After new encryption, OF asks for the passphrase frequently

After I migrated my database to use the encryption, OmniFocus 2 on Mac frequently asks for the passphrase. If I type it in, it will sync just fine, but sometime later the pop-up for passphrase appears again.

I sync over a webdav server, which was rock solid before.

Since I don’t see any error in log, I wonder what I can do to trouble shoot this?

1 Like

I suspect it’s bug related.

I set up a fresh database and try to sync with webdav server. It’s always the second device which I sync that suffers from constant password-asking popup.
If I set up Mac first, only iPhone client has problem. If I set up iPhone first, only Mac client has problem.

I’m scratching my head right now. Maybe it’s my fault to try it out so soon. Glad I have backups.

I have the same problem, only the problem only occurs on my iOS devices (iPad and iPhone). The desktop version works fine. The iOS version ask for the sync password regularly (I suspect every time the app has been removed from memory after not using it). I also use my own WebDAV server to sync and did not have any problems before the database was encrypted.

OF on my Mac did not ask about a passphrase, it just asked whether I want to start encrypting - then it asked for keychain access - but no question about a passphrase. Now my iPhone is asking for a passphrase, but I never entered one when my database was encrypted. What is my passphrase?

I suppose I can find it somewhere in my keychain, but I don’t know where it is stored.

Same problem here. I was asked for a passphrase too.

I pressed cancel and moved on. I haven’t been asked this on my iPhone and iPad however. What is one supposed to do? Help please?

There are a couple possibilities as to what’s going on here. Unfortunately it’s a hard one to deal with collectively.

In this iteration of our encryption scheme, we use your WebDAV password as an encryption passphrase. In normal operation, you should never be prompted for a passphrase because we already have your WebDAV password (and in fact, this is not a problem that appeared during our long public test). This is part of the reason for the lack of explanation in the passphrase prompt itself.

The scenarios where this usage of the WebDAV password breaks down are:

  1. When each client uses a different password to access the same WebDAV share - the database encryption passphrase will be changed by each client in turn, to a passphrase that the other clients don’t have stored in their keychain.

  2. If there are multiple keychain entries stored for a given url in the keychain, and the keychain API supplies us with the wrong one.

In the second case, you may be able to get around the problem by reverting to a pre-miration backup, and then re-migrating on an iOS device, which doesn’t tend to have the problems with keychain API. Unfortunately the first case is not currently supported and there’s no workaround, so you’ll want to revert and hold off migrating until we implement a separate encryption passphrase (soon).

Of course, if you have any questions feel free to ask them here or email omnifocus@omnigroup.com.

1 Like

Hi Dave!

Thanks for the explanation.

As you suggested, I reset syncing on my phone, removed the OF files from the webdav server and reset sync on my mac, then reverted to the backup on my mac, activated sync again, migrated from my phone and then it worked again. My Mac asked me for the encryption password, I gave it my webdav password and it was fine with that.

EDIT: At first OmniFocus on my Mac was asking for my encryption password after every startup of the application. After intense research in my keychain I found one item that has the same name which still contained an old password. My keychain contains about a dozen different items for my webdav server which all have the same name and are used by various applications, it seems a bit random which app tries to access which item - but that is not your fault - the design of the keychain seems a bit outdated.

My suggestion to the others: Just throw out all the old keychain items and after updating your password in your all your apps it should be fine.

1 Like

Thanks for sharing your experiences, @rolandu! It sounds like there is definitely a way to lick this annoying password problem.

When you say “reset sync” for the phone and for the Mac, you mean start over with a completely blank database, right? As is explained here: https://support.omnigroup.com/omnifocus-reset-database/ ?

When @dave talks about a pre-migration backup, that sounds to me like a backup from before when I updated OF to the “problematic” version. But that is over a week old in my case and I would lose all sorts of stuff. I hope that’s not what you mean, is it?

Just to make sure I got this right, let me describe the procedure as I understand it in my own words:

  • make one last backup of the database on the Mac
  • reset the database on the phone to an empty database using the instructions in the link I mentioned above, and deactivate sync
  • delete the file on the Webdav server
  • reset the database on the Mac to an empty database and deactivate sync
  • on the Mac revert to the last backup you made
  • activate sync on the Mac again, thus creating a copy on the webdav server
  • activate sync on the phone again, thus copying the database to the phone

Does that sound right? Sorry if I’m being obtuse, but I want to understand the steps exactly before I try them myself.

  • make one last backup of the database on the Mac.

Not needed, but won’t hurt anything if you have the disk space. One is made automatically when you Migrate. It will be labeled with Before Migrating on both Mac and iOS.

  • reset the database on the phone to an empty database using the instructions in the link.

This could risk data loss and is only done as a last resort if your data is corrupt. It sounds like your data is in good shape, but the password isn’t being found in the keychain as expected on all devices. I’d skip this one.

  • I mentioned above, and deactivate sync delete the file on the Webdav.

Please don’t delete. This may cause new problems without resolving the current one.

  • server reset the database on the Mac to an empty database and deactivate sync on the Mac revert to the last backup you made

Yes, but you should already have the backup on the device you migrated on. It is titled with Before Migrating. Restore it without doing any of the other steps mentioned. If the Mac is the device syncing without password prompts, use File>Replace Server Database instead.

  • activate sync on the Mac again, thus creating a copy on the webdav server activate sync on the phone again, thus copying the database to the phone

No activation/deactivation should be required to resolve this issue, but as long as you aren’t deleting or resetting your database it is safe to deactivate/reactivate if you want to.

While you aren’t getting this specific error, try the steps outlined at https://support.omnigroup.com/omnifocus-no-key-in-slot/ to reset your database and then migrate again. I’ve added a few suggestions for the cleanest possible migration, although many of them are optional.

If you have multiple accounts/password, this isn’t supported currently. What you want to do in that case is still use the steps to restore you pre-migration backup, then make sure you are using only one account/password before migration. Alternately, you can decide to put off migrating for now.


Suggestions for the best possible migration experience:

  1. Start with a cleaned up database following the steps in https://support.omnigroup.com/reduce-size-omnifocus-database/ so that you have your best performance possible on all devices.
  2. Quit OmniFocus on all devices except the one you want to Migrate on.
  3. Tap Migrate Database (iOS) or click the Migrate Database (Mac) button once and wait for migration to finish.
  4. Launch OmniFocus on other devices and sync. Now you are updated on all devices and should have a fresh set of matching data that is all migrated to the new format. If you do sync to a device that is new, the password is the same password for your account on the device you migrated on.

A few things to avoid unless it is a last resort or support asks you to are deleting your main database, deleting and reinstalling the app on iOS (this kills all of your backups on that device), and resetting your database. These extreme measures are sometimes needed, but whenever possible, we try to use less risky alternatives.

I hope this helps! If there is anything we can do to help you resolve this or answer questions more specific to your configuration, please reach out to support.

+1 206-523-4152 or 800-315-OMNI (10a-5p PDT M-F) omnifocus@omnigroup.com

I am having this problem. Went from a stand alone to try to sync with iOS device. Tried to use the cloud service, then tried to sync with phone. Never used a webdav, and still getting the constant request for the omni11.encryption password. I’ve tried deleting the keychains, reinstalling the application on my phone… nothing seems to work. I’m getting really annoyed!

Please telephone or email us so we can help you get this sorted out. As noted above, you can reach us at 1-800-315-6664 or omnifocus@omnigroup.com. Thanks!