You’ve had a few replies to this question, but I also wanted to chime in with some thoughts. How DevonThink/CloudKit/Apple/encryption keys/encrypted databases/etc all play together can take a bit of time to fully understand.
What I’m about to describe is my own interpretation of how DT behaves, based upon my having used the product for many years, but, also based upon many decades as an IT security expert.
When you create a Database in DT, you have the option of encrypting that data when stored on your local desktop computer, or not. If you choose not to encrypt it, it’s still stored in a local proprietary format, but it does mean that anyone with access to your computer (either in person or remotely, through any remote access capabilities your system may have) can access the information.
If you choose to encrypt your data and assign a (hopefully) secure passphrase to it, you’re effectively creating a “safe” on your computer which requires the combination to open.
In fact, when you start up DevonThink, you will not be able to open your Database until you provide the passphrase for that encrypted database – the combination to the safe. Once you provide that, then, for as long as DevonThink is running on your local computer, it’s like having the safe door open. DevonThink, and any applications you may use which script/automate/talk to DT, will be able to freely access the contents of the “safe”. When you quit DevonThink, the safe door is closed, and the lock is spun; without the combination the data should not be accessible, by you, or by someone with remote or physical access to your computer.
Some people may choose to set a secure passphrase and then let Apple’s Keychain manage the process of providing it to DevonThink in the future - there is a tick box to enable this feature when you open an encrypted database.
Enabling this feature effectively uses your computer login password to access the REAL password for the encrypted DT database. Think of it this way, the Apple Keychain is like another secure safe, and to open THAT safe you need a user’s password which is used to log in to the computer (it’s a bit more complicated than that, particularly on T2 chip equipped systems where things like TouchID come into play) – so, if you tick that box to save your DT encrypted database password in the Apple Keychain, then, next time you go to open the database, DT will talk to the Keychain Manager and get the encrypted database password for you. Again, I’m grossly simplifying some of what happens here, and the options you have as the user of the system in how this works.
None of this has to do with syncing though – this is just about how (if) you decide to store your DevonThink data in a database which is encrypted on your local computer, the one you sit in front of.
Let’s say that you have a laptop, and you have a license for DevonThink that you use on that laptop as well as a desktop computer. And you want to have your DevonThink data from your desktop available on your laptop.
That’s where syncing comes into play, and where I would strongly urge you to make use of an encryption password for syncing your data through third-party services (like CloudKit, Dropbox, etc).
When you use an encryption key for syncing, it takes the contents of your open “safe” and encrypts it with that key, and THEN stores it on whatever third-party syncing system you make use of.
Over-extending the safe metaphor, when you use the encryption key for syncing, it’s like taking your information out of your home safe and, when you want to sync it, putting it in another safe, with (preferably) a different combination from your home safe, and then handing it to FedEx, UPS, etc, to convey it to a storage facility somewhere until you ask for it again.
By adding this encryption key, you help reduce the chances that a malicious FedEx employee, or storage facility worker, or government organisation, or any number of other “threat actors” (horrible term, but it’s en vogue) can access your private information now that it’s left the safety of your home and home safe.
When you then use Sync on your laptop with DT installed, you will add a sync location and provide the same password you set up when you created the secure sync option on your desktop computer.
This effectively allows you to ask the storage facility to deliver your portable safe to you, locked and secured, until that sync password is used to open it on your laptop.
There is a catch here, however, that you may want to think about, depending upon how much you care about the security of your data – setting up a secure sync location with an encryption key is only part of the full end to end security of your data.
On that laptop, you still have to import the data from the sync location into a database, and, you have to decide if you want that local database on the laptop to be encrypted. Just like you may have done on your desktop computer.
If you’re not careful, you can create a situation where you have an encrypted database on your desktop, a strong encryption password for syncing, but, no encryption at all on a database on your laptop.
That could put your information at risk.
Thankfully, DevonThink has very good options to let you choose how to secure your data, depending upon the risks you’re personally comfortable taking.
Do note that DevonThink To Go has a few nuances which differ in how this works due to the likely architectural differences on iOS/iPadOS and macOS.
Way more information than you cared to know, but, hopefully someone else will find it of use in understanding the roles that the various bits of DT encryption can play.