The DEVONtechnologies Blog

Understanding Encryption in Sync

December 8, 2020 — Jim Neumann

When it comes to syncing with DEVONthink, we are often asked questions about what an encryption key is and how you make and use one. Here’s a brief explanation.

Syncing with DEVONthink gives you the option to encrypt the sync data using a very strong AES-256 encryption key. The key is a string of characters of your choice, though it should be memorable or you should record it in a password manager. If you’re only using DEVONthink To Go, it is critical that you know or have recorded the key, as we have no way of telling you what it is should you forget it. If you are using DEVONthink on the Mac and forget the key, you can look it up in Apple’s Keychain Access application. Search there for _DEVONcloudy_. You’ll need to enter the administrative password to show the encryption key in the password field.

The encryption key is used to scramble the data that is being synced. If someone were to access the sync data, any data they’d find would be unreadable without knowing the key you used. This can provide security for your sync data on a cloud service you may have security or privacy concerns about.

Enabling encryption before the first sync

When you enable or create a sync location in DEVONthink’s Preferences > Sync or DEVONthink To Go’s Settings > Sync: Locations, there will be two fields to enter an optional encryption key. Enter it in both fields; the second one is to verify the entry. Then you can enable databases to sync in that location, but you must enter the key before syncing.

Enabling encryption after the first sync

If you have already synced without a key and would like to use one, or perhaps you’d like to change the key you’re using, you must clean the location first. Stored sync data can’t be encrypted after the fact.

  • In DEVONthink for Mac: Control-click the sync location in DEVONthink’s Sync preferences and choose Clean Location. After the clean has been successfully reported in Window > Log, Control-click the location again and choose Show Info. You can now add, remove, or modify the encryption key. Then enable databases to sync again.
  • In DEVONthink To Go: Go into Settings > Sync: Locations, left-swipe the sync location, and choose Clean. A triangle should appear on the sync icon in the bottom toolbar to indicate a log message. Touch the icon and ensure the clean was successful. Then go back into the Sync settings, touch the Edit link at the upper right, and select the sync location. Add, remove, or modify the key and touch Save. You can now touch the sync location and enable databases to sync.

If you are using the same sync location on multiple devices, you can do the clean and change the key on one device, but you will also have to change the key on the other syncing devices. On those, do not clean the location; just follow the steps to change the encryption key.