Why should we worry about privacy if we use an encryption key for syncing?

Hi,

I’ve read lots of warnings against syncing with iCloud and/or with Dropbox.
DevonThink.app itself warns us when setting up syncing: “if you have sensitive data, you may choose not to use iCloud”, for instance.

But, on this thread, Blue Frog wrote:

Questions of privacy, but can be offset using an encryption key.

Since I’m syncing with both Dropbox and iCloud (depending on my databases), my questions are:

  • I am, and have always been, using an encryption key for my Sync Stores. In spite of that, can Dropbox and Apple employees access the (sensitive) files stored in my DevonThink databases? If so, what is the encryption key for?
  • If Dropbox or Apple employees (or the NSA) might read what’s in my DevonThink databases, which other cloud service do you suggest?

Note:
My DT databases are of course only on my Mac’s drive (never on Dropbox or iCloud, as recommended). I therefore assume DevonThink encryption key encrypts my data BEFORE it syncs to iCloud/Dropbox. Can you please confirm?

No one can access your documents on a sync location. Your documents aren’t stored there. And even if they could access the sync data – again, it’s not your documents – the data is stored in an encrypted state and useless to anyone.

1 Like

For us technology challenged old folks, what is the purpose of the encryption key then?

1 Like

what is the purpose of the encryption key then?

To encrypt the sync data. Why do you ask?

Without an encryption key, your data is stored “in the clear” but is not readable. If you inspect the sync store, you cannot see your PDFs, DOCs, or whatever else is stored there. They are stored in a proprietary format and sliced.

With the encryption key, you have another security layer over the normal scrambling/de-constructing the sync data.

1 Like

You’ve had a few replies to this question, but I also wanted to chime in with some thoughts. Understanding how DevonThink/CloudKit/Apple/encryption keys/encrypted databases/etc. all play together can take a bit of time.

What I’m about to describe is my own interpretation of how DT behaves, based upon my having used the product for many years, but also based upon many decades as an IT security expert.

When you create a Database in DT, you have the option of encrypting that data when stored on your local desktop computer, or not. If you choose not to encrypt it, it’s still stored in a local proprietary format, but it does mean that anyone with access to your computer (either in person or remotely, through any remote access capabilities your system may have) can access the information.

If you choose to encrypt your data and assign a (hopefully) secure passphrase to it, you’re effectively creating a “safe” on your computer which requires the combination to open.

In fact, when you start up DevonThink, you will not be able to open your Database until you provide the passphrase for that encrypted database – the combination to the safe. Once you provide that, then for as long as DevonThink is running on your local computer, it’s like having the safe door open. DevonThink, and any applications you may use which script/automate/talk to DT, will be able to freely access the contents of the “safe”. When you quit DevonThink, the safe door is closed and the lock is spun; without the combination the data should not be accessible, by you or by someone with remote or physical access to your computer.

Some people may choose to set a secure passphrase and then let Apple’s Keychain manage the process of providing it to DevonThink in the future - there is a tick box to enable this feature when you open an encrypted database.

Enabling this feature effectively uses your computer login password to access the REAL password for the encrypted DT database. Think of it this way: the Apple Keychain is like another secure safe, and to open THAT safe you need the user’s password that is used to log in to the computer (it’s a bit more complicated than that, particularly on T2-chip-equipped systems where things like Touch ID come into play) – so, if you tick that box to save your DT encrypted database password in the Apple Keychain, then the next time you go to open the database, DT will talk to the Keychain Manager and get the encrypted database password for you. Again, I’m grossly simplifying some of what happens here, and the options you have as the user of the system in how this works.

None of this has to do with syncing though – this is just about how (if) you decide to store your DevonThink data in a database which is encrypted on your local computer, the one you sit in front of.

Let’s say that you have a laptop, and you have a license for DevonThink that you use on that laptop as well as a desktop computer. And you want to have your DevonThink data from your desktop available on your laptop.

That’s where syncing comes into play, and where I would strongly urge you to make use of an encryption password for syncing your data through third-party services (like CloudKit, Dropbox, etc).

When you use an encryption key for syncing, it takes the contents of your open “safe” and encrypts it with that key, and THEN stores it on whatever third-party syncing system you make use of.

Over-extending the safe metaphor, when you use the encryption key for syncing, it’s like taking your information out of your home safe and, when you want to sync it, putting it in another safe, with (preferably) a different combination from your home safe, and then handing it to FedEx, UPS, etc, to convey it to a storage facility somewhere until you ask for it again.

By adding this encryption key, you help reduce the chances that a malicious FedEx employee, or storage facility worker, or government organisation, or any number of other “threat actors” (horrible term, but it’s en vogue) can access your private information now that it’s left the safety of your home and home safe.

When you then use Sync on your laptop with DT installed, you will add a sync location and provide the same password you set up when you created the secure sync option on your desktop computer.

This effectively allows you to ask the storage facility to deliver your portable safe to you, locked and secured, until that sync password is used to open it on your laptop.

There is a catch here, however, that you may want to think about, depending upon how much you care about the security of your data – setting up a secure sync location with an encryption key is only part of the full end to end security of your data.

On that laptop, you still have to import the data from the sync location into a database, and you have to decide if you want that local database on the laptop to be encrypted, just like you may have done on your desktop computer.

If you’re not careful, you can create a situation where you have an encrypted database on your desktop and a strong encryption password for syncing, but no encryption at all on a database on your laptop.

That could put your information at risk.

Thankfully, DevonThink has very good options to let you choose how to secure your data, depending upon the risks you’re personally comfortable taking.

Do note that DevonThink To Go has a few nuances which differ in how this works due to the likely architectural differences on iOS/iPadOS and macOS.

Way more information than you cared to know, but, hopefully someone else will find it of use in understanding the roles that the various bits of DT encryption can play.

1 Like
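The post above describes the sync layer as a second safe: the data is encrypted with the sync passphrase before it leaves the machine, the storage provider only ever holds ciphertext, and a second machine needs the same passphrase to open it. The following is an added example illustrating that model; it is not DEVONthink’s code, and nothing about DEVONthink’s real sync format is assumed. It uses only the Python standard library, so the cipher is a stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, keys derived from the passphrase with scrypt); real software should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a proper library. The “sync store” is a constructed temporary directory, and the sample document is constructed text.

```python
"""Added example: client-side 'encrypt before sync' with stdlib only.

Record layout (an assumption for this example, not a real sync format):
    salt(16) | nonce(16) | ciphertext | tag(32)
"""
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt stretches the sync passphrase into 64 bytes: 32 for the
    # keystream, 32 for the MAC. A fresh salt per record keeps the
    # derived keys distinct even when the passphrase is reused.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # PRF-in-counter-mode stand-in for a real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Desktop side: encrypt-then-MAC the document before it is handed to the sync store."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_sealed(passphrase: str, record: bytes) -> bytes:
    """Laptop side: verify the tag first, then decrypt. Wrong passphrase or
    a tampered record both fail the tag check and raise."""
    salt = record[:SALT_LEN]
    nonce = record[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = record[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong sync passphrase or tampered sync data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def sync_round_trip(doc: bytes, desktop_pass: str, laptop_pass: str) -> dict:
    """Simulate desktop -> sync store -> laptop. The sync store is a
    constructed temp directory standing in for Dropbox/CloudKit."""
    store = tempfile.mkdtemp(prefix="syncstore-")
    try:
        path = os.path.join(store, "record.bin")
        with open(path, "wb") as f:
            f.write(seal(desktop_pass, doc))
        # What a provider employee (or anyone with the store) can read:
        with open(path, "rb") as f:
            record = f.read()
        try:
            recovered = open_sealed(laptop_pass, record)
        except ValueError:
            recovered = None
    finally:
        shutil.rmtree(store)
    return {"provider_sees_plaintext": doc in record, "laptop_recovered": recovered}


if __name__ == "__main__":
    sample = b"constructed sample: passport no. 123456, medical history"  # constructed
    print(sync_round_trip(sample, "correct horse battery", "correct horse battery"))
    print(sync_round_trip(sample, "correct horse battery", "guess"))
```

The result dictionary captures the two points the post makes: `provider_sees_plaintext` is false for whoever holds the sync store, and `laptop_recovered` is only populated when the laptop supplies the same passphrase. Note what the example deliberately does not do: once `open_sealed` returns the bytes on the laptop, nothing here encrypts them at rest. That is the “catch” the post describes, and it has to be handled separately by encrypting the local database on that machine too.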

Thank you for explaining that to me, I appreciate it. Much of what is discussed here is way over my head :)

1 Like

Actually not way more info, and explained in a manner I understand. I have encrypted my database with personal info, but only sync via Bonjour.

1 Like

On a side note: Bonjour sync data is automatically encrypted in transit.

1 Like