, as encrypted and unencrypted databases can sync to an (un)encrypted sync store. I gave up on encrypted databases in favour of a vault-encrypted local SSD.

@BLUEFROG please correct me if my statement is technically incorrect.

Yes this is possible as well, though the metadata (except for Date Added) would be intact in either case.
I would move the items in smaller batches when using drag and drop.

Yes, you could put an encrypted database (.dtSparse) in an encrypted disk image. However, it would provide no substantial benefit in my mind.

Would you buy a small safe to put inside a big safe inside your locked house? :thinking: :stuck_out_tongue:


I'm no cryptographer, and I don't mean to open a can of worms since I know this has caused heated discussion before, but for a newbie like me, what's the safest way to store and maintain my DT databases (while syncing over WebDAV and iCloud)?

I don’t work for the CIA, and don’t have anything super top secret obviously, but I like my privacy and want to make sure I’m doing everything reasonably possible to safeguard my data. Am I overthinking this, @BLUEFROG?

@konterbande Do you sync your data via WebDAV or anything like that? If not, does the security (or lack thereof) of syncing over the internet dissuade you from syncing like that and push you toward a purely "offline" method of syncing via SSD like you mentioned? Do you not use DTTG?


I'd say don't use any public servers for syncing if you don't want your data out of your hands. I don't sync any of my data anywhere but my machines via Bonjour and a NAS on my network, not accessed remotely.

Otherwise, using an encryption key is sufficient for sync security.


Yes, I do use DTTG. Confidential stuff syncs over an SSD-based sync store and Bonjour. Other documents are synced over WebDAV (both locations are encrypted).

@BLUEFROG @konterbande Good stuff, thanks for sharing. Another question, do you guys do any offsite backups via any cloud services? (Not just backups of your DT data, but everything else too) Do you encrypt there? Or do you have a peer-to-peer off site backup set up at a trusted family/friend’s home?

Thanks again for sharing, I’m always trying to tighten up my digital/online security where possible and this is all great advice.


I’m using Arq with their encryption and a local NAS/WebDAV without.

Yeah, I think I'm going to start using Arq. And sorry, what do you mean when you say you're using a local NAS/WebDAV without [encryption]? Isn't a NAS/WebDAV server, by definition, available even outside a LAN? To be more clear, can't a NAS be accessed remotely by a knowledgeable/skilled attacker even if you'd disabled remote access?

Why would it be if I don’t want it to be? Or rather: what “definition”? NAS means network attached storage. It doesn’t say if the network is LAN or WAN.

Either I've disabled remote access or it is accessible. Tertium non datur.
Sorry, but if I do not forward the NAS' WebDAV port in my router, how would an attacker be able to gain access to the NAS – even if they are knowledgeable and skilled?
This is true for any kind of server with a private IP address sitting behind a router: web server, mail server, NAS, DNS… No matter what.
Since the IP address is private (which doesn't mean secret here, but "not routed in the internet"), all traffic (in and out!) has to go through the router. Which is basically not permitting any incoming connections (at least if it's a router that's worth keeping). Only if you want one of your local servers to be accessible from the outside, you'll tell your router to forward its port A to port B of your local server. In the case of WebDAV on a NAS, you'd of course also have password-protected access (or even 2FA, if you're really paranoid) and use HTTPS to protect the traffic.
Alternatively, you could decide to not open any ports on the router and set up a VPN to access your local net from the outside. Which might provide even more security.


Thanks for the information, that’s very helpful to a rookie like me with a very rudimentary understanding of encryption and secure networking. I’ve got a Synology NAS that I’m using to sync my DEVONthink databases over WebDAV, and I’m trying to make it as secure as possible.

Why would it be if I don’t want it to be? Or rather: what “definition”? NAS means network attached storage. It doesn’t say if the network is LAN or WAN.

Ha, I’m just an idiot. I assumed all NAS devices were basically connected to the outside world (albeit with usernames, passwords, port forwards, firewalls, and all that other security stuff) but didn’t even stop to consider there’d be an option to have it only available to devices inside a local intranet.

if I do not forward the NAS' WebDAV port in my router, how would an attacker be able to gain access to the NAS – even if they are knowledgeable and skilled?

Probably just the fear mongering with online security getting to me with this one. I guess I was just assuming someone smarter than I would know of a way to get past port forwarding. I also assumed the only way to have anything “offline” was to not have it connected to your router at all.

Overall, I think what I’m getting at is if DEVONthink’s encryption isn’t as secure as this thread seems to make it out to be – or that it has weaknesses that a layperson could exploit (e.g., database encryption username and password stored in plain text)

… then I figured I should start worrying more about securing my sync location. I guess I always fell back on the idea that if my NAS were to be compromised somehow, the assailant would just get a bunch of jumbled, encrypted information rather than anything of value. But if I’m understanding correctly, DT’s encryption stores the “key” to that encrypted data in plain text and would then obviously allow someone to decrypt that data. (Perhaps DT’s encryption is stronger now since it’s been nearly 7 years since that thread I linked above?)

I don’t know anything about DT encryption. But if you create a shared folder on your Synology NAS, you can encrypt it. That might be a viable alternative. Though your database itself is still not encrypted on the devices you’re using.

Right, that makes sense. I’m okay with my personal devices “remembering” the encryption key to those encrypted databases therefore allowing anyone to pick up my laptop or phone or whatever and access DEVONthink data if it’s running in the background or something. Thanks for your advice!

Just to reaffirm: As @chrillek has also mentioned in other posts, WebDAV can be run locally with no connection to the outside world. In fact, several of us in-house run Synology NASes for in-network, i.e., local syncing. Mine’s in the other room happily syncing to my other Macs and iOS devices, insulated from anyone but me. :slight_smile:
