Hi guys,
can I encrypt an unencrypted database? I created the DB years ago and did it without encryption. Now, before adding online-sync, I would like to switch to encrypted.
How can I do that?
You don’t need an encrypted database for secure syncing. Be sure to create an encrypted sync store.
If you want to encrypt an existing database the only option I know is to create a new encrypted database and copy/move all your content there. AFAIK there will be no loss.
Hi konterbande,
thanks for the tip about encrypting sync store. I’ll look into that
Welcome @detlefs
There is no direct conversion from an unencrypted to encrypted database. However, you could…
You can then delete the unencrypted database after you’re finished with step 3.
@konterbande @BLUEFROG — So would you guys say that it’s overkill to have both an encrypted sync store and encrypted database(s) within that sync store?
out of curiosity: why wouldn’t one just create a new encrypted database and move the items from the unencrypted to the encrypted DB within devonthink? I have not tried, but wouldn’t it keep all the metadata intact? thanks…
AFAIK encrypting a database is only a local method of security. It does not interfere with an encrypted sync store as encrypted and unencrypted can sync to an (un)encrypted sync store. I gave up on encrypted databases in favour of vault encrypted local ssd.
@BLUEFROG please correct me if my statement is technically incorrect.
Yes this is possible as well, though the metadata (except for Date Added) would be intact in either case.
I would move the items in smaller batches when using drag and drop.
Yes you could put an encrypted database (.dtSparse) in an encrypted disk image. However, it would provide no substantial benefit in my mind.
Would you buy a small safe to put inside a big safe inside your locked house?
I’m no cryptographer, and I don’t mean to open a can of worms since I know this has caused heated discussion before, but for a newbie like me, what’s the safest way to store and maintain my DT databases (while syncing over WebDAV and iCloud)?
I don’t work for the CIA, and don’t have anything super top secret obviously, but I like my privacy and want to make sure I’m doing everything reasonably possible to safeguard my data. Am I overthinking this, @BLUEFROG?
@konterbande Do you sync your data via WebDAV or anything like that? If not, does the security (or lack thereof) of syncing over the internet dissuade you from syncing like that and push you toward a purely “offline” method of syncing via SSD like you mentioned? Do you not use DTTG?
I’d say don’t use any public servers for syncing if you don’t want your data out of your hands. I don’t sync any of my data anywhere but my machines via Bonjour and a NAS on my network, not accessed remotely.
Otherwise, using an encryption key is sufficient for sync security.
Yes, I do use DTTG. Confidential stuff syncs over an SSD based sync store and Bonjour. Other documents are synced over WebDAV (both locations are encrypted).
@BLUEFROG @konterbande Good stuff, thanks for sharing. Another question, do you guys do any offsite backups via any cloud services? (Not just backups of your DT data, but everything else too) Do you encrypt there? Or do you have a peer-to-peer off site backup set up at a trusted family/friend’s home?
Thanks again for sharing, I’m always trying to tighten up my digital/online security where possible and this is all great advice.
I’m using Arq with their encryption and a local NAS/WebDAV without.
Yeah, I think I’m going to start using Arq. And sorry, what do you mean when you say you’re using a local NAS/WebDAV without [encryption]? Isn’t a NAS/WebDAV server, by definition, available even outside a LAN? To be more clear, can’t a NAS be accessed remotely by a knowledgeable/skilled attacker even if you’d disabled remote access?
Why would it be if I don’t want it to be? Or rather: what “definition”? NAS means network attached storage. It doesn’t say if the network is LAN or WAN.
Either I’ve disabled remote access or it is accessible. Tertium non datur.
Sorry, but if I do not forward the NAS’ WebDAV port in my router, how would an attacker be able to gain access to the NAS — even if they are knowledgeable and skilled?
This is true for any kind of server with a private IP address sitting behind a router: Web server, mail server, NAS, DNS… No matter what.
Since the IP address is private (which doesn’t mean secret here, but “not routed in the internet”), all traffic (in and out!) has to go through the router. Which is basically not permitting any incoming connections (at least if it’s a router that’s worth keeping). Only if you want one of your local servers to be accessible from the outside, you’ll tell your router to forward its port A to port B of your local server. In the case of WebDAV on a NAS, you’d of course also have password protected access (or even 2FA, if you’re really paranoid) and use HTTPS to protect the traffic.
Alternatively, you could decide to not open any ports on the router and setup a VPN to access your local net from the outside. Which might provide even more security.
Thanks for the information, that’s very helpful to a rookie like me with a very rudimentary understanding of encryption and secure networking. I’ve got a Synology NAS that I’m using to sync my DEVONthink databases over WebDAV, and I’m trying to make it as secure as possible.
Why would it be if I don’t want it to be? Or rather: what “definition”? NAS means network attached storage. It doesn’t say if the network is LAN or WAN.
Ha, I’m just an idiot. I assumed all NAS devices were basically connected to the outside world (albeit with usernames, passwords, port forwards, firewalls, and all that other security stuff) but didn’t even stop to consider there’d be an option to have it only available to devices inside a local intranet.
if I do not forward the NAS’ WebDAV port in my router, how would an attacker be able to gain access to the NAS — even if they are knowledgeable and skilled?
Probably just the fear mongering with online security getting to me with this one. I guess I was just assuming someone smarter than I would know of a way to get past port forwarding. I also assumed the only way to have anything “offline” was to not have it connected to your router at all.
Overall, I think what I’m getting at is if DEVONthink’s encryption isn’t as secure as this thread seems to make it out to be — or that it has weaknesses that a layperson could exploit (e.g., database encryption username and password stored in plain text)
… then I figured I should start worrying more about securing my sync location. I guess I always fell back on the idea that if my NAS were to be compromised somehow, the assailant would just get a bunch of jumbled, encrypted information rather than anything of value. But if I’m understanding correctly, DT’s encryption stores the “key” to that encrypted data in plain text and would then obviously allow someone to decrypt that data. (Perhaps DT’s encryption is stronger now since it’s been nearly 7 years since that thread I linked above?)
I don’t know anything about DT encryption. But if you create a shared folder on your Synology NAS, you can encrypt it. That might be a viable alternative. Though your database itself is still not encrypted on the devices you’re using.
Right, that makes sense. I’m okay with my personal devices “remembering” the encryption key to those encrypted databases therefore allowing anyone to pick up my laptop or phone or whatever and access DEVONthink data if it’s running in the background or something. Thanks for your advice!
Just to reaffirm: As @chrillek has also mentioned in other posts, WebDAV can be run locally with no connection to the outside world. In fact, several of us in-house run Synology NASes for in-network, i.e., local syncing. Mine’s in the other room happily syncing to my other Macs and iOS devices, insulated from anyone but me.