What's your Security strategy for your personal documents?

after so many years of using DT for my projects, I’m planing to move and store also my personal documents (invoices, IDs, contracts, etc…).

My fear is to lose everything, maybe because I’m used to the Cloud (Google Drive and iCloud), so I’m fine thinking that no matter what happens to my devices, I still have my documents somewhere else.
Also…what if someone stole my device?

My strategy for my projects is:

  • the Databases are stored on my MacBook and my iPhone (on my iPhone I store the whole datases only because I have lot of space)
  • Every time I’m at home my MacBook is under TimeMachine (an SSD always connected to the USB hub)
  • all the Databases are backed up with Arq on Google Drive every evening

As for Security:

  • all my devices are locked with fingerprints or FaceID

Do you think it’s enough for my personal documents?
Have you got any other advice before I move my personal documents?

I know I can encrypt a database on DT: do you encrypt your documents? Why?

Hope my question doesn’t sound like a silly question: I have very important documents there.

Thank you

What’s your threat model?

That is, who might potentially want your documents, and what lengths would they go to to get them? What would happen if they fell into the wrong hands?

Worrying about casual snoops blundering into the rough draft of a novel is a very different thing from you personally being a target of corporate espionage or a state actor. Losing a copy of last year’s tax return is very different from losing the access information for your investment accounts, which is very different from losing an interview with a political dissident.

To define a security strategy, you first need to know what you’re securing against.

Generally speaking, documents that I would think of as “very important” shouldn’t be allowed anywhere close to the internet, certainly not in unencrypted form.


I’ve never differentiated; all my documents are stored in Devonthink

You’ve addressed the 3-2-1 of backups with local and offsite copies
and device backup with a Mac and iPhone (I prefer an iPad)

A potential issue I also address is a failure of the Devonthink apps or database
I can’t allow this to block access to my documents
My backups include a weekly export using the files & folders option

As for Security: … all my devices are locked with fingerprints or FaceID

Likewise; I rely on device access security
My Mac storage is protected with FileVault; DT databases are not encrypted;


I don’t store my private data on anyone’s servers, including iCloud. To me it’s like handing my wallet to a total stranger and telling him, “Now don’t look in there, okay?”


Nice question.
My only concern is about Privacy and the usual Credit Cards numbers and similar.
What would happen if someone knew of my last professional insurance? Probably nothing but the Privacy.

So you mean keeping the documents local (with a good backup strategy) and rigorously encrypted?

May I ask you how do you export the files?
DT doesn’t have an incremental export option, so each export is a new one.
Something not so friendly if you have a bad Internet connection

Is there a workaround for this?


There’s a tradeoff between security and convenience. I use a password manager, and I allow it to synchronize between my desktop and my phone. This creates a theoretical vulnerability, as it uses the company’s servers and the public internet, but I’m willing to accept that risk for the sake of convenience.

Exactly how to manage that balance will vary depending on the person, the document, and, again, the threat model.


Just a manual process
Select the files; Files > Export > Files and Folders
and saving to an external drive

DT doesn’t have an incremental export option, so each export is a new one.

Confirmed; each export is a full copy
The exported data is included with my Arq backups (incremental)

1 Like

I also use Arq to backup the databases.

Help me to understand: you export the documents to a local folder, then you let Arq backup the files from this location to the Cloud?
Does the incremental backup work even if the timestamps of the files are new?

I do it differently. Right or wrong eyes of beholder. i have an automated process that makes an archive zip out of DEVONthink. One of the menu options. That zip stored in ~/backups/devonthink/ locally. that local file, along with everything else, backed up by my backup 3-2-1 design using TimeMachine, Backblaze, and a few Carbon Copy processes to the Synology NAS. The Synology NAS is backed up to a USB drive and Dropbox backup.

Overkill? Probably. Oh well.

1 Like

If your data is that important to you, I wouldn’t say it’s overkill.


Well, simple and without angst or performance hits to contend with.

1 Like

I store my personal files in DT and have done for over a year. I’m more comfortable having it all stored natively on my Mac and being responsible for the back-up. I do use CloudKit for syncing DT to DTTG though I think that’s encrypted? I don’t know, but figure Apple at least try to keep me safe.

I think probably my threat tolerance would make others wince. I figure Apple are doing a reasonable job of making sure my devices are secure from digital attack. I don’t live in a city and am not out and about with my devices that much so my danger of physical theft or using unsecured wifi (I never do) is low.

My priority was actually accessibility. Having lived through the joys of a certain country’s decision to depart the EU and revoke rights to live for its non-British citizens, my priority is that paperwork is secure (as in won’t get lost), easy to navigate and easy to manipulate (e.g. being able to drag and drop to a thumb drive for sharing, compile into separate groups, change to a compatible format if required, etc.).


Yes, it seems to work well for an incremental backup

I’m thinking backing up a zip would not be incremental
It’s a full copy each time the backup is run

That is correct.

1 Like

yes, but 1. I do not really care as cpu time and disk space not noticed and 2. Timemachine and Backblaze are incremental. And Backblaze for their benefit not mine.

I have a Hazel rule which deletes all but the last three DEVONthink archive backups.

As you notice I do not sweat the details on this. focus instead on diverse backups.

1 Like

I use similar strategy.

  • Arq for file backup in an BackBlaze Bucket (Encrypted) (Offsite Backup).
  • Encrypted DevonThink DB, always good to have it encrypted…why not, save one time in your keyring, and one time in your password manager. It won’t asked again.
  • Time Machine and Active Backup (Synology) for the Mac.
  • Synced to 2 devices (iPhones) ( Full Sync, currently around 600mb, so doesn’t hurt iPhone at all.)
  • Sync Storage in Dropbox Encrypted.

For the encryption passwords and restore information , I use a password manager with a redundancy of 3+ devices.

I store all my personal doc scans in it.

Welcome @flobow

why not, save one time in your keyring, and one time in your password manager.

You lessen the effective security of using an encrypted database if you store the encryption key in Keychain Access. Just something to consider.

Thank you all for your insightful advice.
Eventually I think I’ll adopt this strategy:

Folders and Backups:

  • Main location → Local machine
  • Backup on Time Machine
  • Backup on Google Drive with Arq


  • All the security provided by Apple