Is the DEVONthink sync store encrypted?

As I understand it, DEVONthink uses a file store on Dropbox to do its syncing.
I’m wondering if my data is encrypted on the client-side before uploading to Dropbox? If so, is the encryption key tied to the database password?

As far as I’m aware, there is no data encryption going on in the Sync process.

I’ve posted a suggestion in this related topic:

DTPO Sync in the Cloud & Security /Tinfoil Hats?

Thanks for confirming.

To get around the risk, I’ve set up a BoxCryptor folder inside Dropbox. Boxcryptor will automatically encrypt/decrypt the files inside the folder before sending to Dropbox. Then I’ve set up DEVONthink to sync using a “local sync store” that is a folder inside Boxcryptor. This seems to be working fine for syncing between my machines.

I doubt this will work with the future cloud-sync solution in DEVONthink To Go though. As per the suggestion, it would be best if DEVONthink supports encryption on its own.

Are we talking in general or relative to network transfers?

First of all, thanks to DT for v2.5 with Sync, much appreciated.

However, if DT is not able/interested in addressing the complicated data encryption issues (for now), then what about making DTP Sync available over some of the reliable DropBox alternatives with strong security features, such as SpiderOak (or even Mega). Would that be difficult to implement?

Please see this topic for more info:
DTPO Sync in the Cloud & Security /Tinfoil Hats?

APIs. Don’t say this too loud around our Sync developer. :open_mouth:

The unfortunate thing is that a service might not have a public API for Syncing to their service.
And the unfortunate thing about the API is that it might be very unfriendly to implement. :unamused:

Also, bear in mind that DropBox was the hands-down winner in the service Users “had to Sync with”. That doesn’t mean it was easy to implement - it was just the one that had the most assessed need to implement.

Regardless of API factors, it’s riskier devoting resources to sync development/support for some cloud storage services with more future uncertainty (dare said, a cloudier future?) than Dropbox (small ‘b’ :slight_smile:) currently has.

Surely Google Reader’s pervasive popularity made it seem less risky than alternatives for hordes of developers/users but Google, unlike Dropbox with Dropbox, can absorb its pending shutdown (developers/users be damned) because that’s only one of many products/services it provides.

LOL - sjk. Ever the pedant (no offense). I’m going to start spelling it DorpBoX. :open_mouth: :smiley: j/k

And I agree with your assessment of the situation. (Actually, I think all of us at DEVONtech would consider this good counsel.)

Well, DropBox itself came close to being absorbed into Apple a while back, so you never know. But it does seem that there are only two options: Secure files at the source (DevonThink) or in the Cloud (SpiderOak, Mega etc). {I don’t know about WebDAV}.

If genuine, encrypted, cloud storage is not the answer, then I guess that leaves it up to the boffins from team DevonTech to find a way to lock the user files prior to transmission. (Assuming that the DTP users care enough about their data security to make the effort). Though that seems like a lot more work for the developers imho.

I’m also using Boxcryptor with Dropbox. It works fine for me, however, I’m a little afraid of the upcoming Devonthink To Go v2 which is doing something with the syncing. If v2 can only sync via webdav and dropbox and drops local bonjour syncing like 1password did, I will have a problem. Some built-in encryption scheme for Cloud syncing (which is why 1Password with Dropbox works for me), would certainly be better and more flexible. I wouldn’t even mind if only the stuff synced to the cloud would be encrypted and everything else on my hard drive only being encrypted by means of filevault so that spotlight works etc.

@Devonthink Devs: please keep at least local Bonjour syncing in v2 if you don’t do anything about the encryption. Then everything will be fine.

DropBox says they use encryption for both transfer and storage of data.
dropbox.com/help/27/en

Are you saying there is no encryption for transfers between client and Dropbox when using DEVONthink sync?

Most online storage systems encrypt your data during transmission. The problem is that DropBox has access to your encryption keys and holds them with the data. Which means that their staff, or anyone else with access, or a skilled hacker or a government agency, or some legal action, (or a random error) etc can immediately gain access to all your data (without your knowledge or permission). And it may never be deleted.

Economist: “Keys to the cloud castle.” (2011).
economist.com/blogs/babbage/ … t_security

There have been several examples of DropBox breaches (that we know of).
Just do a search. Eg.

“Dropbox proves to be a security problem for enterprises.” (2012-08).
cloudpro.co.uk/cloud-essenti … nterprises

“Dropbox breach could have been a lot worse – but it’s still time to wake-up-and-smell-the-coffee.” (2012-08).
insight.cryptzone.com/2012/08/dr … he-coffee/

There are some ways to resolve this problem. For example.

  • Have DevonThink encrypt the data, as a transparent internal operation, so that it remains private while floating in the cloud. But that would be a big project for DT.
  • Use a Cloud data service that does not store your passwords & encryption keys. There are several options, but DT would have to provide specific encoding for each/any of them.
  • Encrypt your DT data yourself using a local protocol such as Knox. But this requires some tech-fu, takes time and can be messy.
  • Host your own Server. Which is not something that most users want to bother with.

So, each of these has its own problems, costs and advantages ~ but none of them are simple. However, it is a problem worth solving. ~ IMHO.

Searched the forum for BoxCryptor. Is DEVONthink’s new sync technology compatible with BoxCryptor? Seems like it will be a problem for the upcoming DEVONthink To Go after it too can use the new sync technology.

Or this perhaps?
cloudfogger.com/

Quote: “Cloudfogger encrypts your data on the local device before it gets uploaded to the cloud. That guarantees that Dropbox and others never get access to the content of your files.”

This subject may also be under discussion on another thread.