My unencrypted sync hell ... and my salvation

June 24, 2012

Over the last couple of years I’ve spent a lot of time thinking about task-management applications (I’m notorious for having bounced around frequently between OmniFocus, Things, and The Hit List), and the ways in which their data is synced across instances of their apps.

While each of the “big three” task-management apps for the Mac now provides a native OTA sync service, none of these services encrypts your data at the point of storage. Sure, the communications between your devices and their sync server may be secure, but the data itself isn’t. I find this kind of unbelievable, and frankly, a bit odd, as I think most users of these services would be willing to sacrifice a little speed for a lot of security. (If you spend any time on these apps’ support sites, you’ll see that all of them say they may offer this sort of thing in the future, but it’s most certainly not a priority.)

A while ago I settled, finally, on OmniFocus, despite its Mac app being kind of a visual abomination. While I probably still prefer The Hit List overall, I’m not confident in its future development, and Things really is too simplistic for what I need these days.

I use OmniFocus a lot. Probably more than 99% of users out there, actually. And, because of my particular job, all day long I deal with nothing but highly-confidential and highly-sensitive information. It’s not an option for me to leave this data sitting unencrypted on some machine over which I have no control.

The way I see it, I have three options.

Local WiFi sync

This is what I was using until a few months ago, and it works well. I kept the canonical database on my main machine (a MacBook Pro), against which I synced OmniFocus running on an iPhone, an iPad, and a MacBook Air (work). Obviously, by having kept all of the databases “local” to me (and not on a remote server out of my control), it was a relatively secure setup.

I don’t think I ever had a problem with it, except it could be a bit bothersome. By definition, it required the syncing devices to be on the same local network and running OmniFocus at the same time. As you can imagine, this could be incredibly annoying, especially when, for example, I wanted to get something from my phone to my work machine, as I’d have to go through two levels of syncing, and I’d have to actually remember to do it.

(The Hit List doesn’t support local WiFi sync at all, and it seems like Things may eventually deprecate the feature. Huh?)

Be cryptic

Another option is to be very, very cryptic, but this of course adds another layer of abstraction onto what is, for me, an already almost-impossible-to-manage list of stuff. It’s not an option for me.

Third-party, encrypted-everywhere WebDAV

OmniFocus’ saving grace when it comes to secure sync is the ability to use your own WebDAV server, whereby, via HTTPS, you can ensure that communications between your device(s) and the WebDAV server are secure. The final piece of the puzzle is using a WebDAV service that encrypts your data at the storage site and doesn’t have access to the key—if you lose the key, you lose your data.

There are a few of these services out there, and after a little research I settled on CloudSafe. While I could have gotten away with their free plan (because I’m using, quite literally, less than 5MB of data), I opted for the $3/month plan because I want to support their service.

Setup was a total breeze, and in the few months that I’ve been using it I’ve yet to have a single issue.

Ah, my tasks, synced between four devices automagically and without thought, encrypted every step of the way. Feels good.
