Executive summary: I want to be sure I’ve taken all the correct steps to ensure my synced data is safe and is not on anyone’s cloud service or otherwise exposed.
Context: I’m in the process of migrating a moderately large set of notes to DT from another app (old, abandonware). One of the most critical issues for me is the security of data in my notes that will be synced between my desktop Macs and multiple iOS devices. There are a number of things that make DT attractive, but at the top of the list is the fact that (AFAICT) I am not required to sync data via any cloud service. I’ve got my test setup synced via Bonjour, which keeps everything local to my home network (I think), which is what I want. It’s not that I don’t trust Apple, Dropbox, Microsoft, Google or anyone, it’s that…well, actually yeah, I don’t trust any of them, and I believe that every cloud service gets compromised eventually. So I want to keep all sensitive assets local, and not on any cloud sync service.
Before I move all my legacy notes over to DT (some of these notes contain bank account details, passwords, and other things of value) I want to be sure I have not inadvertently exposed them to any cloud sync services via settings in DT on my Mac or iOS devices.
What I’m looking for is a list of things to check to ensure I haven’t left any windows wide open after I think I’ve locked all the doors.
Here’s how I have things configured currently:
On my Mac (which is used as the database server), with DT Personal running, I go to DEVONthink > Preferences and click on the Sync tab. I click on the Bonjour Options button, I have “Enable incoming connections” checked, there’s a Port number (which was machine-supplied, I did not enter it manually), and a password.
Back in the Sync/Prefs panel, there’s a green dot next to the “Bonjour Options” button and it says “Incoming Connections: Available”.
Under Locations I see 4 items: CloudMe, Dropbox, WebDAV, Local Sync Store. None of these are checked. “Synchronize” is set to “Manually”.
On my iOS devices, in DTTG, in Settings, everything is unchanged from the defaults, except under “Locations” it has the local name of my desktop Mac listed which is enabled (with a “wifi fan” symbol).
In Settings > Security > Edit… Use Passcode and Use Face ID are both off (these were defaults, I believe). I assume I can enhance security by enabling one or both of these later (I probably will, later, when I load my live data).
Bonjour options are all left at the defaults (currently “Enable incoming connections” is off).
At the bottom of the panel, “Backup” - Backup data to iCloud is OFF.
So…my questions/suggestions:
Is there anything I have wrong here (or elsewhere), or that I have missed, that would expose my DT assets (via sync activities) to unwanted cloud services or other security vulnerabilities?
For completeness: I do NOT back up my Mac or iOS devices to iCloud or any other cloud service (I back up iOS devices to my Mac locally, and I back up my Mac to multiple local external hard drives). I do use a few cloud services sparingly, only syncing specific folders (photos, etc.). I believe that my home network (and local machines) are set up with appropriate security and the chances of hackers gaining access are very low; likewise, I believe my Macs, external backup drives, and iOS devices are secure and will not be physically removed or accessed - and of course these items are outside the scope of anything you guys need to deal with.
A suggestion:…
I bet I’m not the only paranoid here (I once worked for a company that sold cloud services and had to deal with many customers who swore they would never, EVER let their critical data live on anyone’s cloud, never, over their dead body, etc.). I suspect I’m also not alone in wanting to do a sanity-check to confirm that I have things set up correctly to maintain no-cloud control over the data I’ve entrusted to DT and haven’t inadvertently missed any setting that leaves me vulnerable.
I’d like to suggest that you folks might want to author and post a short self-help document that covers this subject - basically, “How To Set Up DT To Ensure None Of Your Data Is Uploaded To Any Cloud Service” or “Security Settings Summarized” or “DT Security Audit” or something similar. (My apologies if such a document already exists and I’ve missed it, pointer appreciated.)
Thanks in advance for the help and for considering this.