Personally, I would not feel secure with this setup as I understand it.
Right now, all your sensitive data is stored in 1Password. To access this data, one would need:
a) Access to your Mac or your Mac's hard drive, your user account password (for FileVault) and then your 1Password password, since the local database is encrypted separately, or
b) Your 1Password password plus your 1Password secret key to log in online (plus, optionally and highly recommended, a 2FA code or YubiKey)
Of course, one could still actively spy on you with a keylogger, a camera in a hotel room or some sort of trojan to read your 1Password database while it's unlocked, but that's a whole different topic and one where I lack any expertise. (I'm also not an expert on encryption, but at least I have an opinion on that topic.)
From your description, I understand you're planning to store passwords and other sensitive data either in plain text or as encrypted PDFs, probably not with a password as long as your 1Password password.
That means as soon as someone gains read access to your encrypted file system, that person will own your full password list. Yes, that list is encrypted by FileVault, but is your user account password as strong as your 1Password password used to be? Are your iPad's and iPhone's passcodes as strong?
You plan to store some of that data on iCloud Drive. Do you trust that neither a misguided Apple employee nor anyone else, including the government or hackers, will stumble upon your iCloud folder full of unencrypted passwords? Not today, not in the future?
Your backup strategy sounds good, but how secure is that backup data? How strong is the key to your external hard drives, which may be easier to steal and more straightforward to brute-force than your MacBook? (If you know what you're doing, brute-forcing the MB is probably also not as much of an issue anymore, but it's not as straightforward for any unskilled script kiddie, at least.)
Do you use Backblaze's end-to-end encryption, and did you apply a really strong key?
Even if you trust that your data is safe without end-to-end encryption on Apple's servers and that your local password is as super strong as your backups' passwords, there's still the risk that a weakness is discovered in e.g. FileVault or the iPhone's encryption system. And honestly, I really wouldn't trust any data that has been stored in the cloud without strong encryption.
For all your passwords and really sensitive other data (PDFs, notes), I'd go for a separate encrypted volume, preferably using something other than FileVault. For example, you could create an encrypted disk image with VeraCrypt. Make sure to choose a high number for PIM, just for some extra fun.
Especially considering you'll probably only need to access that data very occasionally, and thus won't keep that volume mounted often or for long periods, this will add another, independent layer of security to your storage. (And it doesn't cost much in terms of added friction, since your primary password source will be iCloud Keychain.) Someone spies on you entering your phone's PIN and then steals your phone, gaining access to your Obsidian vault? That's bad, but he or she won't be able to access your passwords.
A horrific bug renders Backblaze’s end-to-end-encryption useless? Well, have fun cracking that Veracrypt volume!
Call me paranoid, but storing clear-text passwords without a second layer of encryption and/or storing clear-text passwords online is an absolute no-go in my personal opinion.
Two separate points:
- I would try and avoid storing all that sensitive data and password lists in several different, potentially redundant places. I'm not talking about backups, but about storing some passwords in Obsidian/iCloud, some in Apple Notes, some in separate PDF files etc. Maybe you're better at housekeeping, but on my device, this would lead to outdated data being stored in some places, me not being sure what's still current and what is not, and me eventually deleting the wrong files/notes.
Might be that I simply misunderstood you, though, and you’re talking about e.g. storing your license keys in Apple Notes, your passwords in one backup list, and your medical records in encrypted PDF files.
- I haven't read a lot about iCloud Keychain yet, but if that's encrypted and unlocked by just your iCloud password, don't forget to increase your iCloud password's strength.
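The post above recommends a VeraCrypt container with a high PIM as an independent second layer. As an added example (written here, not part of the post above and not VeraCrypt's own code), the script below shows what the PIM actually buys you: it maps a PIM to VeraCrypt's documented PBKDF2 iteration count, derives a header key the way VeraCrypt's header key derivation works (PBKDF2-HMAC over the chosen hash with a 64-byte salt), and scales one measured derivation to estimate how long a password-guessing attacker has to spend per guess. The password, the zero-filled sample salt and the guess counts are constructed inputs; the timing is of this CPU only, and the script is a model of the key derivation, not a parser for real volume headers.

```python
"""Added example: what VeraCrypt's PIM (Personal Iterations Multiplier) does
to the cost of guessing a container password. Not VeraCrypt's own code."""
import hashlib
import os
import time

SALT_LEN = 64         # a VeraCrypt volume header carries a 64-byte random salt
HEADER_KEY_LEN = 64   # AES-XTS needs two 256-bit keys


def iterations_for_pim(pim: int, system_volume: bool = False,
                       hash_name: str = "sha512") -> int:
    """Map a PIM to a PBKDF2 iteration count using VeraCrypt's documented formulas.

    File containers and other non-system volumes, any hash:
        iterations = 15000 + PIM * 1000   (default PIM 485 -> 500,000)
    System encryption with a hash other than SHA-512/Whirlpool:
        iterations = PIM * 2048           (default PIM 98 -> 200,704)
    """
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    if system_volume and hash_name.lower() not in ("sha512", "whirlpool"):
        return pim * 2048
    return 15000 + pim * 1000


def derive_header_key(password: str, salt: bytes, pim: int,
                      hash_name: str = "sha512") -> bytes:
    """PBKDF2-HMAC over the chosen hash: the password and salt become the key
    that decrypts the volume header. Modelled on VeraCrypt; not a header parser."""
    if len(salt) != SALT_LEN:
        raise ValueError("VeraCrypt salts are 64 bytes")
    iterations = iterations_for_pim(pim, hash_name=hash_name)
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, HEADER_KEY_LEN)


def time_one_guess(pim: int, hash_name: str = "sha512") -> float:
    """Wall-clock seconds for one derivation on this machine (constructed input)."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    derive_header_key("correct horse battery staple", salt, pim, hash_name)
    return time.perf_counter() - start


def seconds_per_guess(pim: int, measured_pim: int, measured_seconds: float) -> float:
    """PBKDF2 cost is linear in the iteration count, so one timing at a small
    PIM predicts the per-guess cost at any other PIM."""
    return measured_seconds * iterations_for_pim(pim) / iterations_for_pim(measured_pim)


def crack_time_seconds(pim: int, guesses: int,
                       measured_pim: int, measured_seconds: float) -> float:
    """Single-threaded time for an attacker to try `guesses` passwords."""
    return guesses * seconds_per_guess(pim, measured_pim, measured_seconds)


if __name__ == "__main__":
    probe_pim = 1                         # 16,000 iterations: a cheap calibration run
    probe_seconds = time_one_guess(probe_pim)
    for pim in (485, 2000, 10000):
        per_guess = seconds_per_guess(pim, probe_pim, probe_seconds)
        years = crack_time_seconds(pim, 10**9, probe_pim, probe_seconds) / (365 * 86400)
        print(f"PIM {pim:>6}: {iterations_for_pim(pim):>11,} iterations, "
              f"~{per_guess * 1000:7.1f} ms per guess here, "
              f"~{years:9.1f} years for 1e9 guesses on one core")
```

Two things to read off the numbers: the PIM multiplies the attacker's per-guess cost (and yours, once, per mount), so a container you open rarely can afford a PIM far above the default; and a GPU-equipped attacker runs many derivations in parallel, so treat the single-core estimate as a floor and keep the password itself long. A high PIM makes each guess slower; it does not make a short password safe.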