Request: Encryption at Rest on Local Machine

I was excited to read about the encryption features of OmniSync because I was hopeful that it meant that the data was really encrypted end to end, but it’s only encrypted when the transfer to OmniSync starts.

I took OmniFocus off of my work machine when the Apple sandbox rules forced me to store my OmniFocus data on the hard disk (I used to keep it on SD card volume). I really don’t want my mixed personal/professional information sitting on my work machine. I’ve been using the OmniFocus inbox to funnel tasks into OmniFocus, etc., but it would be much nicer if I could use the full client no matter which machine I was sitting at.

It would be great if the data at rest could be encrypted. My hard disk is encrypted, but sys admins and management scripts can still access the encrypted drives, search content, etc., so I’d rather they just found a wad of encrypted content rather than all of my stuff in clear text.

I did a cursory search and didn’t find this discussed anywhere. Anyone else interested in local, at rest encryption or know of any reasonable workarounds?

Yeah, the data at rest is stored in an XML file. But given it’s actually in a .zip file that’s buried deep within ~/Library/Containers I’m not particularly worried about it.

With full disk encryption, I’m just not that worried about hiding the content in there from prying IT department eyes. I wouldn’t put anything in OF on a work machine that was a hugely big deal if administrators were to see it. And I think having every application do its own data-at-rest encryption without support of the OS seems like a ton of extra work and complexity for not that much additional gain.


Hi @Vramin ,

I have the exact same concern you have and fortunately there’s a way that will work with OmniFocus, and any other app that relies on containers.

Assuming you have your (encrypted) SD card volume already mounted (let’s call it SDCARD), do the following in a terminal shell. We will move the whole container to your SDCARD and then create a symlink from the SDCARD to your ~/Library/Containers folder. Please make backups of your data before you do this. If you are not comfortable with the terminal shell, try this with the default tutorial project database.

cd ~/Library/Containers
mv com.omnigroup.OmniFocus2 /Volumes/SDCARD/
ln -s /Volumes/SDCARD/com.omnigroup.OmniFocus2 ./

Once you start OmniFocus you should see your regular database populated with whatever tasks/projects you currently have.

Hope this helps! #encryption4thewin ;)
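The move-and-symlink steps from the post above, wrapped with the checks that matter for the at-rest goal, as an added example that is not part of the original post or of OmniFocus. The function names and the `ALLOW_SAME_FS` switch are assumptions made for this sketch; the key check is that the target really is a separate mounted filesystem, because an unmounted /Volumes/SDCARD path would silently keep the data on the internal disk.

```shell
#!/bin/sh
# Helper names are constructed for this example; quit the app before running.
# Usage with the names from the post:
#   relocate_container "$HOME/Library/Containers" com.omnigroup.OmniFocus2 /Volumes/SDCARD

# Print the device backing a path (first column of POSIX df output).
fs_device() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# Succeeds only if CONTAINERS_DIR/NAME is a symlink resolving to VOLUME/NAME.
container_is_relocated() {
    [ -L "$1/$2" ] || return 1
    real=$(cd "$1/$2" 2>/dev/null && pwd -P) || return 1   # fails if link dangles
    want=$(cd "$3/$2" 2>/dev/null && pwd -P) || return 1
    [ "$real" = "$want" ]
}

# relocate_container CONTAINERS_DIR NAME VOLUME
# Set ALLOW_SAME_FS=1 only for dry runs in scratch directories.
relocate_container() {
    src="$1/$2"; dst="$3/$2"
    # Source must be a real directory, not a symlink left by an earlier run.
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        echo "not a plain directory: $src" >&2; return 1
    fi
    # Never overwrite a copy that already exists on the volume.
    if [ ! -d "$3" ] || [ -e "$dst" ]; then
        echo "volume missing or target exists: $dst" >&2; return 1
    fi
    # If the volume is not mounted, its path sits on the same device as the
    # container and the "move" would leave the data on the internal disk.
    if [ "${ALLOW_SAME_FS:-0}" != 1 ] &&
       [ "$(fs_device "$1")" = "$(fs_device "$3")" ]; then
        echo "$3 is on the same filesystem as $1" >&2; return 1
    fi
    mv "$src" "$dst" || return 1
    # Roll back if the link cannot be created, so the app still finds its data.
    if ! ln -s "$dst" "$src"; then
        mv "$dst" "$src"; return 1
    fi
    container_is_relocated "$1" "$2" "$3"
}
```

`container_is_relocated` can be run on its own later to confirm the container still resolves onto the encrypted volume, for example after a reboot when the card may not be mounted.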

Thanks, @rodgtd. I’ll give it a shot. I tried using a symlinked folder when they first started using the containers and it did not work, don’t remember what errors I got. I probably just tried to link the data folder or something instead of the container.

Actually it was much easier than that. The installer now gives you the option to keep your data in the cloud, so I just chose that option and used the data off the sync server. It doesn’t appear that any of the data hits the local disk (container only has symlinks to some local folders).

Problem solved!

Ummm… no. There is data stored on your local drive, in ~/Library/Containers/com.omnigroup.OmniFocus2

Still… REALLY, it’s just best to not worry about this. If you have data you absolutely 100% do NOT want work to be able to access on a machine they control… use your personal iPad.