New encryption feature and third-party services

I just saw the release notes for 2.6 and noticed that encryption has been added. I can see how this is a nice feature, but it got me a little bummed out because I’ve been working on a service to enable integration to various cloud-based services (specifically Beeminder, Complice and IFTTT for now). The basic mechanism is that I setup my own WebDAV sync and I have some code that reads the WebDAV’d files and serves out a REST API based on the data.

So on to my question - is this all pretty much borked now that the data will be encrypted? Can I access the encryption keys somehow to supply them to my server-side program? Can I turn encryption off (I promise my todo list is just not that interesting)?


Everything you want to do is still possible, but if you want your code to continue to run on the server, you’ll need to update your code to work with encrypted files.

You can learn more about the overall design from the “Gory Technical Details” thread:

And over in our open source frameworks, we’ve published a sample Python script which can decode an encrypted database:

That said, if there’s any way to do what you’re wanting to do using the OmniFocus local device API rather than reading its database files directly, you’ll insulate yourself from file format changes like these. (But I understand that that isn’t an option if your code has to run in the cloud, rather than on the user’s device where OmniFocus is running.)

I should warn you that encrypting the file format wasn’t the only change that we made in this update: we also set the stage for future improvements by changing the data we write based on the capabilities of the registered devices. You can ensure some stability by registering your service as a “older” device, but that will prevent the user from being able to take advantage of new OmniFocus database capabilities as they are implemented going forward. (For example, we’re planning to move attachments out of band so that large attachments don’t incur such a high cost when compacting the database during a sync.)


@kcase what would be the encryption passphrase in case of using a custom sync server? OmniFocus never asked me the password I want to use to encrypt.

Didn’t quite solve the original question (what is the passphrase), but did figure a workaround -

Basically an explicit username / password is needed on webdav server, this way we can use the webdav server access password as the encryption passphrase.

OF will ask you for a pass phrase once it recognizes that all of your sync clients are upgraded.

One thing I’ve noticed is that the iOS app seems to ask for this pass phrase a lot. Is this the intended behavior? I would’ve thought it would store the pass phrase similar to what it does for the OmniSync password. Note that I only see this when using my own WebDAV sync

As an omnifocus user for the past 5+ years, I think this is the last straw. I’ve had to develop my own method of automating the extraction of my personal omnifocus data for my own custom automated reporting due to Omnifocus not having any sort of API. Instead of developing an API, Omnifocus does the opposite to make it more difficult for me to get access to the data for custom reporting. In my opinion, this makes it more clear that Omnifocus has no intention of ever building an API.

Hey. What is this local device API? I’d love to use it.