Keeping DB on Disk Image (Encrypted Sparse bundle)

Hi - I’ve always saved my DEVONthink databases on an encrypted disk image - Mac OS Extended (Journaled). I just create the disk image through Disk Utility on my SSD hard drive. I read this a while ago in a Taking Control of DEVONthink book and have always just done it that way.

Anyway, I did a clean install of Mountain Lion this summer, read a little about encrypting folders and am now questioning whether keeping my databases on a separate disk image is necessary and worth the effort. I guess either way I do it, I have to always type in the password (which is fine with me); however, I’m not sure if it makes it more cumbersome to back up (frankly, I’m not sure of the best way to back up other than to just copy the databases from the disk image on my hard drive to an encrypted disk image on an external hard drive). My databases really aren’t that big, so space is not that big of a deal.

Maybe the only benefit is that it helps me keep my DEVONthink databases separate (at least mentally) from the rest of my documents on my computer’s hard drive. I wondered if anyone had any advice, thoughts, or tips on how/where they store their databases. Thanks in advance. Chris.

IMO, it depends on whether the security of encrypted, password-protected data is worth the effort. If your databases are just web bookmarks, then maybe not. If they are where you store the passcodes to your Cayman Islands accounts, then maybe yes. 8)

In general I recommend users enable FileVault whole-disk encryption. In that situation, a separate disk image doesn’t get you much unless you need to keep the database private from other users of that computer.

Thanks. Sounds like I’ve made it more difficult than necessary. Have you seen any performance issues after enabling FileVault on the entire hard drive (2011 Air 1.8 GHz 4GB RAM)? Is it okay to just move the DEVONthink DBs to the hard drive, trash the disk image and then enable FileVault on the hard drive? I understand the current DEVONthink DB files (e.g., PDFs, etc.) are on the disk image, but the index files for the database are in my Library directory, and I just wanted to make sure the move won’t screw everything up. Thanks again for your help!

I suggest reading up before using FileVault. There have been incompatibilities with some software in the past, as well as issues with Spotlight. YMMV.

BTW, I use encrypted disk images (sparse bundle) to store sensitive data (financials, etc.). I personally see no reason to encrypt my entire drive since the vast majority of my computer usage requires no real privacy.

I have FV2 full disk encryption on and have no issues since I did so (more than a year ago now, since Lion came out). In fact it was mandatory to have full disk encryption at my last place of work, so it was the main reason to upgrade to Lion at that time.

Right after I did upgrade to Lion and enabled full disk encryption, I moved my sensitive DT databases out of the encrypted sparse bundle and never looked back. Works like a charm.

I haven’t come across any applications so far that have problems with FV2 full disk encryption. Spotlight works 100% as well :wink:

Alex, glad to hear your experience.

Of course, once you’ve entered your password, everything previously encrypted is no longer encrypted. If you have sensitive information, a second security step would be to set up a password to wake the computer from sleep, and put it to sleep whenever you leave the computer for a time.

Do you use backup software such as Time Machine? I would assume that Time Machine backups made while FileVault isn’t active would be unencrypted and a potential source of concern. Of course, there are measures that could be taken to mitigate that issue.

I’ve never gotten over the problems that some had with early versions of FileVault, so am still reluctant to use it. Probably just paranoia on my part. Instead, I use encrypted sparse disk images to hold sensitive data. Of course, the same potential problem exists. While that disk image is open, a simple measure should be taken to protect it while I’m away from the computer. And I might turn off Time Machine while the disk image is mounted. That would require backup of the entire disk image rather than incremental backups.

Another caution about using encrypted sparse disk images is that, if the option to generate Spotlight indexing for a database is checked, a Spotlight search could reveal the names of documents within the database, even when the database is closed and the disk image is no longer mounted.

High level encryption is hard to break. The biggest weakness from a security view is the kind of password used. Most knowledgeable intruders don’t try to break the encryption scheme, but instead use simple “human engineering” to try to guess the password, based on some knowledge of the user. Don’t use your wife’s name, your dog’s name, your birthday, etc. Those are easy for you to remember, but also easy for a spy to figure out. Above all, don’t write your password on a Post-It note stuck to your computer. :slight_smile:

Of course, the TM disk is also encrypted (another good feature that Lion brought in). So, once the disk is unplugged, it’s locked just like my laptop’s internal one.

When you have FV2 full disk encryption and the TM disk is encrypted, you are back in the world of incremental backups :wink:

I have tested that as well, and the Spotlight index is local to the volume. Once you unmount the volume, Spotlight can’t reveal anything from the encrypted disk.

:slight_smile: Of course, if one were to apply special measures to me, I’d reveal the password. Nobody can stand torture for long. Encryption only gives you protection from “drive-by shooters”. A determined interested party will have the data within hours (or even minutes), if they truly need it.

I guess it’s like with my house or motorcycle keys: I’m trying not to leave them for everyone to pick up and run with. But as they say, ‘where there is a will, there is a way’ :wink:

imgs.xkcd.com/comics/password_strength.png :wink:

Do you do remote backups too? If so, how?

SpiderOak. They have ‘zero knowledge’ of my data/password/keys (https://spideroak.com/faq/questions/23/is_spideroak_really_zero_knowledge_could_you_read_a_users_data_if_forced_at_gunpoint/)

1Password, Bill, helps a lot and saves some Post-Its :wink:

I looked at them, but I am way too paranoid. Do you have any “proof” they are truly unable to decrypt my files?

I don’t think it’s unreasonable to be paranoid about storing one’s data in the cloud. :slight_smile:

Not only can there be breaches of security by the outfit that stores your data; a recent news article in Technology Review reports an exploit through which other files in a cloud repository can “spy” on data. See technologyreview.com/news/50 … t=20121109

I’m pretty sure that I’m not being monitored by U.S. or foreign intelligence agencies, such as the NSA. Why would they do that, other than mistaken identity, as I’m pretty harmless so far as such interests go? But my databases do contain some information that I wouldn’t want captured by hackers, and I prefer controlling any potential access to that data. I don’t put it out on the cloud.

My working assumption when I send an email is that it has become susceptible to being viewed by persons other than the one to whom I addressed it, and may remain accessible to such persons indefinitely. I can’t control information I’ve sent out via the Internet. I make the same assumptions about my sensitive data, and prefer to control that myself.