Plaintext passwords in /Library/Caches/Metadata/DEVONthink

DEVONthink Tips
1

I want two things:
a) Make users aware, that they might have a leak of sensitive data - and how to fix it easily
b) Verification of the DevonThink Support, that my information is valid.

My situation

I use DevonThink Office Pro (DTOP) to store sensitive information, like useraccounts and passwords in plain text files.

To secure my DTOP-Database, I store it on an encrypted, password protected volume as described here:

My problem

The information from my plain text files show up in
/Users/myUserName/Library/Caches/Metadata/DEVONthink Pro 2/…
See attached images.

220 - Mac OS X - Cache File.png
220 - Mac OS X - Cache File.png776×282 100 KB

The cause

According to this post:

This folder is needed if you want to use Spotlight to search your DEVON database(s).

The solution #1

According to the same post:

If you don’t want this, go to the File > Database Properties and untick the Create Spotlight Index.
If you do want it, you may want to move that folder to the Trash and use the aforementioned panel to Rebuild the index. That will guarantee that the Rebuild starts from a fresh slate.

The solution #2

I could encrypt the plaintext file with a GPG Program outside of DTPO.

@support:
Is all of this correct?

Greetings from Germany
Uwe Schmelzer
200 - Cache Dir.png

2

Yes. This has been discussed in the past. I usually recommend unchecking the option to create a Spotlight index. Even the Names of documents revealed in a Spotlight search might reveal too much information about the content of your sensitive database.

It’s also a good idea, if you have sensitive information, to set up a password to awake from sleep or a screensaver. That’s protective while you leave the computer to get a cup of coffee or whatever.

Of course, don’t write your passwords on a Post-It note stuck to your desk or computer. :slight_smile:

3

Thx for the quick reply :smiley:
Have a nice sunday.
uwe schmelzer

4

I’d like to know if there’s any sensitive information that can be cached by DEVONthink that’s not also in a database (even while temporarily inaccessible on an encrypted volume, like uweschmelzer uses). And can DEVONagent also cache sensitive info?

Maybe this particular risk could be generally mitigated by caches (user-specific and system-wide) being similar to Secure (encrypted) Virtual Memory? But what about unencrypted sensitive info that remains vulnerable (in varying durations), even more easily obtainable than from any caches of it? I wonder when and where benefits of cache encryption would actually exist.

Is disabling Spotlight indexing of Dt databases only a securative [sic] measure while any sensitive info it caches is secured in other ways? Seems at best only partial protection against unwanted access to any info stored in Dt databases. Whenever a db is unencrypted I don’t think it matters to me if caches of it are or aren’t but there might be cases I’m overlooking.