Use DTP as a Password database?

I might look at that Stephen thanks.
I’m trying DT3 now with a Password database and getting an encrypted database to appear on DTTG is proving a challenge.

OK unless I’m missing something, DT is really awkward to use for this purpose!
Firstly Bonjour doesn’t play well with encrypted databases it seems.
Then if you create a ‘Password Database’ on your Mac, you end up with a ‘Password Database’ on your iOS device for everyone to see, unless you password protect all of your databases, which I really do not want to do.
(…there is a contextual Username and Password option for a database on DTTG but it doesn’t seem to do anything?)

I am seeing no issue with syncing an encrypted database via Bonjour or any other sync method. Indeed, regarding encrypted databases there is nothing technologically distinct about the database itself.

DEVONthink 3 is in beta testing. It is not the final release and encrypted databases are not supported in DEVONthink To Go (which is not in beta).

I don’t have information on how this will be implemented in DTTG, especially considering the filesystem and operating system on macOS and iOS is not the same.

You could be using DTTG’s Settings > Security to lock access to the application, but no, the database would not be hidden from view or inaccessible.

You might also look at Enpass, with which I am experimenting as a replacement for 1Password. It uses local storage and has similar integrations with other apps to 1Password - also cheaper. A little cruder.

I endorse the view that using DT would be a lot less convenient

I endorse the view that using DT would be a lot less convenient

You’d have to define the operations to determine what is “convenient”.

Could it be convenient, just as a container of passwords? Absolutely. I actually have a database containing login information going back many years. It works perfectly fine for looking up login information, i.e., it’s quite convenient. :slight_smile:

Yes the trouble with Enpass et al is I don’t want anything but a plain document so I can dictate format.
Bluefrog, do you sync your login database to iOS? If yes, how do you keep it secure on the actual iPad?

Security is handled by DTTG’s Settings > Security and using a mandatory passcode and an optional TouchID (on my iPhone 7). There is no per-database locking in DTTG.

As I thought.
I’d really like to see per-database locking in DTTG.

What is the Username and Password on DTTG, available in the context menu for? I have searched Help but cannot find it referenced.

It is used for sync security, the same purpose as it’s intended for in DEVONthink 3.

From DEVONthink 3’s Help > Documentation > Windows > Database Properties (and applicable to DTTG as well):

Protection: To add a layer of protection when syncing your databases, you can add a username and password to the database. Anyone trying to import the database from a sync location will need to provide these credentials.

Ah OK that’s clear

OK - makes sense

My scenario is even more secure:

I have a Synology NAS with an encrypted folder. Apart from the administrator (two-step account), only one other specific account has permission to read/write that folder.

All my databases are password protected and synchronized with that folder via HTTPS (with a digital certificate) WebDAV…

All passwords are secure (long and non-dictionary).

I think you can safely store your passwords in this scenario.

PS: And yes, I have a PostIt with all those data attached to my main iMac… :sweat_smile: Noooo, I have all in my 1Password safe.

PPS: If someone takes on the job of breaking all of that, he will reach a zillion mostly (but not all) public domain PDFs, a scrapbook from the internet and not much more. :joy: (Well, yes, more things like my writings, software licenses and other more or less critical related stuff).

Can you explain that a bit more… I have a Synology NAS too but did not know I can synchronize it to DT.

Thanks

You need to enable the WebDAV service on your NAS (install the WebDAV Server package). Enable HTTPS and disable HTTP in that configuration. You can even change the default port.

Once that is done, all of your NAS can be accessed via WebDAV, only over HTTPS.

To have HTTPS enabled, you must go to Control Panel -> Security -> Certificate and install a purchased certificate or one issued via Let’s Encrypt (which your Synology can renew automagically). This is a slightly critical step because you need to specify where you are going to access it from, to avoid warnings like “this certificate is not for this site” or similar.

Then you can access it via a fixed IP inside your network or via Synology DDNS (or similar) with HTTPS.

The next step is to create a shared folder in Control Panel with encryption. IMHO this can only be done if your Synology is formatted with the Btrfs file system. On each NAS restart, or if you manually unmount the disk, it cannot be mounted again without the password. This is similar to Windows BitLocker or Apple FileVault.

Next is to create a normal user account with access only to the shared folder you are going to use to sync your DT. This is done in Synology Control Panel as well. Then specifically deny access to that folder to any other Synology accounts you may have on your NAS (I left access for my admin account just in case).

In DT, you need to specify WebDAV and HTTPS as the remote location, point to the desired shared folder and use the specially created Synology account for that specific folder.

(There are tutorials for all of this on the Synology website.) I recommend you do this first without HTTPS and, when it is working, enable HTTPS in WebDAV as the final step.

At this moment you have 4 layers of security:

  1. DT database password
  2. HTTPS over internet to avoid intercepts
  3. Synology only account access
  4. Synology disk encryption

In my case I have a DS1019+ with 4 disks (SHR, 1-disk fault tolerant) + 1 as a spare with auto repair in case of disk failure, and 1TB RAID (1+1) eMMC R/W cache. The performance inside my local network is higher than having some external cloud service store my files.

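To check that the WebDAV setup described above actually delivers layers 2 and 3 (HTTP off, a trusted certificate that matches the host name, and no anonymous access to the sync share), here is an added audit script that is not from the thread, DEVONthink or Synology. The host name, ports and share path are placeholders you replace with your own.

```python
import http.client
import socket
import ssl

# Placeholders (assumptions, not values from the thread): your NAS name and
# the ports you chose in the WebDAV Server package.
NAS_HOST = "nas.example.invalid"
HTTP_PORT = 5005
HTTPS_PORT = 5006
SHARE = "/DTSync/"  # constructed name for the dedicated sync shared folder

def plain_http_refused(host=NAS_HOST, port=HTTP_PORT, timeout=5):
    """True if the NAS does not serve the WebDAV share over plain HTTP."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("OPTIONS", SHARE)
        status = conn.getresponse().status
    except OSError:
        return True            # connection refused or closed: HTTP is off
    return status >= 400       # anything served over HTTP is a finding

def https_cert_valid(host=NAS_HOST, port=HTTPS_PORT, timeout=5):
    """True if the TLS handshake passes chain and host-name verification."""
    ctx = ssl.create_default_context()   # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:            # ssl.SSLError is a subclass of OSError
        return False

def anonymous_propfind_status(host=NAS_HOST, port=HTTPS_PORT, timeout=5):
    """HTTP status for an unauthenticated PROPFIND on the sync share."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("PROPFIND", SHARE, headers={"Depth": "0"})
    return conn.getresponse().status

def evaluate(http_refused, cert_ok, anon_status):
    """Turn the three probe results into a list of findings (empty = good)."""
    findings = []
    if not http_refused:
        findings.append("plain HTTP still serves the WebDAV share: disable HTTP")
    if not cert_ok:
        findings.append("HTTPS certificate is untrusted or names the wrong host")
    if anon_status != 401:
        findings.append(f"anonymous PROPFIND returned {anon_status}, expected 401")
    return findings
```

Run `evaluate(plain_http_refused(), https_cert_valid(), anonymous_propfind_status())` from your LAN and again from outside via the DDNS name; an empty list means the share is only reachable over verified HTTPS with credentials.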

That is super-clear! I will give it a go soon.

Thanks!


I use both 1Password (for passwords) and DEVONthink. I support the view that a good specific program such as 1Password is more convenient for the purpose it was made for. However, and sorry for saying this in a DEVONthink forum, I’ll add that from security standpoint I trust 1Password and AgileBits (the company behind 1Password) a lot more than general purpose apps such as DEVONthink or Day One that promise end-to-end encryption, which basically means that data is encrypted before it leaves the device and is stored to the cloud. For instance, there’s probably a lot more expertise and auditing done for 1Password that for the generic apps. I’ve read of some security groups studying possible weaknesses in the 1Password implementation, and them responding to it, etc.

If you want to sync passwords through the cloud between Macs and iOS, then something like 1Password is most likely a more secure choice than DEVONthink. I’d personally opt to think that even 1Password through cloud sync is a more secure way to get passwords synced between Mac and iOS than the Bonjour DEVONthink solution in general. There are probably many potential ways someone could get to your passwords in DEVONthink on iOS devices, such as someone browsing to them through the Files app while you’re not looking. Or someone figures out a way to dump the data on your device and they find your password file.

On Mac, if you open an encrypted database, then I think the files are unencrypted in the mount point anyway while the database is open, and at least in DEVONthink 3 beta it seems the mount point often remains open even after you’ve closed the mount. Even if you’re the sole person using the Mac, there’s a chance that you for instance run some downloaded ransomware or other software that can read your filesystem, and then send the passwords to another place. Or maybe you make a personal mistake and backup all that stuff to an unencrypted place, or your custom NAS drive setup perhaps isn’t as secure as you think.

So in general, I think there are several factors to consider as to whether cloud or custom Bonjour is safer. Personally I use 1Password with their cloud sync for my private passwords, and a local 1Password vault for some more sensitive work-related things. BTW I’m not affiliated with the company behind 1Password in any way and I used it as an example. I kind of evaluated the risks of storing passwords and also syncing them between the devices and this is what I came up with for my situation. It seems I’d more probably make mistakes with a custom solution than with a specific product from a reliable company targeted at the issue.


Whoa, can this be explained in detail? I am entrusting loads of sensitive data to DT desktop and mobile, synced via Dropbox, having understood that the remote data is encrypted. I also have a username/password on these sensitive databases and don’t allow Spotlight indexing. Does this mean my data is NOT encrypted?

Also, I just created a test, encrypted DB on DT desktop, synced it via Dropbox to mobile, and I can see the test text on mobile.

@BLUEFROG Could you kindly explain further and clarify?

Thanks

having understood that the remote data is encrypted.

If you are using an optional encryption key when using our sync with Dropbox, yes the sync data is encrypted in your Dropbox account.

In DEVONthink, adding a username and password in File > Database Properties does NOT encrypt anything, and never has. When that database is synced to DEVONthink To Go, the credentials are required to import the database, but it also does not encrypt the database.

Encryption of the databases in DTTG is handled under Apple’s mechanism, where locking the device encrypts the data and unlocking the device decrypts it for use. We added Settings > Security to allow for a passcode or TouchID / FaceID to be used to unlock the app.

Great, thanks @BLUEFROG that’s reassuring and is consistent with what I understood from before. Phew.

No problem :slight_smile: