Dropbox and BoxCryptor: The Dangers of Encrypting Your Digital Life

In my never ending quest to get organized, I’ve been forced to explore the world of encryption.  I set up Dropbox to use as my primary drive for all my digital document filing.  Because my Dropbox files are replicated to all my machines at home and work this has caused a security problem at work.  We’re not allowed to store sensitive data on our local drives, and my own files will set off their security scanner.  So I’m being forced to encrypt my own documents.  Normally Dropbox encrypts your files for transfer over the net and at their storage site, and I’ve considered that good enough security.  However, I started thinking what would happen if someone came into my office when I just had stepped out.  Before Windows times out and locks my machine, people could see my home files in Dropbox, so I felt it was the time to study encryption programs.

We’re being forced to use TrueCrypt and BitLocker at work, so I was having to learn about this topic anyway.  It’s a scary subject because if you’re not careful you’ll lock all your critical files into an encrypted volume and you won’t be able to open it again. 

At first I thought I just set up a TrueCrypt volume inside of Dropbox, but I read there were some issues with that.  Dropbox sees TrueCrypt as a single file, so if you have a gigabyte of data locked down, that’s a lot for Dropbox to handle over the internet.  Doing some Google research I discovered BoxCryptor.  BoxCryptor encrypts file by file, so the overhead for Dropbox is much lighter.

BoxCryptor

BoxCryptor is free for personal use as long as you only create one virtual drive.  BoxCryptor creates virtual drives.  Save something to its drives and it’s automatically encrypted.  It works with Dropbox, SkyDrive and other cloud drive services, as well as regular drives.   After you install BoxCryptor you mount the drive and use this access point to see the files unencrypted. If you don’t mount the drive and browse to the BoxCryptor folder within Dropbox you’ll see your files, but they won’t open.  And evidently, with the free version, you’ll see the filenames unencrypted, they just won’t open.  It appears if you buy the full version ($44.99), it will encrypt the filenames too, if you want.

Encrypting your files can be dangerous.  If you forget your password, kiss those precious documents goodbye.  Unless you’re a master NSA hacker, you’ll have no chance of ever opening them again.  Also, there’s a file listing in your BoxCryptor folder called .encfs6.xml.  Delete it and access to your files are long gone too.  Wow-wee – just thinking about all this makes me nervous.

Using encryption is not for the unfocused mind or scatterbrain user.

Here’s the thing.  We’re moving into an age where all our personal information is digital.  It’s our responsibility to back up our digital life.  Dropbox is a good way to do that, but Dropbox stores your files in the Cloud.  If you’re paranoid about who can see your files you’ll need to think about encryption. 

Encryption takes extra work, extra precautions and can be a very risky endeavor if you’re careless.

Some people encrypt files because they worry that Cloud storage sites might peak at the good bits in their private files.  Other people encrypt their documents because they’re afraid their computers will be stolen and bad guys will steal their identity.  Still other people encrypt files because they don’t want people at home or at the office to mess with their stuff.  Criminals encrypt files because they don’t want the police or FBI use them as evidence.  There are many reasons to encrypt files.  You have to decide if its worth the effort.

When you encrypted a folder with BoxCryptor or TrueCrypt you’ll have to create a strong password that you must not forget, and you’ll be required to save a configuration key file that you should backup carefully.   If something happens to your machine and you want to recover your files from a backup to a new machine, you’ll need that configuration key file.

If you encrypt your life its very important how you handle the password and configuration key.  If your documents are very important you might want to put your passwords and keys into your will.  If a husband encrypts all his financial records and then dies, his wife won’t be able to see them.  If you’re an author and you last manuscript is encrypted, it won’t get published unless you’ve made provisions for your heirs to unlock it.

And it’s important how you configure BoxCryptor.  If you want to just hide your files from Dropbox, just use the defaults.  If you want to hide files from people that can access to your computers (either at home, work or at the thieves hideout), then don’t configure the mount drive to automatically remember the passwords.

JWH – 2/3/13

31 Responses

  1. I find it funny that your first post after “Am I losing my Memory?” is about setting up an encryption. If your memory is going, I hope passwords aren’t the first thing to go. :)

    I’d never hook my home computer’s dropbox up to my work computer. Seems like a bad idea.

  2. That’s why I’ve written my super-secret password down in a super-secret place. Hope I don’t forget that too.

    The plus about hooking Dropbox to a computer out of the house is it gives you an off-site backup.

  3. [...] Choosing your personal passphrase in the most important step. If you lose your password there will be no chance to restore your data because BoxCryptor does not store any password related files. That’s the whole idea behind it. Only you should have access to your files. Make sure you choose a random secure password of at least 8 digits with symbols. Memorize it! And better yet: don’t configure your password to be remembered.  [...]

  4. Good article on BoxCryptor. One tip to avoid the pitfall of loosing access to all your file: Backup! No excuses for forgetting your password, but if that XML files damaged or deleted you need a backup of your files somewhere safe (outside of BoxCryptor) in the same way you’d need a backup in the event of a drive failure.

    I use Dropbox to safely sync files between home, work and mobile devices. I use BoxCryptor in case any of those mobile devices are lost or stolen. As I consider my home to be safe and secure I simply backup Dropbox to an external drive weekly. That includes my BoxCryptor files in encrypted form and the XML file. So, I believe, if I ever lose the XML file I should be able to recover it from backup.

    The XML file is a key, not a file list, so you only need to back it up when you first set up a BoxCryptor drive. So, even if you don’t do a local backup of all your files, at least put a copy of this key on a CDR or a second drive on your main PC if you have one, for safe keeping.

  5. As a “not-ever-going-to-fully-recover-but-did-make-it-out-alive-though-altered-emotionally-for-life” survivor of my encrypting disaster, I can only offer this bit of advice to those about to protect their stuff: make certain your health and life insurance policies are as encompassing as possible. When I lost ALL of my passwords, and EVERYTHING else of importance in my life to an app on my iPod Touch, I wanted to simultaneously shoot myself, slit my throat, and jump of a bridge. The only thing that saved me was it took hours to find the gun, was out of ammunition, the knives were all dull, and I never did find a bridge within a hundred miles of here high enough to jump off. The app was state of the art, as was the encryption methodology, and my password so “super-duper” as to have qualified as a masterpiece. What wasn’t known to me was that if you entered the password three times in a row, and those entries were wrong, the app would devour everything, with no possible way to retrieve the data. Save yourselves people! Oh, and best of luck.

    • That’s the kind of encryption story that makes me think I’d be better off risking hackers finding my personal stuff. So far I haven’t trusted everything to BoxCryptor. I kept a copy of my stuff on my main computer that’s not encrypted.

    • To store ALL of your passwords on your device was a huge classic error. NO BUENO my friend. A password you can not remember is of no value. And to have multiple of those is a sure plan for a suicide mission. LOL

  6. Personal encryption pose these problems. Of-course losing even one employee password will be a total disaster in a business. Another problem is that you need to give the password away for Dropbox sharing of encrypted files which is probably the most important place to apply encryption.

    Take a look at Sookasa – http://www.sookasa.com. We address enterprise level Dropbox encryption and compliance (mainly for legal and healthcare) we will offer a free version too.

    An independent review made for New York State Administrative Law Judges Association by judge Eric Zaidins:

    http://www.nysalja.org/2013/03/sookasa-dropbox-a-marriage-made-in-heaven-and-the-cloud/

  7. Thanks for the writeup, James! It’s helpful to weigh the pros and cons of encrypting our digital lives. We can too tightly guard our data and possibly lose access to it if we’re careless. Or we could possibly open ourselves up to identity theft, etc., if our laptop is stolen and our sensitive information is easily accessible. It’s definitely a balance!

  8. Within the latest version of Boxcryptor your username, KEYS AND PASSWORD are stored on the server of Boxcryptor. For when you login through the Web, Boxcryptor asks for your PASSWORD in order to identify you. ( https://www.boxcryptor.com/app/ ) Thus IMHO Boxcryptor is inherent UNSAVE (since the people of Boxcryptor know your keys AND password AND can decrypt your files in Dropbox or any other cloudstorage you happen to use. Or am i mistaken somehowe? What is your response to this?

    • This is an interesting situation. I’m still very afraid of trusting Boxcryptor completely because if I loose my password, or it fails to work, I’ve lost access to some very important files. Right now my solution is to have an un-encrypted backup, but that’s a pain to keep two file systems in sync.

      Depending on how Boxcryptor holds your keys and passwords that might offer a kind of safety net. What I worry about is other people seeing my financial records, like a burglar stealing my computer or iPad. If I felt safe assuming that people at Boxcryptor didn’t look at my files, and we often trust institutions with our data not to misuse it, then it might be safer to have a credible agency protecting a copy of our passwords and keys.

      This is why I’ve always wanted the creation of a Federally monitored Data Bank – like we have for money banks.

    • I thought I would try to clarify something about passwords. The Boxcryptor application on your computer asks for your password, but the password is never transferred to the servers or anywhere. Here is the quote from the Boxcryptor website:

      “Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password – which is never transferred to us or anyone.”

      The people at Boxcryptor cannot decrypt or access your files. That is what makes it zero knowledge.

  9. Nice article, but there is one correcton that ought to be made.
    to wit: Truecrypt updates block by block in DropBox. Therefore, if you change one file, only the blocks containing that file (actually just the blocks containing your changes!) will be updated by DropBox. The process can been faster than BoxCryptor. Go ahead a try it.
    Thanks for the warning about encfs6.xml. I agree: wowwee! All that work and to rely on the integrity of a single HTML file…

  10. When I think about encryption, my main concern is identity theft. There are a lot of files on my computer that are not at all sensitive. There is no real point in encrypting them. However, I do have files that could do a lot of damage to me and others in the hands of an identity thief, ranging from financial records to tax files.

    I use Dropbox, Google Drive and Skydrive to back up documents. In addition, I back up files to a local drive. Even though files are encrypted on these services, the opportunity exists for an employee of one of these companies to steal this data. That is one point to consider when thinking about encryption. The other main concern is the theft of your computer, especially if it’s a laptop. If you have sensitive files stored on it without encryption, you are seriously at risk.

    My recommendation is to do both local backups in a raw form as well as cloud backups. Both the cloud backups and data on a local hard drive should be encrypted. That local raw backup should be properly stored-in a safe if possible, or in a place that a thief wouldn’t really look. There will be places, even in a small apartment, that a thief will not bother with. They want to get in and out fast.

    Lastly, make sure that spouse or family member has the encryption key and/or knows where that backup drive is.

  11. One other thing to consider. Think about the viability of these services as companies. It makes little sense to back up a lot of data to a company that might not exist tomorrow.

    I find it a bit frustrating that Truecrypt is not yet ready for Windows 8. It was launched nearly a year ago. I know this is open source software so development takes some time, but it does raise concerns that I might not be able to access my encrypted files if I get a new computer. Shame on MS for not making Bitlocker available on all Windows 8 systems.

  12. This is a really good article.
    I was going to encrypt all my photos on skydrive howevernow I’m thinking of leaving them unencrypted.
    If anyone hacks the photos, not the end of the word.
    Most importantly they will be there for my children to keep rather then losing them to encryption.

    • Yeah, encryption is very powerful and dangerous. It’s needed only for documents you definitely don’t want anyone to see. And even then, ones that you will take extra precautions with when you encrypt.

  13. Hey. Tx for this great article. Right now I’m putting a lot of (private) stuff on dropbox. And I’m not comfortable with this.I will encrypt some of it soon, no doubt. Here is my share of ideas for those who care ;-)

    I use keepass and very complex passwords for all my needs. Keepass uses an encrypted database. Therefore I don’t really need to encrypt it.

    All the other critical data will be encrypted. I can’t lose my key as is will be in keepass. Keepass also allow to save files. So the XML will be there too.

    Additionally, I will plan a backup of uncrypted data from my home computer to an encrypted tar file which will be uploaded to a remote server or any cloud backup storage, In case of corruption, I will be able to restore from that encrypted file. I will also keep it’s key into the keepass database.

    The weak point here for sure is my memory, and most of all my keepass database :) The next thought to have is how to ensure I will always be able to access my keepass data again if I lose the key to it: ) But hey… Then, there is always a weak point in life. How weak depends on the time and money you want to spend to make it better, doesn’t it ?

    A way of limiting the risks is to send regularly a copy of the DB to a family member for example, and keeping the password in a safe in a bank somewhere. Or, a copy of the DB to a close friend or family member, and the password to an other one. Preferably people who don’t know each other or hate each other :) So they won’t plot against you :)

    All this sounds a bit heavy, but it’s quite easy to put in place, and possible for anyone, or almost.

    Last point, you should think of put some of the information about that into your testament ! Your life is digital. So will be the heritage of your heirs

    That’s my share of ideas :)

    • I’m still trying to figure out how to perfectly store my digital life in Dropbox. I’d like a single solution to storage, backup and security. I don’t know if Dropbox is that or not. Yesterday a friend corrupted a major file she worked with that was saved on Dropbox. She did it at work, but then brought her laptop over to my house. Before we realized it, Dropbox had connected to my wireless and overwrote the file on her laptop’s Dropbox folder. She had no other copies of the file.

      I told her if she paid for Dropbox and bought the unlimited undelete that would have at least gotten her an earlier version of the file. Since I also use the free version I’m not worried.

      Coming up with a secure system for both protecting files and hiding them is hard.

  14. Try Beyond Compare for sync’ing files and folders. WhereIsIt is useful for identifying duplicate files (and Beyond Compare once identified). X1 for indexing and searching desktop files, including email, PDFs, Word docs, etc.

  15. just an FYI … you can select what folder you sync up at your work PC … you dont need to syn up all from Dropbox. Two – dropbox does have the ability to do a hash at a block level so even if you change 1 file on your trucrypt 1GB file it will take second to sycn it up … it wotn take hours. Googl Drive does not do de-duplication so yes in that case it will take hours.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 1,128 other followers

%d bloggers like this: