Dropbox is a service for backup and synchronization of files, and it runs on Windows, Mac OS X and Linux. As I pointed out before, I’d like to be able to use Dropbox without security torments. I don’t think that the guys who run Dropbox really want to peek inside my files, but the risk that someone else does indeed gain access to my data, accidentally or intentionally, is not negligible. A malicious employee, a security breach, the company is sold… I want to feel safe; I need a solution that, on top of Dropbox, adds the security I need. One of the best things about Dropbox is the ability to run on most computer platforms, so a nice solution to the security problem should also possess this quality. The most portable solution up to now seems to be the addition of TrueCrypt. TrueCrypt is a cross-platform encryption software that, among other functionalities, creates files that can be used as encrypted volumes. The idea is to put these encrypted files (that can be considered as safety vaults) inside Dropbox, and to use TrueCrypt on the local copy of the files to decrypt and access the private data. In this way, the data that is stored inside Dropbox is completely unusable by everyone, except the ones who can decrypt it. The decryption can involve a password that a user must remember, a key file that a user must have in his computer, or both. I like the idea of having both because then, in order to read my data, a potential spy must have:
- The encrypted vault file (located in my Dropbox or any other computer linked to it)
- The key file (located in my computers or inside a USB drive)
- The password (located in my brain)
I think the only feasible attacks to read my data would then be aimed at reading it when I have decrypted it (other than beat me with a 5$ wrench to make me hand over my USB drive and spit out the password).
Installation steps in brief:
- Install Dropbox
- Install TrueCrypt (or use it in Portable Mode)
- Create a TrueCrypt encrypted vault file (with optional key file)
- Put the vault file in a Dropbox folder
- The vault file is automatically synchronized by Dropbox
For each other computer that you want to use to access the vault, you need to:
- Install Dropbox
- Install TrueCrypt (or use it in Portable Mode)
- Synchronize the Dropbox folder (to download the vault file)
- Copy the optional key file
The common use case to access your private data will then be:
- Mount the vault
- Access or modify the files inside the vault
- Unmount the vault
- The vault file is automatically synchronized by Dropbox
Tips to Ubuntu users:
I created a simple script that opens/closes a vault. It can be easily added to the “Applications” menu.
#!/bin/bash
MOUNT_DIR="${HOME}/truecrypt"
VAULT_FILE="${HOME}/Dropbox/Vault.tc"
KEY_FILE="${HOME}/Vault.tck"
if mount | grep "${MOUNT_DIR}" >/dev/null; then
truecrypt -d "${VAULT_FILE}" && zenity --info --text="Vault closed: ${VAULT_FILE}";
else
test -d "${MOUNT_DIR}" || mkdir -p "${MOUNT_DIR}"
truecrypt --keyfiles="$KEY_FILE" "${VAULT_FILE}" "${MOUNT_DIR}" && gnome-open "${MOUNT_DIR}";
fi
Another useful trick for Linux/Mac users is to keep the files in the Dropbox folder, and create a link where you need them using “ln -s target link_name“. For example, you can copy the “places.sqlite” file that is inside your Firefox profile, and contains your bookmarks and history, inside the Dropbox folder, and create a link to it in your Firefox profile folder. Doing so, you can synchronize your Firefox bookmarks for all your computers.
Entries
James Sigley
2009/11/09
I want to create a “dropbox” type website but with encryption. would you be interested in helping? Also checkout i D r i v e.com. this is ultimately what I want to create.
Balau
2009/11/10
Hello James,
unfortunately I don’t think I have the necessary free time to help consistently on a project like yours. I just have the time to hack together a solution with existing tools. If you accept suggestions, I think that a good solution should have:
1. open source client
2. client-side encryption (the server cannot see the content) AND/OR open source server that can be installed at home
3. portable client on different platforms
4. change-driven actions and not polling (using inotify on Linux and something like ReadDirectoryChangesW on Windows)
A possible implementation could be a big “image” file on the server that contains an encrypted filesystem, and the protocol gives you read/write access to the image. This could prove problematic with multiple contemporary accesses or multiple users accessing the same data.
thousand
2010/07/23
The problem with this technique is that if youre vault size ( or whatever your vault size is ) is large , then every time you update a single file in the vault , the entire vault is reuploaded… So if you added or modified a 1KB file, and your vault size is 500MB, you will cause yourself to have to reupload 500MB.
Balau
2010/07/23
I thought so, but actually it doesn’t. I have a 10MB vault file. I tried to change a file inside it and monitor what happens in the network. Here is the result. The screenshot displays what happens when opening the vault, editing a file (a small file actually), closing the vault and waiting for the Dropbox icon to become a green tick (“V”) again, meaning that the files have been synchronized. As you can see, the upload phase is not sending 10MB of data, because it lasts only a few seconds. I don’t know what happens exactly because Dropbox is closed source, but I suppose that Truecrypt changes only a small block of the vault when a small file is changed, and Dropbox synchronizes only the parts of large files that have changed, using some sort of hashing technique to optimize bandwidth. You can try it for yourself if you’re skeptic.
emkersyt
2012/08/05
Maybe I’m wrong but I think using this system one could possibly lose data. If you have two machines using the same vault in Dropbox and you make independently changes to the local files in the Dropbox folder on your drive without any internet connection the file in both cases would not be uploaded. This way you would end up with two different file vaults on your machines.
The first machine regaining internet access would immediately update the file. The other machine would update later while losing the changes made which weren’t updated when made. I think this happens because the file when it’s still encrypted (this be always the case in the Dropbox folder since while you have it opened it just mounts as an extra drive) will just overwrite.
When you close the drive another vault file will be created and uploaded.
Did you experience this kind of situation? I know this case is not too likely but still… it’s your most important data probably.
Balau
2012/08/05
I don’t think there’s a problem of losing data, the situation is similar to having any kind of file on Dropbox and modify it in two places at the same time.
Dropbox will remember the version from which the modification has been done, and declare the second attempt to update as a “conflict”.
See here: What’s a conflicted copy?
Basically you need to merge the two vaults manually by mounting one and the other and merging the changed files inside.